By Gregg Keizer June 29, 2011 04:19 PM
A new and improved botnet that has infected more than four million PCs is "practically indestructible," security researchers say. "TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday. "[TDL-4] is practically indestructible," Golovanov said.
What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers.
"The way peer-to-peer is used for TDL-4 will make it extremely hard to take down this botnet," said Roel Schouwenberg, senior malware researcher at Kaspersky, in an email reply Tuesday to follow-up questions. "The TDL guys are doing their utmost not to become the next gang to lose their botnet."
TDL-4's makers created their own encryption algorithm, Kaspersky's Golovanov said in his analysis, and the botnet uses the domain names of the C&C servers as the encryption keys. The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.
By using a public network, the criminals insure their botnet will survive any take-down effort.
Edited by Union_Thug, 30 June 2011 - 04:43 AM.