‘Indestructible’ Malware Strain Infects Millions of PCs

A new strain of super malware infected more than 4.5 million PCs in the first three months of 2011, and shows no signs of slowing down.

The malware, a rootkit variously called TDSS, TDL or Alureon, has been active since 2006, continually evolving and growing more powerful. Due to its devious and damaging capabilities, it is nearly impossible to detect and has been called “indestructible” by researchers at the security firm Kaspersky Lab.

Its newest variant, TDL-4, is “the most sophisticated threat today,” Kaspersky wrote. Often hidden on adult content and bootleg websites, as well as file-storage services, TDL-4 infected 4,524,488 computers around the world from January through March of this year. A quarter of them were in the United States, the most lucrative market for cybercriminals.

Once it worms its way into users’ systems by bypassing authentication protocols, TDL-4 opens a “back door” to cybercriminals, making it possible for them to load keystroke loggers, adware and a host of other malicious programs onto the infected computers.

TDL-4 allows attackers to remotely take over infected systems, manipulate search engines and act as “a launch pad for other malware,” Kaspersky Lab wrote.

Like other rootkits, TDL-4 inserts itself into the kernel, the main program at the heart of a computer’s operating system, making it extremely difficult to detect or remove.

Microsoft shielded Windows 7 against rootkits by demanding that all new software show digital certificates signed by trusted sources before installation.

But TDL-4 has gotten around this obstacle. It now infects the master boot record of a PC, the section of the hard drive that the computer reads when starting up, and alters Windows 7 upon loading to permit unauthorized software installations. TDL-4 is present before the computer is even up and running.
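The following is an added example, not code from the article or from Kaspersky Lab: a check of a 512-byte master boot record image against a baseline recorded while the disk was known to be good. The function names and the sample sectors are constructed for illustration, and the sector is assumed to have been read from trusted boot media, because a rootkit in the kernel can alter what the running system returns for a disk read.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446    # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and partition entries of a classic MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append((i, status, ptype, lba_start, count))
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """List the differences between a sector and a known-good baseline."""
    current = parse_mbr(sector)
    findings = []
    if current["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample(code_byte: int) -> bytes:
    """Constructed 512-byte sector for the demo; not taken from a real disk."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 204800)
    return bytes([code_byte]) * 446 + entry + b"\0" * 48 + BOOT_SIG


BASELINE = parse_mbr(build_sample(0x90))                  # recorded while known-good
print(compare_to_baseline(build_sample(0x90), BASELINE))  # unchanged sector
print(compare_to_baseline(build_sample(0xCC), BASELINE))  # boot code differs
```
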

“I wouldn’t say it’s perfectly indestructible, but it is pretty much indestructible,” malware expert Joe Stewart of Dell SecureWorks told Computerworld. “It does a very good job of maintaining itself.”

TDL-4 encrypts the protocol used for communication between infected computers and the command and control servers of the master botnet — a massive network of Internet-connected computers programmed to distribute spam and malware and launch cyberattacks.

This encrypted connection makes TDL-4 difficult to detect, and its spread even more difficult to slow down.

It also does a security scan of its own, seeking out and destroying competing viruses, Trojans and worms in order to dominate the environment and lull the PC user into thinking everything’s OK.

Finding TDL-4 is a little like detecting a black hole in outer space — you can’t actually see it, but you can observe its distorting effects upon system processes and network traffic. Removal would mean erasing the entire hard drive and reinstalling the operating system.

It is “one of the most technologically sophisticated, and most complex to analyze, [pieces of] malware,” Kaspersky Lab wrote.

Despite its prominence, and the threat it poses to computers all over the world, there’s one place where TDL-4 has infected no systems at all.

“Remarkably, there are no Russian users in the statistics,” Kaspersky Lab wrote. This is because, as researchers explain, the cybercriminals that pay to have their spam and malware sent via the botnet “do not offer payment for infecting computers located in Russia.”

This article was provided by SecurityNewsDaily.



  1. brendon Says:

    And that is why I use Linux. They just leave us alone.

  2. Evan Says:

    Quote: “it is nearly impossible to detect…”

    It is extremely easy to detect. Use any software that checks the boot sector integrity after the system is running. One of two things will happen: The software will stop working or it will detect the problem. Either will be obvious.

    Boot sector viruses are ancient, being one of the first and most common types used with floppy discs. Once discovered, the boot sector can be easily repaired without starting Windows and then started in safe mode to remove the virus. Incidentally, Linux is just as vulnerable to such an attack.
