Millions of PCs around the world appear to have been quietly infected by the dangerous TDSS 'super-malware' rootkit as part of a campaign to build a giant new botnet, researchers from security firm Kaspersky Lab have discovered.
Malware and botnets come and go, but TDSS is different. First detected more than three years ago, TDSS (also known as 'TDL' and sometimes by its infamous rootkit component, Alureon), it has grown into a multi-faceted malware nexus spinning out ever more complex and dangerous elements as it evolves.
In recent weeks, Kaspersky Lab researchers were able to penetrate three SQL-based command and control (C&C) servers used to control the activities of the malware's latest version, TDL-4, where they discovered the IP addresses of 4.5 million IP PCs infected by the malware in 2011 alone. Almost 1.5 million of these were in the US.
If active, this number of compromised computers could make it one of the largest botnets in the world, with the US portion alone worth an estimated $250,000 (£155,000) to the underground economy.
The TDL-4 malware has also added technical and economic capabilities to its features list, including some that are out of the ordinary for botnets, the researchers said.
Making use of the malware's bootkit design - it infects the master boot record of a PC to allow it to load before other programs - it attempts to clean rival malware from an infected PC, searching for an nixing up to 20 different malware types, including Gbot, Zeus and Optima. This stops other programs interfering with its activities as well as hurting their commercial activities.
The researchers noticed a kad.dll component of the infection which appears to allow TDSS/TDL-4 an elaborate C&C channel to control bots using the Kad P2P file exchange network even if the primary encrypted channel has been shut down by rival botnetters or security companies.
Perhaps most intriguing of all are the economic innovations shown by the TDSS creators which help them sell it in a botnet-as-a-service form.
One of these is turning botted PCs into anonymous proxies, which Kaspersky found were being sold for $100 (£60) per month each to customers that wanted to hide their Internet use. They even discovered a Firefox add-on that makes it easier to toggle between different proxies within the browser.
"We don't doubt that the development of TDSS will continue," said Kaspersky researcher, Sergey Golovanov, who performed the latest analysis of TDSS. "Active reworkings of TDL-4 code, rootkits for 64-bit systems, the use of P2P technologies, proprietary anti-virus and much more make the TDSS malicious program one of the most technologically developed and most difficult to analyse."
The bigger question is why TDSS/TDL-4 has invested so much effort in complexity when other malware performs adequately without it. Perhaps its most infamous innovation was the 64-bit version of Alureon that Microsoft claimed in May to have removed from hundreds of thousands of systems despite the fact this version of the OS is supposed to be harder to attack.
The answer is that TDSS's creators are pioneering in their outlook. Windows might have fewer 64-bit users and the OS might be more of a challenge, but tackling it offers larger rewards because they stay ahead not only of rivals but of the software defences.
"Cybercriminals are trying to future-proof themselves," said fellow Kaspersky researcher, Ram Herkanaidu. "They know that a lot of systems are going to go 64-bit," he said.
For his part, TDSS expert Golovanov thinks TDL-4 is in the hands of a single East European criminal entity which has sold the older and less advanced TDL-3 to another criminal enterprise in the same geography.