Researchers at Kaspersky Labs analyzing the 4.5 million-strong Alureon botnet (also known as TDL and TDSS) have branded it "practically indestructible." Law enforcement agencies have had some success recently at disrupting and bringing down botnets, with Coreflood, Rustock, and Waledac all successfully disrupted. The design of TDL's underlying rootkit is going to make similar retaliatory action much harder to pull of.

TDL-4 has been specifically designed to avoid destruction—whether by law-enforcement, anti-virus software, or competing botnets. On installation, TDL-4 will remove other rootkits, an act which both deprives competing operators of income and reduces the chance that the user will notice that their system is behaving strangely and attempt to repair it. The goal of a rootkit is to remain undetected, and that includes noticing that a computer simply isn't behaving correctly.

To make this hiding more effective, the rootkit infects the system's master boot record (MBR), part of a hard disk that contains critical code used to boot the operating system. Infecting the MBR means that the rootkit code is loaded even before the operating system (let alone anti-virus software) can run; it's another move to make the rootkit harder to detect and remove. The software also encrypts all network traffic to prevent eavesdropping or hijacking by other botnet owners.

Peer to peer spamming



The most significant feature, however, is the inclusion of peer-to-peer technology in the latest version of the botnet's code. The rootkit uses the Kad peer-to-peer network, used by filesharing software eMule, to communicate between nodes. Using Kad, the botnet creates its own network of infected computers, allowing the machines to communicate with each other without relying on a central server.

This has one purpose: to make it much harder to take down the network. Previous successful botnet takedowns have depended on law enforcement agencies taking over or making inaccessible the centralized command-and-control servers used to disseminate instructions for the network. These servers tell the botnet which spam to send, which sites to target with a denial-of-service attack, and so on. Generally they are relatively few in number—a dozen or two—and so represent a major weakness in the botnet infrastructure. Though TDL-4 uses more command and control servers than is typical—around sixty so far this year—it's the peer-to-peer network that really makes it tough to fight off. With this network, the botnet's owner can retain control of the network even if the infected machines can't reach the servers.

Rootkits have used peer-to-peer networks before, but the use of such a large, public network is highly unusual. It gives the botnet an extremely robust communications system that will be nigh impossible to disrupt or overpower, and the same techniques that have been so powerful against other botnets may be impotent against TDL-4.

The malware itself is spread primarily through file-sharing and pornography websites. Earlier this month another distribution method was found; the malware creates a DHCP server that in turn makes machines use a malicious DNS server. This DNS server will redirect network users to webpages containing the malware.

In addition to the common spamming and denial of service tasks that botnets are routinely used for, the botnet's operators include an interesting proxy server component. For about $100 a month, you can use a PC in the botnet as a proxy for your Internet traffic, thereby anonymizing your Internet traffic. They even have a Firefox plugin to make it easy to use the proxy system.

Will law enforcement be able to take down the botnet? It's certainly not going to be easy. Doing so might require taking advantage of the botnet's own code; researchers have already uncovered servers running MySQL that track the systems within the botnet by sending specially crafted commands to infected machines. Such an approach may provide a key to dismantling the entire network.