Business Standard

TDL-4: The Virus that escapes scrutiny

Priyanka Joshi & Leslie D'Monte  |  Mumbai

If you are among those Indians who lurk around adult sites, sniff around pirated media hubs or are tempted by affiliate programmes, you are typically inviting trouble online. So, if your computer has been behaving more strangely of late and your browser has been redirecting you to malicious sites, a thorough check is in order. You may have been infected by a botnet variant called TDSS or TDL-4. While it has infected 4.5 million personal computers globally, it is estimated to be sitting on around 315,000 PCs in India, according to security firm Kaspersky Labs.

TDL-4 uses a rootkit technique to infect a machine's boot sector, so its code runs when the user starts the computer (booting), before the operating system and security software have loaded; hence it avoids detection by some security tools. It is said to manipulate adware and search engines, provide anonymous internet access and act as a launch pad for other malware. A botnet is a collection of compromised computers, termed bots, used for malicious purposes; a rootkit is a collection of tools (programs) that enables administrator-level access to a computer or computer network.
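Boot-sector infection leaves a concrete artefact a defender can check for: the boot code in the Master Boot Record no longer matches the image the system was built with. The script below is an added example written for this article, not code from Kaspersky, ESET or the TDL authors. It constructs a synthetic 512-byte MBR as a known-good baseline, hashes the boot-code region, parses the partition table, and then flags a constructed "infected" copy whose boot code has been overwritten while the partition table is left intact. The sample bytes, the partition layout and the baseline hash are all constructed for the example. One caveat that follows from the article itself: a live rootkit can intercept disk reads and return the clean sector, so a check like this is trustworthy only against an image taken offline (for example from a rescue medium).

```python
"""Added example (not code from Kaspersky or ESET): detecting a tampered boot
sector by comparing the MBR boot-code region against a known-good baseline.

An MBR is 512 bytes: 440 bytes of boot code, a 4-byte disk signature, 2 reserved
bytes, a 64-byte partition table (4 x 16 bytes) at offset 446, and the 0x55AA
boot signature at offset 510.  A bootkit that overwrites the boot code changes
its hash but typically leaves the partition table intact, so both are checked.
"""
import hashlib
import struct

BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510


def build_clean_mbr():
    """Construct a synthetic 'known-good' MBR image (constructed sample data)."""
    # A few plausible x86 opcodes followed by NOP padding stand in for real boot code.
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    disk_sig = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    # One bootable partition of type 0x07 (NTFS) starting at LBA 2048, 204800 sectors long.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig + reserved + table + b"\x55\xAA"


def parse_partition_table(mbr):
    """Return the four partition entries as dicts (status, type, start LBA, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_LEN])
        entries.append({"status": status, "type": ptype, "start_lba": lba, "sectors": count})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; record this when the system is known clean."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Compare an MBR image against a recorded baseline; return a list of findings."""
    findings = []
    if len(mbr) != 512:
        findings.append("unexpected MBR length %d" % len(mbr))
        return findings
    if mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    bootable = [p for p in parse_partition_table(mbr) if p["status"] == 0x80]
    if len(bootable) != 1:
        findings.append("expected exactly one bootable partition, found %d" % len(bootable))
    return findings


def tamper(mbr):
    """Constructed 'infected' copy: overwrite the start of the boot code, keep the table intact."""
    patched = bytearray(mbr)
    patched[0:16] = b"\xEB\x00" + b"\xCC" * 14
    return bytes(patched)


if __name__ == "__main__":
    clean = build_clean_mbr()
    baseline = boot_code_hash(clean)
    print("clean   :", check_mbr(clean, baseline) or "OK")
    print("tampered:", check_mbr(tamper(clean), baseline))
```

In practice the baseline hash would be recorded at build time and the MBR read from an offline image (`dd if=/dev/sdX bs=512 count=1` from a rescue system, for instance); the partition-table comparison is the useful second signal, because a bootkit that changes the table as well would prevent the machine booting normally and so tends to leave it alone.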

“The malware detected by Kaspersky Anti-Virus as TDSS is the most sophisticated threat today,” cautions Kaspersky Labs in a new warning about the botnet. “TDSS uses a range of methods to evade signature, heuristic and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control centre. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.”

TDL-4 comes loaded with capabilities that can even stop the Windows host PC from being infected by other malware or bots. TDL works via affiliate programmes which offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer. Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer.

They can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services. The owners of TDL are essentially trying to create an 'indestructible' botnet, protected against attacks, competitors and antivirus companies, according to Kaspersky Labs. The average earnings per day for a major partner could reach $100,000, say ESET researchers, and the aggregated number of unique successful installations could reach several hundred thousand. Cybercrime groups like DogmaMillions (now closed) and GangstaBucks (started at the end of 2010) are said to be responsible for spreading TDL over recent years.

The active spread of TDL-4 started in August 2010. Since then, several versions of the malware have been released. Compared with its predecessors, TDL4 is not just a modification of the previous versions, but new malware, according to Eugene Rodionov and Aleksandr Matrosov, malware researchers at ESET. In a paper titled 'The Evolution of TDL: Conquering x64', they say several parts have been changed, but the most radical changes were made to its mechanisms for self-embedding into the system and surviving reboot. “One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals,” they note in the paper.

The threat can be particularly nasty for the Indian PC base, as millions of people still run the older Windows XP operating system and use outdated web browser versions like Internet Explorer 6. Data from web analytics firm Statcounter shows Windows XP commands 63 per cent of the market in India, followed by Windows 7 with a 23 per cent share. “Outdated OSes would only aid the distribution and infection rates for TDL. Also, it is critically important that people have Windows Update activated on their computers,” say security experts. In an online usage and security survey conducted by Microsoft India, 50 per cent of Indians online spent close to five hours on the internet daily and nearly a fourth had been victims of cyber attacks.

Kartik Shahani, country manager, RSA India & Saarc, says, “TDL-4 isn't one itself, but it's malicious because it facilitates the creation of a botnet -- a network of infected computers that can be used in concert to carry out tasks like distributed denial-of-service attacks (which have been used to take down many major servers, including The Pirate Bay, Twitter and Facebook, in the past), the installation of adware and spyware, or spamming.”

Being a botnet, it really does not matter where the PC is physically located. “Organisations should proactively take measures on having the solution to detect and remediate the infected PCs fast enough. It is not only in the interest of the organisations' business but also involves legal penalisation, as the compromised PCs are actually used to launch the DDoS attacks. The code of TDL-4 is encrypted and, hence, it is difficult for the anti-virus vendors to give 100 per cent detection based on signature,” says Shahani.

Amit Nath, country manager (India and Saarc), Trend Micro, believes users in India, where the awareness level about security continues to be low, need not worry if they have proper protection in place, as TDL-4 is under surveillance across the globe. He says: “The TDSS gang has been busy capitalising on this worm to expand their botnet. Just recently, they have added a new trick to the worm. This time, it includes code, which turns the infected system into a Dynamic Host Configuration Protocol (DHCP) server, with a domain name system (DNS) setting that points to a malicious IP address.”
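The rogue-DHCP behaviour described in the quote above is visible on the network: a host that was never meant to be a DHCP server starts answering with OFFER and ACK messages whose DNS option points somewhere unexpected. The script below is an added example written for this article, not code from Trend Micro or the article's sources. It constructs minimal BOOTP/DHCP reply packets, parses the option block (message type 53, DNS servers option 6, server identifier option 54) and raises an alert when the server identity or the offered DNS servers fall outside an approved set. All addresses, the approved lists and the packets themselves are constructed sample data; the "malicious" address is drawn from the RFC 5737 documentation range.

```python
"""Added example (not from Trend Micro or the article): spotting a rogue DHCP
server that hands clients an attacker-controlled DNS server.

A defender watching UDP 67/68 traffic can parse each server->client DHCP message
and alert when the server identifier (option 54) or the DNS servers (option 6)
are not on the approved list.  All packets and addresses here are constructed.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_DNS, OPT_SERVER_ID, OPT_END = 53, 6, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

# Constructed policy: the one legitimate DHCP server and the resolvers it should hand out.
APPROVED_SERVERS = {"192.168.1.1"}
APPROVED_DNS = {"192.168.1.1", "192.168.1.2"}


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw):
    return ".".join(str(b) for b in raw)


def build_dhcp(msg_type, server_id, dns_servers, yiaddr="192.168.1.50"):
    """Construct a minimal BOOTP/DHCP reply (constructed sample; unused fixed fields zeroed)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)  # op=2 BOOTREPLY, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4                       # ciaddr
    hdr += ip_to_bytes(yiaddr)               # yiaddr: address being offered
    hdr += ip_to_bytes(server_id)            # siaddr
    hdr += b"\x00" * 4                       # giaddr
    hdr += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128  # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_SERVER_ID, 4]) + ip_to_bytes(server_id)
    opts += bytes([OPT_DNS, 4 * len(dns_servers)]) + b"".join(ip_to_bytes(d) for d in dns_servers)
    opts += bytes([OPT_END])
    return hdr + DHCP_MAGIC + opts


def parse_options(pkt):
    """Parse the TLV option block that follows the magic cookie into {code: raw value}."""
    idx = pkt.index(DHCP_MAGIC) + 4
    opts = {}
    while idx < len(pkt):
        code = pkt[idx]
        if code == OPT_END:
            break
        if code == 0:               # pad option has no length byte
            idx += 1
            continue
        length = pkt[idx + 1]
        opts[code] = pkt[idx + 2: idx + 2 + length]
        idx += 2 + length
    return opts


def inspect_dhcp(pkt, approved_servers=APPROVED_SERVERS, approved_dns=APPROVED_DNS):
    """Return (message type name, list of alerts) for one DHCP packet."""
    opts = parse_options(pkt)
    mtype = MSG_NAMES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    alerts = []
    if mtype not in ("OFFER", "ACK"):
        return mtype, alerts        # only server->client messages configure the client
    server = bytes_to_ip(opts.get(OPT_SERVER_ID, b""))
    if server not in approved_servers:
        alerts.append("rogue DHCP server identifier %s" % server)
    raw_dns = opts.get(OPT_DNS, b"")
    for i in range(0, len(raw_dns), 4):
        dns = bytes_to_ip(raw_dns[i:i + 4])
        if dns not in approved_dns:
            alerts.append("unapproved DNS server %s offered by %s" % (dns, server))
    return mtype, alerts


if __name__ == "__main__":
    good = build_dhcp(2, "192.168.1.1", ["192.168.1.1", "192.168.1.2"])
    rogue = build_dhcp(2, "192.168.1.77", ["203.0.113.66"])   # infected PC acting as DHCP server
    print(inspect_dhcp(good))
    print(inspect_dhcp(rogue))
```

The same check is cheap to run continuously from a span port or from the legitimate DHCP server's own logs: because the infected PC must answer faster than the real server to win the race, its OFFERs are loud and frequent, which is exactly what makes this a better detection signal than the encrypted on-disk payload the article says defeats signature scanning.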

Computer security lax in India
India topped the charts for malicious traffic in Asia, producing more than Russia and China combined, according to security firm McAfee. Italy, Spain and India also had the lowest security adoption rates among 14 countries it ranked. Other security firms confirm that India has a poor online security record.

McAfee ranks India fourth in terms of lowest levels of security adoption after Brazil, France and Mexico, adopting only half as many measures as leading countries like China, Italy and Japan. It also says just 60 per cent of Indians deploy a threat monitoring service and use a software update and patch management service. Moreover, in India and France, more than half of executives reported multiple large-scale distributed denial-of-service attacks every month. Such attacks can affect email connectivity, internet-based telephone systems and other operationally significant functions.

First Published: Wed, July 06 2011. 00:22 IST