Computerworld posted a story this week about a new botnet, TDL-4, that is virtually indestructible. It is so sophisticated that it is almost impossible to defeat:
"TDL-4," the name for both the bot Trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said Kaspersky Labs researcher Sergey Golovanov in a detailed analysis Monday.
"[TDL-4] is practically indestructible," Golovanov said. Others agree.
"I wouldn’t say it’s perfectly indestructible, but it is pretty much indestructible," said Joe Stewart, director of malware research at Dell SecureWorks and an internationally-known botnet expert, in an interview today. "It does a very good job of maintaining itself."
Golovanov and Stewart based their judgments on a variety of TDL-4’s traits, all which make it an extremely tough character to detect, delete, suppress or eradicate.
For one thing, said Golovanov, TDL-4 infects the MBR, or master boot record, of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer’s BIOS does its start-up checks.
Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code.
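An added example (not from the Computerworld article or the Kaspersky analysis) of the defender-side check that the quoted passage implies: because the rootkit lives in sector 0, the only honest way to see it is to read sector 0 directly and compare it with a known-clean copy. The script parses the 512-byte MBR layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the code and table separately, and reports what changed; the sample sectors are constructed, and `read_sector0` is assumed to be run with root/admin rights.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
MBR_SIGNATURE = b"\x55\xaa"  # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into bootstrap-code hash, partition-table hash and entries."""
    if len(sector) != SECTOR_SIZE or sector[510:] != MBR_SIGNATURE:
        raise ValueError("not a 512-byte sector ending in the 0x55AA boot signature")
    partitions = []
    for i in range(4):  # four 16-byte entries start at byte 446
        status, ptype, start_lba, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype:       # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "start_lba": start_lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "table_sha256": hashlib.sha256(sector[446:510]).hexdigest(),
            "partitions": partitions}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector 0 with hashes taken from a known-clean copy.
    Returns findings; an empty list means nothing changed."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed (possible MBR rootkit)")
    if info["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed")
    return findings

def read_sector0(device_path: str) -> bytes:
    """Read sector 0 from a raw device (/dev/sda, \\\\.\\PhysicalDrive0); needs root/admin.
    Take the baseline and later checks from clean boot media: a rootkit that hooks the
    running OS can hand back a clean-looking sector to whatever asks."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)

# Constructed sample: placeholder boot bytes, one bootable NTFS (0x07) partition, signature.
_entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
CLEAN_MBR = b"\xfa\x31\xc0" + b"\x90" * (BOOT_CODE_LEN - 3) + _entry + b"\x00" * 48 + MBR_SIGNATURE
# Constructed "infected" variant: the first bytes are patched to jump elsewhere, table untouched.
INFECTED_MBR = b"\xe9\x00\x01" + CLEAN_MBR[3:]
BASELINE = parse_mbr(CLEAN_MBR)
```

In practice the baseline is taken right after imaging and stored off the host; any later mismatch is a reason to image the disk, not to trust what the running system reports.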
The article goes on to say that TDL-4’s strongest weapon is that the channels its nodes use to talk to the C&Cs are public P2P networks, not the closed networks that botnets had built in the past. Thus, if security researchers want to take down the P2P structure, they would have to take down a lot of legitimate traffic as well. This is reputation hijacking, and spammers have been doing it for years when they send spam from Hotmail or Gmail IPs, host content on Blogspot, break into legitimate websites so that they serve malware, and so forth. This is the same thing, except it piggybacks onto public P2P communication channels.
Thus, the botnet is invisible to security software, and if anyone wants to take it down, the collateral damage is too great. If the C&Cs get taken down, the public channels can tell the nodes to update to the new C&Cs.
Alas, the botnet cannot be touched.
Or can it?
A couple of days ago, a lawyer at Microsoft disputed this claim: no botnet is indestructible. Also from Computerworld:
No botnet is invulnerable, a Microsoft lawyer involved with the Rustock takedown said, countering claims that another botnet was "practically indestructible."
"If someone says that a botnet is indestructible, they are not being very creative legally or technically," Richard Boscovich, a senior attorney with Microsoft’s Digital Crime Unit said Tuesday. "Nothing is impossible. That’s a pretty high standard."
"To say that it can’t be done underestimates the ability of the good guys," Boscovich said. "People seem to be saying that the bad guys are smarter, better. But the answer to that is ‘no.’"
"[Waledac] was a proof of concept that showed we are able to poison the peer-to-peer table of a botnet," Boscovich said.
"Each takedown is different, each one is complicated in its own way," said Boscovich. "Each one is going to be different, but that doesn’t mean that there cannot be a way to do this with any botnet."
The article goes on to say that one of the good guys’ secret weapons is the set of relationships cultivated among security researchers during the past few takedowns. Taking down a botnet requires a major coordination effort among several parties: private industry (usually two or three different companies) and law enforcement. Once a company has done it once, and then twice, it starts to get into a rhythm. Once that process has been run a few times and the major players know what they are doing, it gets easier the next time.
Not only that, but Microsoft obtained legal clearance to shut down Rustock. Precedent has now been set, and that case law can be used to do it again in the future.
That’s not to say that taking down a botnet is easy. It isn’t. In fact, it is getting more difficult because botnet operators are trying harder to stay under the radar. But to suggest that their activities cannot be tracked, traced or disrupted is incorrect. Everything is traceable if you’re willing to go back far enough. And botnet operators cannot stay too small, otherwise it destroys their cost model: you need to move a lot of product because the conversion rate of spam or malware is so low… unless you do phishing, but even then you have to succeed regularly. And if you succeed regularly, eventually you start to attract attention. When that happens, it is no longer easy to hide in the shadows.
Sometimes in legitimate business, a company can grow too fast and bring about its own downfall (doing things on a large scale is far different from doing them on a small scale, but if you want to make the big money, you have to scale up). If a botnet operator wants to make the big money, paradoxically, that success can lead to its downfall.
We can only hope.