Researchers from Kaspersky Labs claim to have discovered the most sophisticated piece of malware available on the Web. Detected by their antivirus product as TDSS, the Trojan employs a number of methods to avoid detection, including the use of encryption between the botnet command and control server and its zombies and a powerful rootkit component that conceals the presence of other types of malware on a given system.
TDSS is a variation of the TDL virus, which has been known about since 2008. According to the researchers, malware writers have been making small changes to the TDL since its inception, but only in late 2010 did they start selling it in its current form.
“The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies,” the researchers said regarding the botnet that has already infected more than 4.5 million computers.
One of the keys to TDL’s obfuscation is that it is a bootkit, meaning that it runs its malicious code from the boot sector before the operating system starts, which makes the malware very difficult for security products to detect and greatly extends its life.
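Because a bootkit lives in the Master Boot Record and executes before the operating system, one of the few defensive checks that does not depend on a (possibly subverted) running OS is to image the first sector offline and compare it against a known-good baseline. The script below is an added example written for this article, not code from Kaspersky or the Securelist report: it parses a 512-byte MBR image, verifies the 0x55AA boot signature, summarises the partition table, and flags any change in the boot-code region against a baseline SHA-256. The MBR bytes and the partition entry are constructed inline so that it runs offline; on a real system the image would come from a disk read taken from trusted boot media.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot code
PARTITION_TABLE_OFF = 446    # four 16-byte entries follow the boot code
MBR_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

# Layout of one partition table entry (little-endian):
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
PARTITION_ENTRY = "<BBBBBBBBII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR image for this example (not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # One bootable NTFS-style (type 0x07) partition; values are made up.
    entry = struct.pack(PARTITION_ENTRY, 0x80, 0x01, 0x01, 0x00, 0x07,
                        0xFE, 0xFF, 0xFF, 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries empty
    return code + table + MBR_SIGNATURE


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dictionaries."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * 16
        fields = struct.unpack(PARTITION_ENTRY, mbr[off:off + 16])
        status, ptype, lba_start, sectors = fields[0], fields[4], fields[8], fields[9]
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def baseline_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare an MBR image against a known-good boot-code digest."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append("unexpected sector length")
    if mbr[510:512] != MBR_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if baseline_digest(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    partitions = parse_partition_table(mbr) if len(mbr) >= SECTOR_SIZE else []
    if not partitions:
        findings.append("no partition entries")
    return {"suspicious": bool(findings), "findings": findings, "partitions": partitions}


if __name__ == "__main__":
    # Baseline captured from the constructed "clean" image.
    clean = build_sample_mbr(b"clean boot code")
    baseline = baseline_digest(clean)
    print("clean image:", check_mbr(clean, baseline))
    # Any change to the boot-code region, as a bootkit would make, is flagged.
    tampered = build_sample_mbr(b"modified boot code")
    print("tampered image:", check_mbr(tampered, baseline))
```

The baseline digest should be recorded at install time and stored off the host; the comparison only has value if the image being checked was read without going through the running kernel's disk stack, which a rootkit of this kind controls.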
TDL is programmed to act as its own antivirus product, capable of removing 20 of the most popular malicious programs, including Gbot, ZeuS, Clishmic, and Optima. It removes competing malware so that users are lulled into believing their machine is not infected; they therefore never go looking for malware, and TDSS can remain hidden indefinitely.
More than a third of the TDSS-infected computers are in the U.S., making it first among countries afflicted by TDSS infections. India and Indonesia come in a distant tie for second, laying claim to 7% of the infections each. With affiliates receiving as much as $200 for every 1000 American infections, this means that the infected computers in the US alone could have paid out as much as $250,000 to the TDSS creators.
For a (much) more in-depth analysis, you can read the entire Securelist report here.