
TDL4 botnet may be available for rent

27 October 2011

ESET's senior research fellow David Harley says that, while his team of researchers have been tracking the TDL4 botnet for some time, they have noticed a new phase in its evolution.

These changes, he noted, may signal that either the team developing the malware has changed or that the developers have started selling a bootkit builder to other cybercriminal groups on a rental basis.

The dropper for the botnet, he asserted, sends copious tracing information to the command-and-control server during the installation of the rootkit onto the system. In the event of any error, he said, it sends a comprehensive error message that gives the malware developers enough information to determine the cause of the fault.

All of this, wrote Harley in his latest security posting, suggests that this bot is still under development.

“We also found a form of countermeasure against bot trackers based on virtual machines: during the installation of the malware it checks on whether the dropper is being run in a virtual machine environment and this information is sent to the command-and-control server. Of course, malware that checks on whether it is running in a virtual environment is far from unusual in modern malware, but in this form it's kind of novel for TDL”, he said.

One of the most interesting evolutions of the botnet, Infosecurity notes, is that the layout of the hidden file system has also been changed.

In contrast to the previous version, which Harley said is capable of storing at most 15 files – regardless of the size of reserved space – the capacity of the new file system is limited by the length of the malicious partition.

The file system presented by the latest modification of the malware is more advanced than previously, noted Harley, adding that, as an example, the malware is able to detect corruption of the files stored in the hidden file system by calculating each file's CRC32 checksum and comparing it with the value stored in that file's header.

In the event that a file is corrupted it is removed from the file system.
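The per-file integrity check Harley describes, modelled as an added example (this is not ESET's or the malware's code, and the entry header layout is an assumption for illustration, not TDL4's real on-disk format): each entry's header carries a CRC32 of its payload, and any entry whose recomputed checksum disagrees with the header, including one truncated by a short partition, is dropped when the container is rebuilt.

```python
import struct
import zlib

# Constructed container layout (assumption, not the real TDL4 format):
#   name (16 bytes, NUL padded) | size (uint32 LE) | crc32 (uint32 LE) | payload
HEADER = struct.Struct("<16sII")


def pack_entry(name: str, payload: bytes) -> bytes:
    """Build one entry: a header carrying the payload's CRC32, then the payload."""
    return HEADER.pack(name.encode(), len(payload), zlib.crc32(payload)) + payload


def parse_entries(image: bytes):
    """Walk the image, yielding (name, payload, stored_crc) for each entry.
    A payload that runs past the end of the image comes back truncated,
    so its checksum will not match and the entry is treated as corrupt."""
    off = 0
    while off + HEADER.size <= len(image):
        raw_name, size, stored = HEADER.unpack_from(image, off)
        off += HEADER.size
        payload = image[off:off + size]
        off += size
        yield raw_name.rstrip(b"\0").decode(), payload, stored


def verify_and_prune(image: bytes):
    """Recompute each entry's CRC32, keep entries whose checksum matches the
    header, rebuild the container without the rest, and report what was dropped."""
    kept_entries, dropped = [], []
    for name, payload, stored in parse_entries(image):
        if zlib.crc32(payload) == stored:
            kept_entries.append((name, payload))
        else:
            dropped.append(name)
    rebuilt = b"".join(pack_entry(n, p) for n, p in kept_entries)
    return [n for n, _ in kept_entries], dropped, rebuilt


def demo():
    """Constructed sample: two intact entries, one whose payload was damaged
    after its header was written, and one cut short by a truncated image."""
    good = pack_entry("cmd.dll", b"A" * 32) + pack_entry("cfg.ini", b"[main]\nid=1\n")
    bad = bytearray(pack_entry("bad.dll", b"B" * 32))
    bad[HEADER.size + 5] ^= 0xFF                 # flip one payload byte -> CRC mismatch
    short = pack_entry("cut.bin", b"C" * 32)[:-8]  # image ends before the payload does
    return verify_and_prune(good + bytes(bad) + short)


if __name__ == "__main__":
    kept, dropped, _ = demo()
    print("kept:", kept, "dropped:", dropped)
```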

Over at Avecto, Mark Austin, the Windows privilege management specialist, said that the removal of admin rights can add an extra layer of defence in the ongoing battle against the malware coders.

“TDL-4 is a damaging piece of code that takes the competitor-removing aspects of darkware we saw with SpyEye – and its ability to detect and delete Zeus – and adds all manner of evasive technologies that make conventional pattern/heuristic analyses a lot more difficult”, he explained.

The removal of admin rights, he went on to say, is a powerful option as part of a multi-layered IT security strategy in the constant battle against darkware in all its shapes and forms.

“Even if you are unfortunate to find one or more user accounts have been compromised by a phishing attack, for example, the fact that the account(s) are limited in what they can do helps to reduce the effects of the security problem”, he added.

Malware like this, said Austin, is almost certain to evolve, with cybercriminals repurposing elements of what is essentially a modular suite of malware, adding enhancements to certain features, deleting older code, and adding new elements to take advantage of newly-discovered attack vectors.

“It isn't rocket science that will defeat new evolutions of existing malware – or for that matter completely new darkware code. What is needed is a carefully planned strategy, with well thought out implementations that use multiple elements of security which, when combined, are greater than the sum of their components”, he said.

“Privileged account management can greatly assist IT professionals in this regard, as it adds an extra string to their defensive bow. This is all part of the GRC – governance, risk management and compliance – balancing act that is modern IT security management”, he added.
