Researchers discover first 64-bit botnet malware - more to come?

TDL4, which some media reports describe as one of the most serious threats seen to date, has already infected some 4.5 million machines, and that alone makes it a serious issue, says David Harley, Eset's security fellow.

Harley notes that its ability to infect 64-bit Windows machines makes it very unusual.

"The fact that someone has come up with 64-bit malware shows what innovation is happening in the world of malware," Harley told Infosecurity, adding that he fully expects to see more malware in the 64-bit category in the near future.

Harley and his team are working on a white paper on TDL4 which, he says, looks in some detail at the latest innovations; he is keen to point out its bootkit functionality.

Comparing it with other malware, he says, suggests that TDL4 does not simply borrow code from other botnet families but is entirely new code.

According to a draft of the white paper shown to Infosecurity, which Harley is co-writing with Eugene Rodionov, an Eset malware researcher, and Aleksandr Matrosov, a senior malware researcher with the firm, the active spread of TDL4 started in August 2010, and several versions of the malware have been released since then.

"Comparing it with its predecessors, TDL4 is not just a modification of the previous versions, but new malware. There are several parts that have been changed, but the most radical changes were made to its mechanisms for self-embedding into the system and surviving reboot", says the paper.

"One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals", adds the paper.

Eset's research into TDL4 is corroborated by Kaspersky Lab's research into the same botnet malware.

According to Computer Weekly, more than 4.5 million computers around the world have been infected by the TDL-4 virus, creating a potentially indestructible botnet.

The owners of TDL, says CW, are trying to create an indestructible botnet protected against attacks, competitors and antivirus companies.

CW cites researchers from Kaspersky Lab as saying that TDL and the botnet that unites all the computers it infects will continue to cause problems for users and IT security professionals alike.

A quarter of all infected computers are in the United States, a share valued at $250,000, while just 5% of the infected computers are in the UK.

As with older versions of TDL, TDL4 is reported to be spread through affiliate programmes, whose installers check the version of the operating system on the victim machine and then download TDL4 to it. Affiliates receive between $20 and $200 for every 1,000 installations of TDL, claims Kaspersky.

Back at Eset, meanwhile, Harley and his team say that special attention has been paid in their research to the bootkit functionality which appeared in TDL4 and enables it to begin its launch process before the operating system is loaded.

In addition, says the Eset white paper, TDL4 has the ability to load an unsigned kernel-mode driver, even on systems with the kernel-mode code signing policy enabled, and to bypass kernel-mode patch protection mechanisms.

"These characteristics all make TDL4 a prominent player on the malware scene", notes the paper.
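Because the bootkit component described above starts before the operating system loads, the first artefact a responder will want to check is the disk's Master Boot Record. The following is an added example, not code from the Eset or Kaspersky research or from this article: it parses a 512-byte MBR, hashes the bootstrap code against a recorded baseline and sanity-checks the partition table. The sample sectors, the baseline hash and the "unpartitioned trailing space" heuristic are constructed for illustration; nothing here is a TDL4 signature.

```python
"""Baseline check of a disk's Master Boot Record (MBR) for signs of bootkit
tampering.  Added example, not code from the Eset or Kaspersky research; the
sample sectors below are constructed inline so the module runs offline."""
import hashlib
import struct
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: bootstrap code run by the BIOS
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry (little-endian LBA fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector into bootstrap hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entries.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN]))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int,
              max_trailing_sectors: int = 2048) -> List[str]:
    """Return findings; an empty list means the bootstrap code matches the
    baseline and the partition table looks sane.  The trailing-space check is
    a generic heuristic (bootkits commonly keep their own storage in
    unpartitioned sectors after the last partition), not a TDL4 signature."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("MBR signature 0x55AA missing")
    if mbr["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from recorded baseline")
    last_end = 0
    for idx, part in enumerate(mbr["partitions"]):
        if part["type"] == 0:          # empty entry
            continue
        end = part["lba_start"] + part["sectors"]
        if end > disk_sectors:
            findings.append(f"partition {idx} extends past end of disk")
        last_end = max(last_end, end)
    if last_end and disk_sectors - last_end > max_trailing_sectors:
        findings.append(f"{disk_sectors - last_end} unpartitioned sectors after last partition")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device such as '/dev/sda' or r'\\.\PhysicalDrive0'
    (root/administrator privileges required)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def _build_sector(boot_code: bytes, partition: bytes) -> bytes:
    table = partition + bytes(PARTITION_ENTRY_LEN * 3)   # one partition, three empty
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + MBR_SIGNATURE


# Constructed samples (not real TDL4 bytes): a stub bootstrap and one NTFS
# partition (type 0x07) starting at LBA 2048 and running to the end of a disk
# of 209,715,200 sectors.
DISK_SECTORS = 209_715_200
_PART = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff",
                    2048, DISK_SECTORS - 2048)
CLEAN_MBR = _build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", _PART)
# Tampered variant: bootstrap replaced by a far jump to attacker code stored
# elsewhere on disk; the partition table is left untouched, as a bootkit would.
TAMPERED_MBR = _build_sector(b"\xea\x00\x7c\x00\x00", _PART)

# Hypothetical baseline, recorded here from the constructed clean sector.
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE, DISK_SECTORS) or ["no findings"])
```

On a live system, `read_mbr()` supplies the sector; the baseline hash should be recorded from a known-clean image of the same machine type, never from the host under investigation. A bootkit that hooks disk reads can present the original MBR to the running operating system, so an unchanged hash from a live read is weaker evidence than one taken from the disk offline.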
