The TDSS botnet, now in its 4th generation, is seriously sophisticated malware, which is why we’ve spent so much time writing about it: the revision of the paper The Evolution of TDL: Conquering x64 that will be up on the white papers page shortly runs to 54 pages and includes some highly technical analysis, including the detail on the recent plugin described in a blog earlier today. So how does this new component actually work?
When a PC is infected by a bot, it becomes part of a network of other compromised machines which we call a botnet. So now the criminal who is managing the botnet needs to be able to issue instructions to the malware on each infected machine (zombie). And, of course, communication often needs to go the other way: depending on what the botnet is being used for, it may well have to return data to the “botmaster”. A very common way of implementing two-way communication is by setting up some machines as “Command & Control” (C&C) server: this is a malicious version of the client/server model, where a single server may provide services to many client PCs. And it still works very well, but there is a drawback to this approach, as far as the criminals are concerned.
If we’re able to trace and close down some or all of the C&C servers which are supplying information to the infected “zombie” PCs and telling them what to do, then we cut the head off the dragon: the zombies that rely on a server for their instructions are no longer able to carry out the wishes of the botmaster. (Or dragonmaster, if you prefer.)
Using the Kademilia protocol described in our previous blog, the botmaster is able to get round the weakness of the C&C approach, using a sort of collective consciousness approach where infected machines are both zombie and C&C server, or you might say both client and server. All botnets use a perverted form of distributed processing, but this approach makes good use of distributed data, too.
Rather than having a few machines with all the information and running the show, the information is shared between all the machines in the network. Even though individual machines are joining the botnet and others are dropping out, it doesn’t particularly matter: a zombie can get the information it needs from its neighbours, and it knows where they are because it keeps a sort of virtual phonebook hidden on the hard disk.The only time it needs to contact the C&C server is when the number of neighbouring nodes drops below ten: a bit like a householder who realizes that his neighbours are all moving away and he needs to order a new telephone directory.
This doesn’t make TDL4 invulnerable, by any means, but it does mean that it’s harder to disable large swatches of the botnet at a stroke. But no-one ever said that TDSS, with its tricks for infecting 64bit systems and knocking out the competition, was easy to deal with.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow
Leave a reply