Friday, July 1, 2011

'Indestructible' Botnet Malware Infected 4.5 Million PCs

wsj.com - 7/1/2011
Ben Rooney

A virtually indestructible botnet malware has ensnared more than four million PCs globally in the first three months of 2011, according to Kaspersky Labs, which described it as the 'most sophisticated threat' to computer security today.

In a posting on its blog, the Moscow-based antivirus firm described the malware as 'the most sophisticated threat today'. It is a variant of a virus known as TDSS, which Kaspersky has numbered TDL-4.

TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center. TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.

The post goes into great detail on the technical specifications of the sophisticated malware that communicates using encrypted messages and relays messages through proxy servers to protect the command and control servers.

Once infected, the target PC joins this ever-growing botnet. A botnet is a network of infected computers that can be used, without the owners' knowledge, to send floods of spam or launch attacks on other computers. Botnets are controlled by command and control servers. In the past law enforcement agencies have targeted these servers, successfully taking control of the botnet away from the cybercriminals. In this case the virus authors have taken steps to protect their network.

The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.

The malware infects the master boot record, the part of the PC's disk that is read first, before the operating system loads. By getting in so early in the computer's boot cycle, the virus can exert control far more easily, making it easier for it to avoid detection and to disable counter-measures. It also takes steps to stop other viruses from attacking the same computer.

TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
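The practical check that follows from the bootkit description is to read the raw MBR sector and compare its boot-code region against a known-good baseline. The script below is an added example written for this page, not code from Kaspersky or from the article; the sample sectors it builds are constructed placeholders, not TDL-4 bytes, and the `build_mbr`, `parse_mbr` and `check_mbr` names are this example's own.

```python
"""Added example: detect modification of an MBR's boot code against a baseline hash.

Constructed data only: the byte patterns below are made up for illustration and are
not TDL-4 samples. On Linux the real sector can be read (as root) with
`dd if=/dev/sda bs=512 count=1` and the 512 bytes passed to check_mbr().
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code (plus disk signature/padding)
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on a valid MBR
# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
PART_ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start, sectors)
    tuples. Used here only to construct sample sectors; CHS fields are left zeroed."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_SIZE, b"\x00")[:4 * PART_ENTRY_SIZE]
    return code + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw sector into a boot-code hash, four partition entries and the signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack(
            PART_ENTRY_FMT, mbr[off:off + PART_ENTRY_SIZE])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["status"] not in (0x00, 0x80):      # only 'inactive' and 'bootable' are valid
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:  # a typed entry with no extent is suspect
            findings.append(f"partition {i}: non-empty type with zero length")
    return findings


# --- constructed sample data (placeholders, not real boot code) ---------------------
CLEAN_BOOT_CODE = bytes(range(0x40)) + b"\x90" * 16
PARTITIONS = [(0x80, 0x07, 2048, 409600)]          # one bootable NTFS-typed partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # recorded while the disk was known clean

# A tampered copy: the first 16 bytes of boot code are overwritten, the way a loader
# that diverts execution to its own code would. The partition table is untouched.
TAMPERED_MBR = b"\xeb\x3e" + b"\x41" * 14 + CLEAN_MBR[16:]

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))
```

The baseline hash has to be taken while the disk is known clean, and, because the article notes that the rootkit component hides its presence from software on the infected system, the sector should be read from a separate boot medium rather than through the running, possibly infected, operating system.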

TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.

Most of the more than 4.5 million victims, 28%, are in the U.S. but Kaspersky reports significant numbers in India (7%) and the U.K. (5%). France, Germany, Mexico and Canada all played host to about 3% of infections each.
