http://www.securelist.com/en/analysi...0/TDL4_Top_Bot
In early 2009 I was asked by a friend to find out why his Windows XP was taking so long to boot and running so slowly. His AV was active and up to date. Except for the usual trash that CCleaner removes, I could find nothing. So, I booted a LiveCD and mounted the Windows partition. Files that never appeared in Windows Explorer were plainly visible in Dolphin. It was a keyboard logger. They had to go change their bank account info immediately, along with the passwords to any important web sites.
After removing the bad files and rebooting, I quickly discovered that the malware files were back, even though the Internet was not connected. To me, that meant only two possible routes: the MBR or the phantom "D" drive where the repair image of Windows resides. It turns out the malware was in both places. Since he did not have a secure copy of the MBR, I told him that the only way I could clean his machine was to totally scrub the drive, including the MBR, which meant that he'd lose his Windows installation, since Microsoft no longer included an install disk in their package. If he purchased a new copy, the odds were that the same AV software which let the malware in would let it in again. His best, and most affordable, solution was to give Kubuntu the entire drive. He did, and he's never been bothered by viruses or Trojans since then.
Just as a reminder, last year a group of bad guys decided to capture some Linux boxes to use as command-and-control servers for the Windows bot farms. It took them 6 months of manual brute-force attacks to acquire 700 Linux boxes. It took the bad guys controlling TDL-4 only 3 months to capture over 4 million Windows boxes. If Linux were equally susceptible to these kinds of attacks, then over 600,000 of those zombies should be Linux boxes, but they are not.
...
TDL-4 is a bootkit, which means that it infects the MBR in order to launch itself, thus ensuring that malicious code will run prior to operating system start. This is a classic method used by downloaders which ensures a longer malware lifecycle and makes it less visible to most security programs.
TDL nimbly hides both itself and the malicious programs that it downloads from antivirus products. To prevent other malicious programs not associated with TDL from attracting the attention of users of the infected machine, TDL-4 can now delete them. Not all of them, of course, just the most common.
...
Command and control server statistics
Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.
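The anecdote above hinges on not having "a secure copy of the MBR", and the Securelist excerpt explains that TDL-4 persists by overwriting the MBR so its code runs before Windows does. The following is an added example, not code from the forum post or from Kaspersky's analysis, showing the generic check a practitioner would run from a LiveCD: read the first 512-byte sector, hash only the bootstrap code (bytes 0..439), and compare it against a baseline hash recorded from the known-good disk and stored offline. It contains no TDL-4 signatures; the sample sectors, the placeholder boot code bytes, and the single NTFS partition entry are constructed for the demonstration, and `read_mbr` is the only part that touches a real device (it assumes a classic MBR layout and needs root).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code on a classic MBR
PART_TABLE_OFFSET = 446        # four 16-byte partition entries occupy 446..509
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a block device, e.g. /dev/sda (requires root)."""
    with open(device_path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table and signature are
    excluded so that legitimate repartitioning does not trip the comparison."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare a sector against a baseline hash and report structural anomalies."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append("sector is not 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr) if len(mbr) == MBR_SIZE else []
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged active")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    return {"clean": not findings, "findings": findings, "partitions": parts}


def _build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code plus one active NTFS partition."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    # slot 0: active (0x80), type 0x07, CHS fields zeroed, start LBA 2048, 200000 sectors
    struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 200000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed samples (placeholder bytes, not real loader or TDL-4 code): a "clean"
# sector, and a variant whose bootstrap code was replaced while the partition table
# was left intact, so the machine still boots normally -- the property a bootkit
# relies on and the reason the partition table alone is not worth checking.
CLEAN_MBR = _build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" * 20)
INFECTED_MBR = _build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 157)
CLEAN_BASELINE = boot_code_hash(CLEAN_MBR)   # in practice: recorded from a known-good disk

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(sample, CLEAN_BASELINE))
```

Record the baseline immediately after a clean install (`boot_code_hash(read_mbr("/dev/sda"))`) and keep it off the machine; a hash stored on the same disk can be rewritten by whatever rewrote the MBR. Run the check from a LiveCD rather than from the installed OS, since a bootkit that is already running can filter what the OS sees when the disk is read, which is the same reason the hidden keylogger files in the post only showed up from Dolphin on the LiveCD.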