Kaspersky has published a comprehensive analysis of one of the most sophisticated bots found today: version 4 of TDL, a malicious program that first came to light in 2008.
Between January and March 2011, TDL4 is estimated to have infected more than 4.5 million computers worldwide. The botnet installs all kinds of money-making malware, such as fake antivirus programs, and it is also used for click fraud, ghost traffic and manipulation of search results, among other things.
More than 1 million of these bots are in the United States. Given what affiliate programs pay per thousand infected computers in that country (about 180 dollars, and negotiable), in three months the cybercriminals may have earned more than 200 thousand dollars, and that is only for bot installations; the whole market built around botnets lets them earn much more.
The following are some of its characteristics:
Version 3 was considered one of the best rootkits ever; such programs have the ability to hide themselves from antivirus and other anti-malware software. TDL3 also infected the boot sector (MBR) so that it runs before the operating system starts (a bootkit). Version 4 goes further and includes its own "antivirus" to remove competing bots such as ZeuS and Gbot, among other well-known ones.
It is controlled through a public P2P network and uses its own encryption algorithm for the connections between infected computers and the control centers; this prevents the packets sent over the network from being analyzed, both by researchers and by competing cybercriminals.
It includes a proxy module that uses infected computers to offer anonymous internet browsing (a service rented out to other cybercriminals), and it can also infect 64-bit Windows systems.
In the following Kaspersky articles you can find more information and details about the latest version of TDL and the previous ones:
– TDL4, the most sophisticated bot (read in English).
– Review of previous versions of TDL (read in English).