Kaspersky Lab researchers have uncovered a super-botnet thought to have infected as many as 4.5 million devices so far in 2011, with 1.5 million of the infected IPs in the United States.
The massive botnet infection was achieved using TDSS rootkits, an ever-evolving malware class that targets Windows operating systems at the kernel level.
Late in 2010 a version of the TDSS rootkit known as TDL4 or Alureon, sometimes referred to as a "bootkit", was developed which installs itself in the master boot record (MBR) of an infected PC and runs kernel-level code from there.
TDL4 exploits the fact that Windows can be made to load unsigned drivers, manipulating which code the operating system recognizes as permitted to run at that level.
Although there have been numerous patches released over the last two years to eliminate risks posed by TDSS rootkits, newer versions of the old foe keep surfacing faster than they can be mitigated.
“We don’t doubt that the development of TDSS will continue. Active reworkings of TDL-4 code, rootkits for 64-bit systems, the use of P2P technologies, proprietary anti-virus and much more make the TDSS malicious program one of the most technologically developed and most difficult to analyse,” said Kaspersky researcher Sergey Golovanov.
Analysis of the malware indicates the code involved is highly sophisticated, evidence that cyber criminals are willing to devote considerable resources to development when there is the opportunity to readily profit from the endeavor.
The latest version of the TDL4 loader identified by Kaspersky Lab, called Net-Worm.Win32.Rorpian, is now equipped with self-propagating capabilities and can spread through removable media in a similar manner to many other malware strains.
More unusually, the new loader variant can also infect machines with TDL4 over local area networks (LAN) by creating a rogue DHCP server and waiting for connected machines to request an IP address. The request is answered so that a DNS server under the attackers' control redirects the targeted machine to a malicious site for infection.
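The LAN propagation described above works only if a client accepts a DHCP lease from a server the network owner never deployed. A defender can catch that on the wire by auditing DHCP OFFER packets against an allow-list of legitimate DHCP servers and DNS resolvers. The following example is added here and is not code from the article or from Kaspersky Lab; it parses the DHCP option region of raw packet bytes (the 236-byte BOOTP header, the magic cookie, then TLV options) and flags offers whose server identifier (option 54) or advertised DNS servers (option 6) are not on the allow-list. The packets, server addresses and DNS addresses are constructed for illustration and use RFC 5737 documentation ranges; in practice the bytes would come from a packet capture or a raw socket on the segment being monitored.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236
OPT_PAD, OPT_END = 0, 255
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
MSG_OFFER = 2


def parse_dhcp_options(packet):
    """Return {option_code: raw_value} from the option region of a DHCP packet.

    Raises ValueError on malformed or truncated input rather than guessing.
    """
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    opts = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ip_list(raw):
    """Decode a concatenation of 4-byte IPv4 addresses; ignores a trailing partial address."""
    usable = len(raw) - len(raw) % 4
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, usable, 4)]


def audit_offer(packet, trusted_servers, trusted_dns):
    """Return a list of (finding, address) tuples for an OFFER that deviates from the allow-lists.

    Non-OFFER messages produce no findings; a rogue server is reported once and
    each untrusted DNS resolver it advertises is reported separately.
    """
    opts = parse_dhcp_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([MSG_OFFER]):
        return []
    findings = []
    for server in ip_list(opts.get(OPT_SERVER_ID, b"")):
        if server not in trusted_servers:
            findings.append(("rogue-dhcp-server", server))
    for resolver in ip_list(opts.get(OPT_DNS, b"")):
        if resolver not in trusted_dns:
            findings.append(("untrusted-dns-server", resolver))
    return findings


def build_offer(server_id, dns_servers):
    """Construct a minimal DHCP OFFER (test data only; real captures carry more fields)."""
    header = bytearray(236)
    header[0] = 2   # op: BOOTREPLY
    header[1] = 1   # htype: Ethernet
    header[2] = 6   # hlen: 6-byte MAC
    body = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, MSG_OFFER])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    body += bytes([OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return bytes(header) + body


# Constructed allow-lists and sample offers (documentation address ranges, not real hosts).
TRUSTED_SERVERS = {"192.0.2.1"}
TRUSTED_DNS = {"192.0.2.53"}
LEGIT_OFFER = build_offer("192.0.2.1", ["192.0.2.53"])
ROGUE_OFFER = build_offer("192.0.2.77", ["198.51.100.9", "192.0.2.53"])


def run_demo():
    """Audit both constructed offers and return their findings."""
    return {
        "legit": audit_offer(LEGIT_OFFER, TRUSTED_SERVERS, TRUSTED_DNS),
        "rogue": audit_offer(ROGUE_OFFER, TRUSTED_SERVERS, TRUSTED_DNS),
    }


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings or "clean")
```

The check is deliberately strict about malformed packets: a parser that silently tolerates truncated options would let an attacker craft offers that pass inspection yet are interpreted differently by the client's DHCP implementation. Alerting on an unexpected server identifier is the high-value signal, since a legitimate server's DNS settings rarely change without a change ticket.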
There is no doubt that the latest incarnation of TDL4, equipped with these self-propagating features, will ensure that the threat from TDSS rootkits remains relevant for some time to come.
The developers of the malware hope that their focus on 64-bit versions of the malware will keep them ahead of researchers and antivirus software as more end users adopt 64-bit systems.
“Cybercriminals are trying to future-proof themselves. They know that a lot of systems are going to go 64-bit,” said fellow Kaspersky researcher Ram Herkanaidu.