The ‘indestructible’ botnet

Posted: Sun 03 Jul 2011, 22:11
by aarf

Posted: Mon 04 Jul 2011, 02:58
by Flash
....The way in which the new version of TDL works hasn’t changed so much as how it is spread - via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

Affiliates receive between $20 to $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.....

....Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab’s analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which used proxy servers to support the botnet.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.
Why not Russia? :roll:

Posted: Mon 04 Jul 2011, 07:31
by nooby
How can a curious person find out if his computer is affected?

Was it MS or some other big company, or who was it, that asked the European Union to set up some test so that the ISP would only allow a computer access if the owner could show that it was run with the prescribed antivirus and router settings and so on? A kind of certification of every computer before allowing them to run at all on the internet.

Would that stop the indestructible botnet?

Telling 4 million users to look for a virus on their computers is not easy.
They will not trust the warning or advice, taking it to be a fake and thinking that they got a spam message instead.

Posted: Wed 13 Jul 2011, 10:09
by dru5k1
nooby wrote: How can a curious person find out if his computer is affected?
You can use f-prot or clamav (http://puppylinux.org/wikka/ClamAV); these are mainly for USB drives and suspect downloaded files (that you'll be sharing to someone's Windows computer) though, and maybe Windows HDDs.

Don't bother with rkhunter or chkrootkit on Puppy, because they don't work.
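
As an added example, not code from dru5k1's post, from Puppy or from ClamAV: a small POSIX sh wrapper that scans a mounted USB stick or Windows partition with clamscan from Puppy and pulls the infected-file count and flagged paths out of the scan output. The mount point /mnt/sdb1, the log path and the signature name in the comments are assumptions; clamscan (and optionally freshclam) must be installed from the Puppy Package Manager.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppy/ClamAV.
# Scans a mounted USB stick or Windows partition with clamscan and extracts
# the infected-file count and flagged paths from the scan output. Assumes
# clamscan (and optionally freshclam) are installed and the target is already
# mounted, ideally read-only so the scan cannot touch the disk, e.g.:
#   mount -o ro /dev/sdb1 /mnt/sdb1      (device and mount point are assumed)

# Refresh signatures first; an old database misses recent malware.
# freshclam needs network access, so a failure is reported but not fatal.
update_sigs() {
    if command -v freshclam >/dev/null 2>&1; then
        freshclam || echo "freshclam failed; using existing signatures" >&2
    fi
}

# Print the N from clamscan's "Infected files: N" summary line (0 if absent).
# $1 = captured clamscan output
parse_infected() {
    n=$(printf '%s\n' "$1" | sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Print "path: signature" for every line clamscan flagged with FOUND.
# $1 = captured clamscan output
list_found() {
    printf '%s\n' "$1" | sed -n 's/ FOUND$//p'
}

# Scan a directory recursively; only hits are printed and everything is logged.
# Exit status follows clamscan: 0 clean, 1 infections found, 2 scan error.
# $1 = directory to scan, $2 = log file (optional)
scan_dir() {
    dir=$1
    log=${2:-/tmp/clamscan-$(date +%Y%m%d-%H%M%S).log}
    out=$(clamscan --recursive --infected --log="$log" "$dir" 2>&1)
    rc=$?
    echo "infected files under $dir: $(parse_infected "$out") (log: $log)"
    list_found "$out"
    return "$rc"
}

# Usage: sh scan_mount.sh /mnt/sdb1 [logfile]
if [ "$#" -gt 0 ]; then
    update_sigs
    scan_dir "$@"
fi
```

The scan is only as good as the signature database, which is why update_sigs runs first; mounting the Windows partition read-only keeps a scan from Puppy from changing anything on the disk, and the log file gives you something to show the owner of the Windows machine.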

Posted: Wed 13 Jul 2011, 10:58
by nooby
Yes, I tested one of these and they seem to give very many false positives.

I do have a free antivirus on Windows, but I never log in to Windows, so I guess they are a year old or something.

F-Prot, are they really known to have the latest malware detection?

I mean more like what happened to you. AFAIK none of those warned you.

What you noticed was a slowdown, and then he told you about it.
Had he not revealed that he did it, you would still wonder what the slowdown was about?

Posted: Wed 13 Jul 2011, 12:56
by dru5k1
No, I knew 'straight away' something was happening; Puppy works FAST and almost never slows down.

OK, so clamav can have false positives; well, fprot (in the puppy-lucid repo, in the Puppy Package Manager) is said to have fewer, you can try that. (I'm assuming you are using 5.25; some earlier versions of Puppy I think have an fprot auto-installer, so if the Puppy community decided that fprot was to be included it just may be better, right?)

On topic: good read. Sophisticated stuff.

Posted: Wed 13 Jul 2011, 14:05
by nooby
Thanks dru5k1, I am using Snow 5, which is based on many ideas but mainly on Lupu 513 I guess. But sure, I have 525 installed too, so I could test F-Prot on that one. Thanks for explaining how it works.