TDL-4 Indestructible or not???

Our analysis, “TDL4 – Top Bot” by Sergey Golovanov and Igor Soumenkov, has rightly been getting a lot of attention. It’s an excellent analytical article which dissects TDL-4, a very sophisticated and complex piece of malware and the latest version of TDSS.

Some commentators and other security researchers however, focusing on our use of the word “indestructible” in the article, seem to think that we believe the malware is indestructible. This is clearly not the case – that’s why we put the word in inverted commas. In fact, our own TDSS Killer can remove the malware.

The key line from the article is, “The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.”

It is the botnet which its owners want to bulletproof. To help achieve this, TDL-4 uses its own encryption algorithm for communication between infected computers within the botnet:

“The new protocol encryption algorithm for communications between the botnet control center and infected machines ensures that the botnet will run smoothly, while protecting infected computers from network traffic analysis, and blocking attempts of other cybercriminals to take control of the botnet.”

On top of this, it uses a publicly accessible file exchange network, the KAD network, for peer-to-peer communication between infected computers. In this way, even if the command-and-control servers are shut down, the owners of the botnet will still be in control of it.

Hopefully this has cleared up any misunderstandings relating to the article.
