One botnet to rule them all - Alureon (TDL-4)
Each time a botnet is defeated by the joint efforts of private companies and government organizations, it is replaced by the next, more advanced and sophisticated one. As in the wild, among computer viruses and other malware the strongest always wins.
Kaspersky Lab analyzed the activities of one of the most interesting botnets currently operating - the so-called Alureon, built on the basis of the TDL-4 rootkit (which I recently wrote about on Habr in the Eset company blog). There really is something to see here: the architecture of the botnet and its underlying technology were instantly characterized by various Internet publications as "indestructible", and 4.5 million infected machines also hint at the strength of the architecture used.
TDL-4 was in fact designed from the outset to avoid destruction or removal, whether by law enforcement, an antivirus program, or competing botnets. Upon installation, TDL-4 removes all other malicious software from the host computer so that the user does not notice strange behavior and does not try to restore the machine's normal operation. The goal is clear as day: the rootkit tries to remain inconspicuous, because in most situations it is the user, not a program, who notices changes in the computer (sudden bursts of network traffic, decreased performance, and so on).
To make this mimicry as effective as possible, the rootkit (or rather, the bootkit) infects the master boot record (MBR) of the hard disk, the area responsible for loading the operating system. This means the rootkit code is loaded even before the OS, let alone the antivirus, which makes finding and removing it an even more non-trivial task. TDL-4 also encrypts its network traffic using SSL in order to avoid detection by other programs, both benign and malicious.
Alureon's most notable feature is its use of the decentralized Kad P2P network (used, for example, by eMule) to communicate between nodes. With its help, the botnet creates its own network of infected machines, allowing them to exchange traffic without central servers, and also finds new computers to expand the network.
This is done precisely to increase the resilience of the network. All previous takedowns of botnets were carried out with the help of government organizations, which disconnected the command and control centers once they had been located; in the case of Rustock this happened with the help of Microsoft, which determined the location of the central nodes. As a rule, there are not very many such servers (several dozen), but it is through them that spam, DDoS attacks and the like are managed, and they represent the greatest vulnerability of any botnet.
Alureon stands out from its competitors, firstly, in that it uses about 60 such centers, and secondly, in that it does not depend on them staying up: the botnet owner can control the entire network even if infected machines cannot reach the servers, since it is built on the peer-to-peer principle. Encryption allows the centers to be hidden, and the decentralized network allows the location of a central node to be changed.
Of course, rootkits have used P2P networks to build botnets before, but only in very rare and exceptional cases did their size approach what Alureon has grown to. This gives it not only flexibility in communication within the network, but also high resistance to destruction. Therefore, techniques used against other botnets may have no effect on this specimen.
The malware itself is distributed primarily through file-sharing and pornographic sites. Recently, another way of infecting computers was found: setting up a rogue DHCP server that forces computers to use a malicious DNS server, which in turn directs users to pages containing the rootkit. Another noteworthy feature of the TDL-4 code (known as TDSS) is the "poisoning" of search engine results by creating additional proxy servers that download the program to the computer.
In addition to classic services like spam and DDoS attacks, the operators of this botnet offer an exclusive option to use any computer on the network as a proxy server that anonymizes Internet traffic. For only $100 per month, you will even be provided with a special Firefox plugin to make it easier to use this anonymous proxy system.
Destroying such a botnet will not be an easy task. Researchers are already talking about specially crafted server requests to obtain statistics on the number of infected computers, and Kaspersky experts have found several databases located in Moldova, Lithuania and the USA that contain the proxies on which the botnet operates.
Also, in the comments to the work, it is noted that in a corporate network (one using an HTTP/HTTPS proxy) infected machines can be found using the DNS server logs: the signal is a DNS query for an external name coming directly from a workstation, since normally such queries come only from the proxy server.
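To make that detection idea concrete, here is an added example (my code, not from the article or from Kaspersky's research) that scans DNS server log lines for workstations resolving external names directly, bypassing the corporate proxy. The log line format, the proxy address (10.0.0.5), the internal domain suffix (.corp.example) and the sample log lines are all constructed assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample DNS server log (not real data); assumed line format:
# "<timestamp> client <ip> query: <name>"
SAMPLE_LOG = """\
2011-07-01T09:00:01 client 10.0.0.5 query: intranet.corp.example
2011-07-01T09:00:02 client 10.0.0.5 query: www.example.net
2011-07-01T09:00:03 client 10.0.1.23 query: mail.corp.example
2011-07-01T09:00:04 client 10.0.1.23 query: updates.example-cdn.com
2011-07-01T09:00:05 client 10.0.1.23 query: tracker.example.org
2011-07-01T09:00:06 client 10.0.1.42 query: fileserver.corp.example
"""

# Assumed: the only host that should resolve external names is the HTTP/HTTPS proxy.
PROXY_HOSTS = {"10.0.0.5"}
# Assumed: names under these suffixes are internal and may be resolved by anyone.
INTERNAL_SUFFIXES = (".corp.example",)

LINE_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+) query: (?P<name>\S+)")


def is_internal(name, internal_suffixes=INTERNAL_SUFFIXES):
    """True if the queried name belongs to one of the internal zones."""
    name = name.rstrip(".").lower()
    return any(name.endswith(suffix) for suffix in internal_suffixes)


def find_direct_resolvers(log_text, proxy_hosts=PROXY_HOSTS,
                          internal_suffixes=INTERNAL_SUFFIXES):
    """Return {client_ip: [external names]} for every non-proxy client that
    queried an external name. In a proxy-only network these clients deserve
    a closer look, since their software is talking to the Internet directly."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that do not look like query records
        ip, name = match.group("ip"), match.group("name")
        if ip in proxy_hosts or is_internal(name, internal_suffixes):
            continue
        suspects[ip].append(name)
    return dict(suspects)


def report(log_text):
    """Human-readable summary, one line per suspicious client."""
    lines = []
    for ip, names in sorted(find_direct_resolvers(log_text).items()):
        lines.append(f"{ip}: {len(names)} direct external queries ({', '.join(names)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Because the check is driven purely by the source address and the queried zone, it does not depend on any signature of the malware and works for any software that bypasses the proxy; the usual caveat is to also exempt legitimate direct resolvers such as mail relays or monitoring hosts, otherwise they show up as false positives.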
Kaspersky Lab via RRW via ArsTechnica