TDSS: Political botnetsMy Russian colleagues Aleksandr Matrosov and Eugene Rodionov have been putting in some serious research in recent months on the TDSS/TDL family of malware, at present in what is generally considered to be its fourth incarnation. It seems that this highly adaptive malware has introduced a new wrinkle, a new plug-in that heralds a change of direction. Previously, TDL zombies have taken their instructions from a C&C server. However, Win32/Olmarik.AVA zombies communicate with each other using the Kademilia DHT (distributed hash table) peer-to-peer protocol. In this topography, each node is both a bot client and a C&C server.
Unfortunately (from our point of view), this makes the botnet much more resilient. The configuration information and payload are shared between all the compromised machines: You can't expect to disable some or all of the network by taking down “master” machines.
There's more technical detail on this latest variant here, but if you'd like more information on TDL in general, here are some resources:
· A paper by Aleks and Eugene on The Evolution of TDL: Conquering x64 (which is in the process of revision in order to accommodate the new information), and their article for Virus Bulletin on Rooting about in TDSS.
· A series of articles by Aleks, Eugene and myself at Infosecinstitute.com:
o TDSS part 1: The x64 Dollar Question
o TDSS part 2: Ifs and Bots
o TDSS part 3: Bootkit on the other foothttp://blog.eset.com/?s=tdss