
Every time another botnet is defeated by the joint efforts of private companies and government organizations, it is replaced by the next, more advanced and sophisticated one. As in the wild, among computer viruses and other malware the strongest always wins.

Kaspersky Lab analyzed the activities of one of the most interesting botnets currently in operation, the so-called Alureon, built on the basis of the TDL-4 rootkit (which Eset recently wrote about on Habr on its blog). And there really is something to see here: the architecture of the botnet and its underlying technology were instantly described by various Internet publications as "indestructible". The 4.5 million infected machines also hint at the strength of the architecture used.
Actually, TDL-4 was originally designed to avoid destruction or deletion, whether by law enforcement, anti-virus programs or competing botnets. When installed, TDL-4 removes all other malicious software from the host computer, so that the user does not notice strange behavior and does not try to restore the machine to normal operation. The goal is clear as daylight: the rootkit tries to remain inconspicuous, because in most situations it is the user, not a program, who notices changes in the computer's operation (sharp spikes in network traffic, reduced performance, etc.).

To make this mimicry as effective as possible, the rootkit (more precisely, a bootkit) infects the master boot record (MBR), the disk sector responsible for loading the operating system. This means the rootkit code is loaded before the OS, let alone the anti-virus, which makes finding and removing it even less trivial. TDL-4 also encrypts its network traffic using SSL in order to avoid detection by other programs, both benign and malicious.
The most remarkable feature of Alureon is its use of the Kad decentralized P2P network (used, for example, by eMule) for communication between nodes. With its help, the botnet creates its own network of infected machines, allowing them to exchange traffic without central servers and to find new computers to expand the network.

This is done precisely to increase the network's resilience. All previous takedowns of botnets were carried out with the help of government organizations that cut off the command and control centers once these had been located, as happened with Rustock, where Microsoft determined the location of the central hubs. As a rule there are not many such servers, several dozen at most, but it is through them that spam, DDoS attacks and so on are managed, and they also represent the greatest vulnerability of any botnet.

Alureon stands out from the competition, firstly because it uses about 60 such centers, and secondly because it does not depend on their continued existence: the owner of the botnet can control the entire network even if the infected machines cannot reach the servers, since it is built on the peer-to-peer principle. Encryption allows the servers to be hidden, and the decentralized network allows the location of the central node to be changed.

Of course, rootkits have used P2P networks in botnets before, but only in very rare and exceptional cases did they reach the size Alureon has grown to. This gives it not only flexibility in communication within the network, but also high resistance to destruction. Therefore, techniques used against other botnets may not work against this specimen.

The malware itself spreads primarily through file-sharing and pornographic sites. Recently, another infection method was found: a rogue DHCP server that makes computers use a malicious DNS server, which in turn directs users to pages containing the rootkit. Another notable feature of the TDL-4 code (also known as TDSS) is the "poisoning" of search engine results by creating additional proxy servers that load the program onto a computer.

In addition to classic services like spam and DDoS attacks, the operators of this botnet offer the exclusive option of using any computer on the network as a proxy server to anonymize Internet traffic. For only $100 a month, they will even provide a special Firefox plugin to make such an anonymous proxy system easier to use.

Destroying such a botnet will be a daunting task. Its researchers are already talking about specially crafted requests to the servers to obtain statistics on the number of infected computers, and Kaspersky experts have found several databases located in Moldova, Lithuania and the United States that contain the proxy servers on which the botnet functions.

The comments on the research also note that in a corporate network (where web access goes through an HTTP/HTTPS proxy), infected machines can be found using DNS server logs: the signal can be a DNS request coming from the workstation itself, since normally DNS requests come from the proxy server.
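As an added example (not part of the original article or of Kaspersky's research), the following Python script applies that heuristic to a handful of constructed BIND-style query-log lines. It assumes a hypothetical proxy address (10.0.0.2) and a hypothetical internal domain (corp.example); any other host that resolves external names on its own is reported as bypassing the proxy.

```python
import re
from collections import defaultdict

# Constructed BIND-style query-log lines for this example (not real data).
SAMPLE_LOG = """\
client 10.0.0.2#41233: query: www.example.com IN A +
client 10.0.0.2#41234: query: cdn.example.net IN A +
client 10.0.0.17#53211: query: fileserver.corp.example IN A +
client 10.0.0.23#60117: query: tracker.example.org IN A +
client 10.0.0.23#60118: query: update.example.biz IN A +
client 10.0.0.2#41235: query: mail.example.com IN MX +
client 10.0.0.41#51002: query: printer.corp.example IN A +
"""

# Assumed site facts (hypothetical): only the web proxy should resolve
# external names, and everything under corp.example is internal.
PROXY_HOSTS = {"10.0.0.2"}
INTERNAL_SUFFIXES = (".corp.example",)

LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (client_ip, queried_name, qtype) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            name = m.group("name").rstrip(".").lower()
            yield m.group("client"), name, m.group("qtype")


def is_internal(name):
    """True for names inside the corporate zone, which clients may resolve."""
    return name.endswith(INTERNAL_SUFFIXES)


def find_proxy_bypass(text, proxy_hosts=PROXY_HOSTS):
    """Return {client_ip: [external names]} for workstations that resolved
    external names themselves instead of letting the proxy do it."""
    suspects = defaultdict(list)
    for client, name, _qtype in parse_query_log(text):
        if client in proxy_hosts or is_internal(name):
            continue
        suspects[client].append(name)
    return dict(suspects)


if __name__ == "__main__":
    for host, names in find_proxy_bypass(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} external lookups, e.g. {names[0]}")
```

The check is deliberately coarse: a hit means a workstation is talking to the outside world without the proxy, which in a proxy-only network is worth investigating regardless of which malware family is behind it. Internal names are excluded because workstations legitimately resolve those themselves.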
Kaspersky Lab via RRW via ArsTechnica