New 'Indestructible' TDL Botnet Infects 4.5M PCs

By Dennis Faas

Around 4.5 million computers have been caught in a botnet that some experts are calling as good as indestructible. Others, however, say that's an exaggeration.

The botnet in question is named TDL-4. In many senses, it's like any other botnet: once a computer becomes infected with the malicious software, it is controlled remotely and used for nefarious purposes.

Many times the zombie PCs in a botnet (also known as a "botnet army") are used to send bogus page requests to websites in an attempt to knock them offline, an attack referred to as a distributed denial-of-service, or "DDoS", attack. Such attacks have successfully knocked out big-name websites, including Mastercard, Twitter, Facebook, and others in the past.

Other times, botnets are used to send spam to millions of people, or possibly even monitor the host computer for passwords and financial information.

Instant-On Feature Bypasses Security Software

But the TDL-4 botnet has several features that differ from a regular botnet, making it incredibly difficult to dethrone.

One feature is that the malware embeds itself in a part of the PC that loads before Windows does, so it is already running virtually the moment the computer is switched on. That makes it almost impossible to catch and block with Windows-based security software.

TDL-4 also has a built-in virus removal program that removes competing botnet software in order to monetize the infected machine as much as possible. That tactic is also designed to make it less likely that security software will flag any form of problem whatsoever, reducing the chances that the user will take a close look at what should and shouldn't be on the machine.

TDL-4 Communication Encrypted, Peer-to-Peer Style

It's the communications system on the TDL-4 botnet that is most significant.

For one, the communications are heavily encrypted, making it harder to monitor activity. For another, the commands aren't sent from the botnet controllers to the infected computers through a straightforward connection, such as the kind a user makes when browsing a website.

In the past, a botnet could be severed if its main command-and-control machine was removed. This is no longer the case: instead, instructions are transmitted through a peer-to-peer network, similar to those used for BitTorrent file-sharing.

That means that if the communications are disrupted by officials, whether by taking legal control of domain names or physically seizing servers, the offenders can simply switch to a different machine on the network and re-establish communications.
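A toy simulation of that resilience argument, added here as an illustration and not taken from the article: a star-shaped botnet (every bot talks only to one control server) versus a mesh in which bots relay commands to each other. The graphs, node counts and takedown rule are constructed assumptions, not TDL-4's real topology.

```python
"""Why seizing servers breaks a centralized botnet but not a peer-to-peer one.

Constructed illustration: a star graph stands in for a classic C&C botnet,
a random mesh for a P2P one. Neither is TDL-4's actual network.
"""
import random
from collections import deque


def star_graph(n_bots):
    """Node 0 is the C&C server; every bot links only to it."""
    return {i: ({0} if i else set(range(1, n_bots + 1))) for i in range(n_bots + 1)}


def mesh_graph(n_bots, degree, seed=0):
    """Each bot opens links to `degree` random peers (edges are symmetric)."""
    rng = random.Random(seed)
    nodes = list(range(n_bots))
    graph = {i: set() for i in nodes}
    for i in nodes:
        for j in rng.sample([k for k in nodes if k != i], degree):
            graph[i].add(j)
            graph[j].add(i)
    return graph


def reachable_fraction(graph, seized, source):
    """Fraction of surviving nodes that still receive commands injected at
    `source` once every node in `seized` has been taken offline."""
    alive = {n: nbrs - seized for n, nbrs in graph.items() if n not in seized}
    if source not in alive:
        return 0.0
    seen, queue = {source}, deque([source])
    while queue:  # plain breadth-first search over the surviving links
        for nxt in alive[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen) / len(alive)


def takedown_demo(n_bots=200, seized_count=10, seed=0):
    """Seize the star's hub, then the same number of random mesh nodes, and let
    the operator re-issue commands from a surviving bot in each case.
    Returns (star_fraction, mesh_fraction) of bots still reachable."""
    star_frac = reachable_fraction(star_graph(n_bots), {0}, source=1)
    mesh = mesh_graph(n_bots, degree=4, seed=seed)
    seized = set(random.Random(seed).sample(range(n_bots), seized_count))
    survivor = next(n for n in range(n_bots) if n not in seized)
    return star_frac, reachable_fraction(mesh, seized, source=survivor)


if __name__ == "__main__":
    print(takedown_demo())
```

With the hub gone, a surviving bot in the star can reach only itself; in the mesh, losing ten nodes leaves nearly every bot still reachable from any remaining peer.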

'Indestructible Botnet' an Exaggeration, say Critics

Though these features mean TDL-4 is undoubtedly a serious problem, some tech bloggers have noted that even the most powerful viruses and other security threats have always been neutralized in the end.

And there are at least three ways in which a botnet of this kind could be defeated: there may be a flaw in the way the code is written, allowing it to be disrupted; the people behind the botnet could be traced and physically apprehended; or security software could be updated to track and block the virus widely enough that the botnet begins shrinking rather than expanding.
