TDL-4 is sophisticated malware that facilitates the creation and maintenance of a botnet. The program is the fourth generation of the TDL malware, which was itself based on an earlier malicious program known as TDSS or Alureon. Like other botnets, the TDL network is used for spam and malware dissemination, denial-of-service (DoS) attacks, password theft and other types of online fraud.
TDL-4 typically infects a computer via a drive-by download through a questionable website, often a distributor of pornography or pirated media. The malware uses a multi-pronged approach that makes it especially difficult to detect and defend against.
Infection spreads rapidly through peer-to-peer networks, and botnet control instructions are likewise passed from one peer to another. Most botnets are controlled by just a few command-and-control servers; the decentralized approach used by TDL-4 – sometimes called a serverless or peer-to-peer botnet – makes its source almost impossible to trace.
Once TDL-4 is installed, it downloads additional malware and crimeware programs to the host computer. The software searches the system for any competitor’s malware and removes it. The malware also encrypts its communications to hide them from the traffic-analysis tools that are sometimes used to detect suspicious transmissions. Furthermore, because it installs itself in the master boot record (MBR), its code runs before the operating system loads.
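Because an MBR bootkit must overwrite the 446-byte bootstrap area at the start of the disk, one practical defender check is to parse that sector and compare its boot code against a hash captured from a known-good baseline. The script below is an added example written for this article, not code from the original page or from Kaspersky Lab; the MBR images it analyses are constructed test data (a stub boot code and a single partition entry), not a real disk image or a TDL-4 sample, and the baseline hash is derived from that constructed image.

```python
"""MBR integrity check: parse a 512-byte master boot record, validate its
structure and compare the bootstrap code against a known-good hash.
Added example; the sample MBR bytes below are constructed, not real."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code area a bootkit has to rewrite
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the code
SIGNATURE_OFF = 510      # 0x55 0xAA boot signature closes the sector


def parse_partition_table(mbr: bytes):
    """Return the four primary partition entries as dicts.

    Entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes),
    LBA start (u32), sector count (u32); CHS fields are skipped here."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        status, type_id, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, off)
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": type_id,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def check_mbr(mbr: bytes, baseline_boot_hash: str):
    """Validate the sector and compare its boot code with the baseline.

    'boot_code_changed' is the signal a defender would alert on: a bootkit
    that wants to run before the OS loads must modify this region."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    findings = {}
    findings["signature_ok"] = mbr[SIGNATURE_OFF:] == b"\x55\xaa"
    boot_hash = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    findings["boot_code_sha256"] = boot_hash
    findings["boot_code_changed"] = boot_hash != baseline_boot_hash
    parts = parse_partition_table(mbr)
    findings["partitions"] = parts
    # More than one bootable flag is invalid and worth flagging on its own.
    findings["bootable_count"] = sum(p["bootable"] for p in parts)
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal MBR (constructed test data, not from a real disk):
    the given boot code, one bootable NTFS-type (0x07) partition at LBA 2048,
    three empty entries and the boot signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48
    return code + table + b"\x55\xaa"


# Constructed "known-good" image and the baseline taken from it.
KNOWN_GOOD = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = hashlib.sha256(KNOWN_GOOD[:BOOT_CODE_LEN]).hexdigest()
# Constructed image whose boot code differs from the baseline.
TAMPERED = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 40)

if __name__ == "__main__":
    for label, image in (("known-good", KNOWN_GOOD), ("tampered", TAMPERED)):
        r = check_mbr(image, BASELINE_HASH)
        print("%-10s signature_ok=%s boot_code_changed=%s bootable=%d" % (
            label, r["signature_ok"], r["boot_code_changed"],
            r["bootable_count"]))
```

On a live system the 512 bytes would be read from the raw disk device with administrative rights, but a rootkit that filters disk I/O can hand a clean copy of the sector back to software running inside the infected operating system; the reliable comparison is therefore made from offline media, and the baseline hash should be recorded before the machine is exposed.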
According to Sergey Golovanov and Igor Soumenkov of Kaspersky Lab, TDL-4 is “the most sophisticated threat today” and “practically indestructible.”
In the first three months of 2011, about 4.5 million computers were infected by TDL-4, approximately a third of which were in the United States.