Analyzing the Indestructible Botnet

Researchers have recently been tracking a new version of the TDL botnet, which alternately goes by the name of TDSS or Alureon. This new variant has gotten a great deal of attention in the press for its new features that protect the botnet from a traditional decapitation take-down, such as Microsoft’s actions against the Rustock botnet earlier in the year. These features have led some to even refer to TDL-4 as “indestructible”.

While the news certainly sounds ominous, there is an important distinction here that needs to be called out. There is a very big difference between the way that the security industry goes about completely dismantling a botnet, versus the steps that an enterprise should use to protect itself from that same botnet. There are a whole host of challenges that make botnet takedowns very challenging, not the least of which is the need to take down the entire command and control infrastructure in a relatively short window of time. We discuss this challenge and a few others in our recent whitepaper on controlling botnets, which you can read here .

However, as enterprise security teams, we rarely get the opportunity to take down an entire botnet at the source. Instead we are often more locally focused on such things as preventing infections, finding users that are infected and limiting the scope of any damage. In short, our goal is not to be Eliot Ness out to take down Al Capone, but to prevent the crime coming in our front door. This is not to devalue in any way the good work that the industry is doing to take down botnets. This work is absolutely essential. However, these efforts do not replace our own responsibility to protect our users and networks from these threats on a daily basis. This area of enterprise network security is where there is actually some good news worth mentioning.

First and foremost, Palo Alto Networks has coverage for the TDL-4 botnet as part of the Threat Prevention module to directly protect against TDL-4 at the network level. This includes signatures for the infecting files, DNS behavior and command-and-control traffic. Secondly, the changes that we see in TDL-4 are well-known techniques that hackers and malware use to avoid security solutions, and that more importantly, can  be controlled with the next-generation firewall today. (Note: For a deep analysis of TDL-4 behavior, be sure to check out the excellent analysis from Kasperky Labs here). In particular, TDL-4 uses a specialized encryption to protect its network communications, it leverages a publicly available P2P network for command and control, and also has the option to install a proxy server on infected hosts to both protect communications and even offer an anonymous web-surfing service. So those of you who are familiar with the Palo Alto Networks next-generation firewall will quickly recognize that all of these components are items that we can identify and control at the firewall.

Proprietary encryption is certainly nothing new, and it is one of the reasons that heuristic analysis has been designed into the fabric of App-ID. This ability to identify encrypted traffic is a fundamental requirement for controlling applications such as BitTorrent and UltraSurf, which is we have been doing for years. We also have the ability to identify unknown encrypted traffic, which has already proven quite helpful in identifying end-user machines that are infected by a bot.

Additionally P2P applications and networks have long been associated with botnets. The difference here is how the bot is using the peer-to-peer network. The change is actually quite interesting – the bot has established a method for delivering configuration files via the P2P network and also to create a personalized P2P network that consists of only infected hosts. This last part essentially allows the P2P network to act as a distributed command and control infrastructure that could allow the botnet to survive even the loss of the true command and control servers. This is where the botnet gets its indestructible moniker. And once again, controlling unauthorized P2P usage is a basic function of the next-generation firewall. So while this development creates new challenges for completely defeating the botnet, it does not affect our ability to control the bot when on our enterprise networks.

Lastly, we can look at the use of proxies on infected machines. Obviously both users and hackers have been using proxies for quite some time to anonymize their traffic and circumvent various security controls. The interesting part here is that the botnet will install a proxy server on an infected machine and actually use that machine as part of an anonymous web-surfing service. This allows the criminal organization to essentially create and sell access to its own private Tor network. Here again, this use of unapproved proxies is something that the next-generation firewall can easily see and control.

So to summarize for a security manager, the response to the indestructible bot is largely the same as the response for other bots. Look for unknown encrypted traffic to identify a potentially infected host (use the behavioral botnet report to automate this analysis). Block any unauthorized use of peer-to-peer, and block any unauthorized use of proxies or other circumventing applications. While these actions may not make the botnet itself crumble, they will provide a way to control the risk on your network. We discuss these topics and a few more details on TDL-4 in the most recent Threat Review, which can watch here