"The Most Destructive Virus Ever?"

When you see a headline such as this, it's usually written by a non-technical writer in the general media. Or it may come from the producer of rogue security software, trying to scare the reader into buying their bogus program.

But the most recent source of this description is Kaspersky Labs, the legitimate and usually sober producer of Kaspersky Anti-Virus and Kaspersky Internet Security software. One of their milder descriptions refers to this as "the most sophisticated threat today" and even uses the term "indestructible" to describe this infection.

So, what is this virus that warrants such hyperbole, and is it justified? Actually, it's the latest generation in a family of malware known as TDSS (or TDL) rootkits, also sometimes referred to as Alureon or Tidserv; different anti-virus vendors frequently assign different names to the same piece of malware.

The first generation of these rootkits appeared in 2008 as TDL1. These were not particularly widespread or difficult to detect and remove using traditional anti-virus programs. TDL1 evolved into TDL2, bringing more sophistication but still not a major challenge for vendors of security software or IT Support staff.

The game changed in 2010, though, when TDL3 rootkits appeared on the scene. These quickly became some of the most widespread viruses affecting mainstream computer users, and their advanced capabilities were more than traditional anti-virus software could handle.

The major payload, or objective, of these rootkits is to turn the infected computer into a member of a botnet, which can then be controlled by the producer of the virus. That individual, in turn, sells access to his network of hijacked computers, which can number into the thousands.

Because a rootkit "hides" in normal Windows system files, its presence is not easily detected by anti-virus software or manual inspection in Task Manager. Even after more than one year of experience with TDL3 infections in the wild, most anti-virus software vendors are still largely ineffective in detecting and removing these viruses.

And now the malware authors have graduated to TDL4 rootkits. First showing up in early 2011, this latest generation of TDSS infections retains all of the functionality of the TDL3 variants that preceded them. But they include some important additions that have made them much more difficult to detect and remove.

The most significant advance in TDL4 is that it also infects the boot sector of the hard drive, so in addition to being a rootkit, a TDL4 virus is a bootkit. The effect of this approach is that the malicious code is loaded again every time the computer is booted from that hard drive, before Windows itself starts.

With the malicious code inserted at that basic level, the virus can block detection and thwart any efforts to remove it. Even software written specifically to scan for rootkits can be blinded to these infections as a result of the bootkit.
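One defensive check that follows from the boot-sector description above, added here as an illustration and not code from this article, from Kaspersky, or from any product named in the text: record a baseline of a disk's first sector (a hash of the bootstrap code area plus the partition table) while the machine is known to be clean, and compare later reads of that sector against the baseline. All data in the block is constructed sample data rather than a real disk dump, the function names are my own, and the device paths in the comments are the standard raw-device names on Windows and Linux.

```python
"""Baseline comparison for a 512-byte master boot record (MBR) image.

Added illustration: records what a clean first sector looked like and flags
later changes to its bootstrap code, partition table or boot signature.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_SIZE = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510..511 of a valid MBR


def build_sample_mbr(bootstrap_code: bytes) -> bytes:
    """Construct a sample MBR image for demonstration (constructed data, not a disk dump)."""
    if len(bootstrap_code) > CODE_AREA_SIZE:
        raise ValueError("bootstrap code does not fit in the 446-byte code area")
    code = bootstrap_code.ljust(CODE_AREA_SIZE, b"\x00")
    # One bootable (0x80) NTFS-type (0x07) partition at LBA 2048, 204800 sectors long.
    # The CHS fields are left zeroed; modern systems use the LBA fields.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)      # remaining three entries unused
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a code-area hash, the used partition entries and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    code = sector[:CODE_AREA_SIZE]
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) chs(3, skipped) type(1) chs(3, skipped) lba_start(4) num_sectors(4)
        status, ptype, lba_start, num_sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:                       # type 0 marks an empty entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": num_sectors})
    return {
        "code_sha256": hashlib.sha256(code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_against_baseline(sector: bytes, baseline_code_sha256: str,
                           baseline_partitions: list) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing or corrupted")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from the recorded baseline")
    if info["partitions"] != baseline_partitions:
        findings.append("partition table differs from the recorded baseline")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read the first sector of a raw block device (requires administrator/root rights)."""
    # Windows: \\.\PhysicalDrive0    Linux: /dev/sda
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


if __name__ == "__main__":
    # Record a baseline from a constructed clean image, then compare a changed image to it.
    clean = build_sample_mbr(b"CLEAN-BOOTSTRAP-CODE")
    baseline = parse_mbr(clean)
    print("clean image:", check_against_baseline(clean, baseline["code_sha256"], baseline["partitions"]))
    tampered = build_sample_mbr(b"REPLACED-BOOTSTRAP-CODE")
    print("modified image:", check_against_baseline(tampered, baseline["code_sha256"], baseline["partitions"]))
```

Two caveats follow from the article itself. The text says the bootkit can blind scanners running on the infected system, so a sector read from the live machine may not show the true on-disk contents; the comparison is only trustworthy when the suspect disk is read from a clean system or after booting from trusted media. And the check flags any change to the first sector, including legitimate ones such as a bootloader update or reinstall, so the baseline must be refreshed after such maintenance.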

Those are some of the reasons Kaspersky has proclaimed TDL4 infections "The most destructive virus ever," and they estimate that some 4.5 million computers worldwide are currently infected by this type of virus. While there is no reliable way to confirm that number of infections, it seems like a reasonable number considering the spread of other successful viruses in the past.

Regardless of the actual number, it is clear that these rootkits represent a serious threat in today's computing environment. It is critical that IT Support professionals be aware of this malware and implement an effective methodology to deal with it.

Although removal of TDL4 malware can be challenging, it is fairly easy to determine whether a computer is infected by this class of virus. The behavior of TDL4 infections is similar to that of TDL3, showing the following symptoms:

  • Results of a Google search are redirected to unrelated sites
  • Trying to run Windows Updates manually fails, with an error code ending in ...0eff

As is the case with most malware, a Google search will reveal many solutions for this type of infection. And as is usually the case, these solutions range from worthless to incomplete, outdated, or outright scams. Some of the solutions offered will actually work, although they may be very tedious and time-consuming to implement.

The Virus Remediation Training includes detailed procedures and tools for removing TDL3 and TDL4 rootkit and bootkit infections, as well as traditional viruses, spyware, and rogue security programs such as Windows Recovery. As these threats evolve, the content of the workshop is continually updated to handle the latest variants.