The ‘indestructible’ botnet


Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#2 Post by Flash »

....The way in which the new version of TDL works hasn't changed so much as how it is spread: via affiliates. As before, affiliate programs offer a TDL distribution client that checks the version of the operating system on a victim machine and then downloads TDL-4 to the computer.

Affiliates receive between $20 and $200 for every 1,000 installations of TDL, depending on the location of the victim computer. Affiliates can use any installation method they choose. Most often, TDL is planted on adult content sites, bootleg websites, and video and file storage services.

The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other. The malware writers extended the program functionality, changed the algorithm used to encrypt the communication protocol between bots and the botnet command and control servers, and attempted to ensure they had access to infected computers even in cases where the botnet control centers are shut down. The owners of TDL are essentially trying to create an ‘indestructible’ botnet that is protected against attacks, competitors, and antivirus companies.....

....Despite the steps taken by cybercriminals to protect the command and control centers, knowing the protocol TDL-4 uses to communicate with servers makes it possible to create specially crafted requests and obtain statistics on the number of infected computers. Kaspersky Lab's analysis of the data identified three different MySQL databases located in Moldova, Lithuania, and the USA, all of which supported proxy servers used by the botnet.

According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.

Nearly one-third of all infected computers are in the United States. Going on the prices quoted by affiliate programs, this number of infected computers in the US is worth $250,000, a sum which presumably made its way to the creators of TDSS. Remarkably, there are no Russian users in the statistics. This may be explained by the fact that affiliate marketing programs do not offer payment for infecting computers located in Russia.
Why not Russia?

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: Sweden, Europe

#3 Post by nooby »

How can a curious person find out if his computer is affected?

Was it MS or some other big company, or who was it, that asked the European Union to set up some test so that the ISP would only allow a computer access if the owner could show that it was run with the prescribed antivirus and router settings and so on? A kind of certification of every computer before allowing it to run at all on the internet.

Would that stop the indestructible botnet?

Telling 4 million users to look for viruses on their computers is not easy.
They will not trust the warning or advice, thinking it is fake and that they got a spam message instead.
I use Google Search on Puppy Forum
not an ideal solution though

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#4 Post by dru5k1 »

nooby wrote: How can a curious person find out if his computer is affected?

You can use F-Prot or ClamAV (http://puppylinux.org/wikka/ClamAV), though these are mainly for USB drives and suspect downloaded files (that you'll be sharing to someone's Windows computer), and maybe Windows HDDs.

Don't bother with rkhunter or chkrootkit on Puppy, because they don't work.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: Sweden, Europe

#5 Post by nooby »

Yes, I tested one of these and they seem to give very many false positives.

I do have free antivirus on Windows but I never log in to Windows, so I guess they are a year old or something.

F-Prot: are they really known to have the latest malware detection?

I mean more like what happened to you. AFAIK none of those warned you.

What you noticed was a slowdown and then he told you about it.
Had he not revealed that he did it, would you still be wondering what the slowdown was about?

dru5k1
Posts: 72
Joined: Mon 12 Apr 2010, 01:15

#6 Post by dru5k1 »

No - I knew 'straight away' something was happening - Puppy works FAST and almost never slows down.

OK, so ClamAV can have false positives; well, F-Prot (in the puppy-lucid repo, in the Puppy package manager) is said to have fewer, so you can try that (I'm assuming you are using 5.25; some earlier versions of Puppy I think have an F-Prot auto-installer, so if the Puppy community decided that F-Prot was to be included it just may be better, right?).

On topic: good read. Sophisticated stuff.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: Sweden, Europe

#7 Post by nooby »

Thanks dru5k1, I am using Snow 5, which is based on many ideas but mainly on Lupu 513 I guess. But sure, I have 525 installed too, so I could test F-Prot on that one. Thanks for explaining how it works.
