In June 2011, the TDL4 botnet was made up of over 4.5 million infected computers. Because of the malware's advanced detection evasion techniques and its decentralized command-and-control infrastructure, security researchers from antivirus vendor Kaspersky Lab called it an "indestructible botnet" at the time.
The Damballa researchers obtained a memory snapshot from a computer infected with the new threat that revealed pieces of code and configuration strings similar to those found in TDL4. This further strengthened their suspicion that the new threat is a new variant of TDL4. However, a definitive conclusion couldn't be reached because they were not able to obtain an actual binary sample of the threat.
In fact, "no one in the security community has been able to produce binary samples for the discovery we announced today -- and many 'insiders' have been privy to this discovery for over 2 months," the Damballa researchers said Monday in a blog post.
"If no samples exist (and we have tried for over 2 months to find them) then there are no signatures to block the malware or to scan potentially infected victim machines -- and network-based malware analysis solutions have apparently missed it too," the researchers said.
"This appears to be a kernel level rootkit, attaches itself to iexplorer and it is very likely that the malware has MBR capabilities," Manos Antonakakis, director of academic sciences at Damballa, said Tuesday via email. "This would make it hard to detect for traditional AV. That would actually also explain the victim growth we observe for the sinkholing actions we made against a few of the DGA domain names."
However, Antonakakis agreed that it's possible that some antivirus products already detect this threat with a generic name based, for example, on behavioral criteria, and that researchers from those antivirus companies haven't yet analyzed those samples manually in order to find the connection to TDL4.
Kaspersky Lab researchers are currently looking into this case, but there is no information to share at this time, a Kaspersky Lab spokeswoman said Tuesday via email.