Sorry, but the TDL botnet is not 'indestructible'

Malware and alarmism over its proliferation are nothing new -- and the latest boot-sector rootkit will be cured soon enough

The sophistication of the TDL rootkit and the global expanse of its botnet have many observers worried about the antimalware industry's ability to respond. Clearly, the TDL malware family is designed to be difficult to detect and remove. Several respected security researchers have gone so far as to say that the TDL botnet, composed of millions of TDL-infected PCs, is "practically indestructible."

As a 24-year veteran of the malware wars, I can safely tell you that no threat has appeared that the antimalware industry and OS vendors did not successfully respond to. It may take months or years to kill off something, but eventually the good guys get it right.

This isn't the first time we're supposed to be scared of MBR (master boot record)-infecting malware. In 1987, well before the days of the Internet, the Stoned boot virus infected millions of PCs around the world. Subsequent "improvements" in hacking allowed malware authors to create DOS viruses that could manipulate the operating system to hide themselves from prying eyes. (Actually, the first IBM PC virus, Pakistani Brain, did this in 1986, too.) Computer viruses became encrypted and polymorphic, and they started taking data hostage.

With each ratcheting iteration of new malware offense, you had analysts and doomsayers predicting this or that particular malware program would be difficult to impossible to defend against. But each time the antimalware industry and other software vendors responded to defang the latest threat. Yesterday's indestructible virus became tomorrow's historical footnote.

Even today's malware masterpiece, Stuxnet -- as perfect as it is for its intended military job -- could be neutralized if it became superpopular. Luckily, military-grade worms are few and far between, so most users don't have to suffer while waiting for defenses to be developed.

The truth is, like every other malware family variant, TDL and its botnet will probably be around for years to exploit millions of additional PCs. But it didn't take an advanced superbot to do that. Take a look at any monthly WildList tally. It always contains malware programs written years ago.

Today, almost every malware program lives in perpetuity, dying off only when the exploited program or process dies with it. Boot viruses from the 1980s and 1990s didn't stop being a threat until floppy disks and disk drives went away. Macro viruses didn't die until people stopped writing macros and Microsoft Office disabled automacros by default.

No, what really bothers me are the malware programs that do something completely new, because it takes so much longer for antimalware programs, software vendors, and users to adapt to the new tactic. For instance, it took us years to teach folks not to open every file attachment in order to defeat email viruses and worms -- but it takes the bad guys only a few minutes to change strategies. Today, we need to tell folks not to click on the Internet link emailed to them by a trusted friend and not to install random applications sent to them on Facebook or through their mobile phone.

But our biggest threat is an MBR PC-infector? Been there, done that.

This article, "Sorry, but the TDL botnet is not 'indestructible'," was originally published at InfoWorld.


Copyright © 2011 IDG Communications, Inc.
