TDL-4 brings an array of improvements over TDL-3 and earlier versions of the rootkit, which is also known as Alureon or simply TDL. As previously reported, it can now infect 64-bit versions of Windows by bypassing the OS's kernel-mode code signing policy, which is designed to let kernel drivers load only when they have been digitally signed by a trusted source.
“The changes in TDL-4 affected practically all components of the malware and its activity on the web to some extent or other,” the Kaspersky researchers wrote in their report.
Like the Popureb trojan and the Torpig botnet (aka Sinowal and Anserin), it also infects the master boot record of a compromised PC's hard drive, so that its code runs before Windows itself is loaded and before any security software inside Windows gets a chance to inspect it.
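Because the MBR is read by the BIOS before any OS code runs, the practical check for this class of infection is to compare the first sector of the disk against a known-good copy. The following is an added example, not code from the article or from Kaspersky: a small parser for the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and a comparison routine that flags changed boot code or a changed partition table. The sample "clean" and "infected" sectors are constructed inline for the demonstration; the `read_mbr` helper and the `\\.\PhysicalDrive0` device path are the only real-system touchpoints and are assumptions about where you would read from.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: code the BIOS jumps into
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"      # bytes 510..511: boot signature
# entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw MBR sector into boot code and non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue  # unused entry
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": partitions}


def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition edits don't mask it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline: bytes) -> list:
    """Compare a freshly read MBR with a known-good copy; return human-readable findings."""
    findings = []
    current, known = parse_mbr(mbr), parse_mbr(baseline)
    if boot_code_digest(mbr) != boot_code_digest(baseline):
        findings.append("boot code differs from baseline (possible bootkit)")
    if current["partitions"] != known["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device (needs admin/root; path is an assumption)."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Construct a sample MBR for testing. Constructed data, not a real disk image."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    table = bytearray(4 * PART_ENTRY_LEN)
    for i, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, table, i * PART_ENTRY_LEN,
                         0x80 if active else 0x00, ptype, lba_start, sectors)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + bytes(table) + SIGNATURE


# Constructed samples: one NTFS partition (type 0x07) starting at LBA 2048.
PARTITIONS = [(True, 0x07, 2048, 2_000_000)]
# "Clean" boot code: the usual cli / xor ax,ax / mov ss,ax prologue, then padding.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", PARTITIONS)
# "Infected" boot code: same partition table, but the BIOS now lands somewhere else.
INFECTED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 20, PARTITIONS)


if __name__ == "__main__":
    print("clean vs baseline:", check_mbr(CLEAN_MBR, CLEAN_MBR))
    print("infected vs baseline:", check_mbr(INFECTED_MBR, CLEAN_MBR))
    # On a real Windows host you would call read_mbr(r"\\.\PhysicalDrive0") as admin
    # and compare against a baseline captured when the machine was known-good.
```

One caveat that applies directly to TDL-style rootkits: a kernel-resident component that filters disk I/O can hand a live reader the original sector while the real one on the platter is infected. Treat a clean result from inside the running OS as weak evidence, and take the baseline and the comparison read from boot media or from the disk attached to another machine.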
In the event of a takedown of the 60 or more command and control servers used to maintain the TDSS botnet (hard but not impossible, given the recent eradications of the Rustock and Coreflood botnets), infected TDSS machines can still receive instructions through a custom-built Kad client, that is, a client for the Kademlia-based peer-to-peer network used by eMule, which removes the single point of failure that a server takedown relies on.
The Kaspersky researchers were able to count TDL-4 infections by exploiting a flaw that exposed three of the botnet's MySQL databases, located in Moldova, Lithuania and the US. Remarkably, the data showed no Russian users, most likely because the affiliate programs, which pay from $20 to $200 for every 1,000 TDSS installations, do not reward installations on computers located in Russia.
http://www.theregister.co.uk/2011/06/29/tdss_alureon_advances/