The botnet also uses the public Kad P2P network for one of its two channels for communicating between infected PCs and the C&C servers, said Kaspersky. Previously, botnets that communicated via P2P used a closed network they had created.
By using a public network, the criminals ensure their botnet will survive any take-down effort.
"Any attempt to take down the regular C&Cs can effectively be circumvented by the TDL group by updating the list of C&Cs through the P2P network," said Schouwenberg. "The fact that TDL has two separate channels for communications will make any take-down very, very tough."
Kaspersky estimated that the TDL-4 botnet consists of more than 4.5 million infected Windows PCs.
TDL-4's rootkit, encryption and communication practices, as well as its ability to disable other malware, including the well-known Zeus, make the botnet extremely durable. "TDL is a business, and its goal is to stay on PCs as long as possible," said Stewart, citing the technologies that make the botnet nearly impossible to knock offline.
Stewart wasn't shocked that the TDL-4 botnet numbers millions of machines, saying that its durability contributed to its large size.
"The 4.5 million is not surprising at all," Stewart said. "It might not have as high an infection rate as other botnets, but its longevity means that as long as they can keep infecting computers and the discovery rate is small, they'll keep growing it."
Stewart pointed out that TDL-4's counterattacks against other malware were another reason it's so successful.
"That's so smart," he said, adding that disabling competing malware -- which likely is much easier to detect -- means it has an even better chance of remaining on the PC. If other threats cause suspicious behavior, the machine's owner may investigate, perhaps run additional security scans or install antivirus software.
TDL-4's makers use the botnet to plant additional malware on PCs, rent it out to others for that purpose and for distributed denial-of-service (DDoS) attacks, and to conduct spam and phishing campaigns. Kaspersky said TDL-4 has installed nearly 30 different malicious programs on the PCs it controls.
But it's able to remove any at will. "TDL-4 doesn't delete itself following installation of other malware," said Golovanov. "At any time [it] can ... delete malware it has downloaded."
This is one dangerous customer, Stewart concluded.
"For all intents and purposes, [TDL-4] is very tough to remove," Stewart said. "It's definitely one of the most sophisticated botnets out there."