Quite rightly, such notables as Paul Ducklin and our own Randy Abrams have poured scorn on the idea of the "indestructible botnet": indeed, Randy remarked:
"Calling the botnet indestructible is tantamount to calling the Internet unsustainable ... I suspect that, in time, we'll discover the 'T' in TDL stands for 'Titanic,' and a currently unseen iceberg will sink it."
I don’t think there’s such a thing as an indestructible botnet. TDSS is somewhat innovative. It's introduced new twists on old ideas like P2P networks and hiding malware - just as previous malware has used sectors marked as bad, slack space, or streams, TDL uses a hidden file system.
It's also very adaptive, and its use of Pay Per Install (PPI) business model rather like that used for distribution of browser toolbars via affiliates like DogmaMillions and GangstaBucks, as described in our article at http://resources.infosecinstitute.com/tdss4-part-1/, has been very effective - and so has ruthlessly eliminating some of the competition. But there is no indestructible malware. Rather, it's a war of attrition - threat, counterthreat, counter-counterthreat.... In the long run, though, the security community has one big advantage: it isn't also hiding from the law, and in fact, we sometimes cooperate very closely with law enforcement and other agencies.
The update of our comprehensive paper on TDL4 and its earlier incarnations has just become available on the ESET white papers page if you care to read more about how it really works.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow