TDSS aka TDL is a professionally written toolkit designed for profit. To infect as many computers with TDSS as possible, the authors of TDSS/TDL pay affiliates anywhere from $20 to $200 per 1,000 bot-infected PCs (based on analysis performed by Kaspersky). The author(s) of TDSS then make their money by leasing the TDSS-infected computers (bots) to others.
The core functionality of TDSS / TDL is its ability to effectively hide itself on victim computers in order to maintain continuous control. This includes the ability to hide registry keys, files, and ports, and its ability to inject code into critical system processes and memory. More recent versions of TDL-4 infect the Master Boot Record (MBR) thus enabling the malware to gain control of the system at bootup.
In addition, more recent versions of TDL-4 include the ability to propagate via autorun (i.e. removable media such as USB / Flash drives; to prevent, see "How to Disable Autorun"), and via a form of ARP poisoning in which the infected machine races the legitimate DHCP server in order to declare itself the DHCP server on the network segment. This latter method can be avoided via a method known as DHCP Snooping.
If the TDL-infected machine is able to declare itself the DHCP server, other networked computers will be handed a malicious IP address in place of the legitimate DNS server address. Attempts to access the Web will then result in a 404 error and the display of a specially configured 404 page which erroneously claims:
The page does not support your version of broswer.
Please update your software
Clicking the "Browser update" button downloads the TDL malware which, if opened, spreads the TDSS / TDL infection to the new machine. The newly bot-infected PC then also drops the autorun infectors to any removable media and also attempts to spoof the DHCP server, thus furthering the propagation potential across the network.
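The rogue-DHCP step described above can be caught on the wire by checking who is answering DHCP requests and which DNS server address they hand out. The following Python is an added example, not code from the original article or from Kaspersky; it assumes a constructed allowlist (192.0.2.1 as the DHCP server, 192.0.2.53 as DNS) and builds a constructed OFFER payload to check, inspecting DHCP options 53, 54 and 6.

```python
# Added example (not from the article): flag DHCP OFFERs from unexpected servers
# or carrying an unexpected DNS server, the symptom the article describes.
from ipaddress import IPv4Address

# Assumed allowlist for this network segment (constructed values, not from the article).
TRUSTED_DHCP_SERVERS = {"192.0.2.1"}
TRUSTED_DNS_SERVERS = {"192.0.2.53"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 marker that precedes the options field


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the RFC 2132 option TLVs that follow the magic cookie in a DHCP payload."""
    pos = payload.find(MAGIC_COOKIE)
    if pos < 0:
        return {}
    idx, opts = pos + 4, {}
    while idx < len(payload):
        code = payload[idx]
        if code == 0:        # pad octet, no length byte
            idx += 1
            continue
        if code == 255:      # end option
            break
        length = payload[idx + 1]
        opts[code] = payload[idx + 2:idx + 2 + length]
        idx += 2 + length
    return opts


def check_offer(payload: bytes) -> list:
    """Return findings for a DHCP OFFER; an empty list means nothing looked rogue."""
    opts = parse_dhcp_options(payload)
    if opts.get(53) != b"\x02":   # option 53 message type: 2 = DHCPOFFER
        return []
    findings = []
    server = str(IPv4Address(opts.get(54, b"\0\0\0\0")))  # option 54: server identifier
    if server not in TRUSTED_DHCP_SERVERS:
        findings.append(f"DHCP OFFER from untrusted server {server}")
    dns_raw = opts.get(6, b"")                            # option 6: DNS server list
    for i in range(0, len(dns_raw) - 3, 4):
        dns = str(IPv4Address(dns_raw[i:i + 4]))
        if dns not in TRUSTED_DNS_SERVERS:
            findings.append(f"server {server} handed out unexpected DNS server {dns}")
    return findings


def build_offer(server: str, dns: str) -> bytes:
    """Construct a minimal DHCP OFFER payload for testing (BOOTP header zeroed)."""
    opts = (b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server).packed
            + b"\x06\x04" + IPv4Address(dns).packed + b"\xff")
    return bytes(236) + MAGIC_COOKIE + opts
```

In practice the payloads would come from a capture of UDP port 67/68 traffic on the segment; any non-empty finding is worth correlating with the switch's DHCP snooping binding table.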
Beyond infecting, hiding, and propagating, TDSS / TDL infected computers are then leased to other attackers who may have any number of intentions. This could include downloading other malware, using the infected computers for spam relay, turning the infected machines into anonymous proxies to enable other illicit actors to surf the Web disguised by your IP, etc.
In addition, TDL-4 includes the ability to remove other malware, which not only enables the TDSS attackers to avoid competition from other malware actors, but also further reduces the likelihood of the machine being cleaned due to the presence of some other infection.
TDL-4 also includes the ability to communicate via the Kad P2P file sharing network. Within Kad, all computers serve as both client and server. A nodes.dat file is used to determine the topology of the network. In theory, the TDL attackers could manipulate the nodes.dat file to segregate the TDSS / TDL infected bots from other computers on the Kad P2P network.
Obviously command and control via the Kad P2P network also makes it more efficient for downloading other malware onto the TDL bot infected PCs. It also means the TDL bot infected computers could serve as unwitting hosts to illicit files, including malware binaries, illegal content such as child pornography or copyright-protected music and movies, or serve as hosts for stolen information such as databases containing stolen usernames and passwords, etc.
The distributed nature of the Kad P2P network also makes it easier to maintain command & control as there is no centralized server to be shut down. The combination of sophisticated techniques used by TDSS / TDL enables the attackers to create and manage a botnet that - while not indestructible per se - is certainly very difficult to dismantle.
Detection and Removal
TDSS / TDL has many built-in mechanisms to avoid detection and prevent removal. Chances are that your installed antivirus software may not detect or fully remove the threat. To detect and remove the TDSS / TDL malware, use the free Kaspersky TDSSKiller.
More Information:
For a complete description of TDSS and its many renditions, you're encouraged to read the following Kaspersky Labs analyses and blog posts:
