From the rootkit source sale, another called ZeroAccess allegedly rose, with added ClickFraud modules. A second ZeroAccess rootkit also added the ability to target and remove the TDL 3 rootkit using a specific module called anti-TDL.
"The original author of the TDL3 rootkit made two versions of TDL3. He kept the second version of the rootkit code for himself and sold the first version to the guys behind ZeroAccess," Jacques Erasmus of Webroot told The Register.
"TDL3 Authors sold a version of TDL3 sourcecode to ZeroAccess authors. Now ZeroAccess guys are double crossing the TDL3 author by uninstalling the TDL rootkit."
Such measures are becoming more common. TDL-4, which received considerable media attention recently, has the built in ability to remove a host of rival malware, such as ZeuS.