TDL3 and ZeroAccess: More of the same?

This is going to be an interesting read

http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/

 

This seems possible.

 

If they're from the same team, then why do they kill each other?

 

Perhaps because TDL3 rootkits are being detected more and more but ZeroAccess not so much yet?
Then if an AV/AM would start warning over a TDL3 infection, users might full-format and remove ZeroAccess also?

 

Yes, that is why they remove each other. But you'd think that if they were the same team they'd find another solution. Perhaps not.

 

Rereading Marco Giuliani's article forces me to reconsider my notion of removal because of possible detection;

'...One of the downloaded plugins, called desktop.ini, dropped by the module driver called @800000c0, has an embedded anti-TDL specific routine, able to detect if the system is already infected by the TDL rootkit and, if it’s the case, the routine is going to disable it.

As malware analysts may recall, the TDL rootkit is comprised of two parts — the kernel mode driver which hides the rootkit on the disk, and the cmd.dll plugin. The latter part is the user mode part that is being injected inside the user mode processes. It acts as an ad-clicker and a fundamental bridge to the command and control server listed in the cfg.ini rootkit file.

Now, ZeroAccess’s search engine hijacker plugin is able to scan the virtual memory of the process where it resides, looking for TDL’s cmd.dll traces and, if found, automatically recovering the hidden disk path to it and overwriting its code with trash bytes along with the cfg.ini’s TDL configuration file. At the next start-up, the TDL rootkit is still active in kernel mode. However, its payload has been totally disabled, rendering it useless.'

If only the user-land payload is killed, detection of the rootkit isn't prevented.
So what's left? A PC park, infected with ZeroAccess and a useless rootkit that won't deliver a payload, and thus won't make any money anymore, and which can't be updated anymore?
The most logical, imho, seems a financial motive; to stop others making money. Did the original crew behind this variant sell it before starting with ZeroAccess? Perhaps a financial dispute there?
Any dispute with the 'ad-click paying party' would result in a simple C&C server update, right?
Nvm, I'll stop speculating, back to square one; I don't really get it.