TDL4, also known as TDSS in some circles, is a Root Kit that targets the MBR (Master Boot Record) and is nearly impossible to remove. At one point, it was responsible for a botnet with more than 4 million hosts, earning the title of indestructible. Now, researchers at Damballa have discovered a new iteration of TDSS, which uses a new command and control (C&C) communication method that is helping it push a new click-fraud initiative.
To date, the latest variant of TDL4 uses a new DGA (domain generation algorithm) to communicate with its C&C servers. Tracking and research started in July, and after months of work, Damballa has released a report on their findings.
In the report, Damballa notes that since May of 2012, the new variant has already compromised at least 250,000 hosts, with victims including government agencies, 46 companies within the Fortune 500, and ISPs. Yet, that number may be too low the report notes, as the newest variant is adding more compromised hosts to its collection daily.
Moreover, there are 85 C&C servers available for TDL4 usage, with Russia, Romania, and the Netherlands accounting for the majority of the locations. Most of the compromised systems reside in the U.S., followed by Germany, Great Britain, Canada, and France. So far, there is little to no anti-virus detection for the variant.
The C&C traffic captured by the sinkhole used to track TDL4’s latest release also revealed new details of a click-fraud campaign, utilizing DGA-based C&C to report on successful click-fraud activity, the report notes. Among the top hijacked domains in the click-fraud initiative are Facebook.com, YouTube.com, Google.com, MSN.com, Yahoo.com, and DoubleClick.net.
"As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams," stated Dr. Manos Antonakakis, director of academic sciences for Damballa.
“By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic. With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover.”
The full report is available here.