SecurityWeek

New TDL4 Variant Discovered – 250,000 Systems Infected So Far

TDL4, also known as TDSS in some circles, is a rootkit that targets the MBR (Master Boot Record) and is nearly impossible to remove. At one point, it was responsible for a botnet with more than 4 million hosts, earning the title of indestructible. Now, researchers at Damballa have discovered a new iteration of TDSS, which uses a new command and control (C&C) communication method that is helping it push a new click-fraud initiative.

[Image: TDL4 / TDSS Malware Variant]

To date, the latest variant of TDL4 uses a new DGA (domain generation algorithm) to communicate with its C&C servers. Tracking and research started in July, and after months of work, Damballa has released a report on their findings.

In the report, Damballa notes that since May of 2012, the new variant has already compromised at least 250,000 hosts, with victims including government agencies, 46 companies within the Fortune 500, and ISPs. Yet that number may be too low, the report notes, as the newest variant is adding more compromised hosts to its collection daily.

Moreover, there are 85 C&C servers available for TDL4 usage, with Russia, Romania, and the Netherlands accounting for the majority of the locations. Most of the compromised systems reside in the U.S., followed by Germany, Great Britain, Canada, and France. So far, there is little to no anti-virus detection for the variant.

The C&C traffic captured by the sinkhole used to track TDL4’s latest release also revealed new details of a click-fraud campaign, utilizing DGA-based C&C to report on successful click-fraud activity, the report notes. Among the top hijacked domains in the click-fraud initiative are Facebook.com, YouTube.com, Google.com, MSN.com, Yahoo.com, and DoubleClick.net.
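The two paragraphs above describe the defensive side of this story: a sinkhole watching DGA-based C&C lookups, and incident responders needing to spot hosts that resolve algorithmically generated names. The following is an added example, not code from the article or from Damballa's report, showing the kind of heuristic a responder can run over resolver logs to surface such hosts. The log format, the sample lines, the scoring thresholds and the helper names are all constructed assumptions; the script does not reproduce TDL4's actual generation algorithm, which the article does not describe, and it scores only the second-level label without a public-suffix list.

```python
"""Heuristic scoring of DNS query logs for DGA-like domains.

Added example (not from the SecurityWeek article or Damballa's report):
a defender-side check that flags domains whose registered label looks
algorithmically generated. Sample log lines and thresholds are constructed
for illustration; nothing here reproduces the real TDL4/TDSS DGA.
"""
import math
import re
from collections import Counter

VOWELS = set("aeiou")

# Constructed sample resolver log (assumed format:
# "<timestamp> <client_ip> <queried_name>").
SAMPLE_DNS_LOG = """\
2012-09-01T10:00:01Z 10.0.0.5 www.facebook.com
2012-09-01T10:00:02Z 10.0.0.5 kx7qzv2pmw9lbtr.com
2012-09-01T10:00:03Z 10.0.0.7 mail.google.com
2012-09-01T10:00:04Z 10.0.0.5 qwrtzplmnb4x.net
2012-09-01T10:00:05Z 10.0.0.9 cdn.doubleclick.net
2012-09-01T10:00:06Z 10.0.0.5 zxcvbq9w8ptlmnrk.info
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string (0.0 for empty)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(fqdn: str) -> str:
    """Second-level label, e.g. 'facebook' for www.facebook.com.

    Assumes a single-label public suffix; a real deployment would
    consult the public-suffix list instead.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(fqdn: str) -> float:
    """Return a 0..1 score; higher looks more algorithmically generated.

    Three weak signals are combined so that a single odd property (a
    legitimate but high-entropy brand name) does not trip the alert:
    character entropy, low vowel ratio, and long consonant runs.
    Thresholds are constructed for this example.
    """
    label = registered_label(fqdn)
    if len(label) < 6:
        return 0.0
    ent = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    runs = re.findall(r"[^aeiou0-9]+", label)
    longest_consonant_run = max((len(r) for r in runs), default=0)
    score = 0.0
    if ent > 3.0:
        score += 0.4
    if vowel_ratio < 0.25:
        score += 0.3
    if longest_consonant_run >= 5:
        score += 0.3
    return round(score, 2)


def flag_suspicious(log_text: str, threshold: float = 0.6) -> list:
    """Parse log lines; return (client_ip, fqdn, score) at or above threshold."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, fqdn = fields
        s = dga_score(fqdn)
        if s >= threshold:
            hits.append((client, fqdn, s))
    return hits


def clients_by_hit_count(log_text: str, threshold: float = 0.6) -> dict:
    """Count flagged lookups per client.

    Repeated hits from one host, rather than a single odd name, are the
    signal an incident responder would escalate for a disk-level check.
    """
    counts = Counter(client for client, _, _ in flag_suspicious(log_text, threshold))
    return dict(counts)


if __name__ == "__main__":
    for client, fqdn, score in flag_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} {fqdn} score={score}")
    print(clients_by_hit_count(SAMPLE_DNS_LOG))
```

On the constructed sample, `cdn.doubleclick.net` scores 0.4 on entropy alone and stays below the threshold, while the three random-looking names all come from the same client, which is the pattern worth escalating; a host flagged this way and still clean on a file-level scan is exactly the MBR-level infection the article warns about.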

“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” stated Dr. Manos Antonakakis, director of academic sciences for Damballa.

“By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic. With its known ability to act as a launch pad for other malware, and TDSS’ history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover.”

The full report is available here.
