SecurityWeek

Cybercrime

New TDL4 Variant Discovered – 250,000 Systems Infected So Far

TDL4, also known as TDSS in some circles, is a Root Kit that targets the MBR (Master Boot Record) and is nearly impossible to remove. At one point, it was responsible for a botnet with more than 4 million hosts, earning the title of indestructible. Now, researchers at Damballa have discovered a new iteration of TDSS, which uses a new command and control (C&C) communication method that is helping it push a new click-fraud initiative.

The latest variant of TDL4 uses a new DGA (domain generation algorithm) to communicate with its C&C servers. Tracking and research started in July, and after months of work, Damballa has released a report on its findings.

In the report, Damballa notes that since May of 2012, the new variant has already compromised at least 250,000 hosts, with victims including government agencies, 46 companies within the Fortune 500, and ISPs. Yet that number may be too low, the report notes, as the newest variant is adding more compromised hosts to its collection daily.

Moreover, there are 85 C&C servers available for TDL4 usage, with Russia, Romania, and the Netherlands accounting for the majority of the locations. Most of the compromised systems reside in the U.S., followed by Germany, Great Britain, Canada, and France. So far, there is little to no anti-virus detection for the variant.

The C&C traffic captured by the sinkhole used to track TDL4’s latest release also revealed new details of a click-fraud campaign, utilizing DGA-based C&C to report on successful click-fraud activity, the report notes. Among the top hijacked domains in the click-fraud initiative are Facebook.com, YouTube.com, Google.com, MSN.com, Yahoo.com, and DoubleClick.net.
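The article describes two defensive ideas: a DGA produces a stream of algorithmically generated domain names, most of which never resolve, and a sinkhole captures the ones that do. The script below is an added example (not Damballa's code and not a reimplementation of TDL4's actual algorithm) showing how a detection engineer can surface both signals from a DNS query log. The log lines are constructed for this example, and the scoring weights, caps and thresholds are assumptions rather than a published model.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log: "<client> <query name> <rcode>" per line.
# The names are made up for this example and are not TDL4 domains.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3q9zv1b7lpwdf.com NXDOMAIN
10.0.0.7 q8wz2ndl4vjp0kx.net NXDOMAIN
10.0.0.7 mv7bq1lz9tkxe3c.com NXDOMAIN
10.0.0.7 lp0xz4vq2kwm8nb.info NXDOMAIN
10.0.0.7 b9kq3zwx7nlvd2p.com NOERROR
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 static.example.org NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)\s*$")


def parse_dns_log(text):
    """Yield (client, qname, rcode) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip("."), m.group(3)


def registrable_label(qname):
    """Label left of the TLD (naive: second-to-last label). A real deployment
    would consult the Public Suffix List so 'example.co.uk' yields 'example'."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(label):
    """Heuristic 0..1 'looks machine-generated' score for one domain label.
    Combines high character entropy, a low vowel ratio and a high digit ratio;
    the weights and caps are assumptions for this example, not a published model."""
    if not label:
        return 0.0
    n = len(label)
    entropy_term = min(shannon_entropy(label) / 4.0, 1.0)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    vowel_term = 1.0 - min(vowel_ratio / 0.4, 1.0)
    digit_term = min(sum(ch.isdigit() for ch in label) / n / 0.3, 1.0)
    return 0.5 * entropy_term + 0.3 * vowel_term + 0.2 * digit_term


def suspicious_hosts(log_text, score_threshold=0.6, min_nxdomain=3):
    """Return {client: {"nxdomain": [...], "resolved": [...]}} for clients that
    made at least `min_nxdomain` failed lookups of DGA-looking names. Names that
    resolved are listed too: a resolving name is the one a sinkhole can capture."""
    per_host = defaultdict(lambda: {"nxdomain": [], "resolved": []})
    for client, qname, rcode in parse_dns_log(log_text):
        if dga_score(registrable_label(qname)) < score_threshold:
            continue
        bucket = "nxdomain" if rcode == "NXDOMAIN" else "resolved"
        per_host[client][bucket].append(qname)
    return {h: v for h, v in per_host.items() if len(v["nxdomain"]) >= min_nxdomain}


if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(hits['nxdomain'])} failed DGA-like lookups, "
              f"resolved: {hits['resolved']}")
```

The per-host NXDOMAIN count matters more than any single domain's score: a legitimate CDN or tracking name can occasionally look random, but a client that fails several random-looking lookups in a row and then succeeds on one is the pattern a sinkhole operator is looking for, and the resolved name is the candidate to hand to the sinkhole or block list.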

“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” stated Dr. Manos Antonakakis, director of academic sciences for Damballa.

“By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic. With its known ability to act as a launch pad for other malware, and TDSS’ history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover.”

The full report is available here.
