Over 250,000 unique victims have already been identified

Sep 19, 2012 06:57 GMT  ·  By

TDL4 or TDSS, the malware famous for infecting the master boot records of over 4.5 million computers at its peak, has been spotted once again. Experts say that the new variant relies on domain generation algorithm (DGA)-based communications for its command and control (C&C) server.

DGA communications are integrated into malware because they allow the malicious software to evade static reputation systems, signature filters and blacklists. The technology also helps cybercriminals hide the C&C infrastructure.

Although TDL4 is adept at hiding its tracks, researchers from Damballa were able to identify it with the aid of Pleiades, a technology that detects and classifies threats based on DGA activity observed in a network.
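The article does not describe how Pleiades works internally, so the following is an added illustration written for this page, not Damballa's code and not derived from TDL4's actual algorithm. It shows the general shape of DGA-activity detection on the network side: DGA-infected hosts query many algorithmically generated names, most of which do not resolve, so a resolver log shows a burst of NXDOMAIN answers for high-entropy, consonant-heavy labels from a single client. The log format, the thresholds and every IP address and domain in it are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (hypothetical format):
# "<client_ip> <queried_name> <rcode>". Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 qkxzvbwtrpl.com NXDOMAIN
10.0.0.9 mzpqtrvlxwka.net NXDOMAIN
10.0.0.9 hgbtqwzxplmv.com NXDOMAIN
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 trzxvqkplmwb.com NXDOMAIN
10.0.0.9 pwvlxqzmkrtb.org NXDOMAIN
10.0.0.9 xqvztrwkplmn.com NXDOMAIN
10.0.0.7 news.example.com NOERROR
10.0.0.7 typo-exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Assumed thresholds; a production system would tune these against
# known-good traffic rather than hard-code them.
MIN_ENTROPY = 3.0
MAX_VOWEL_RATIO = 0.2
MIN_LABEL_LEN = 8


def parse_log(text):
    """Return (client, name, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(name):
    """The label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in "aeiou" for c in letters) / len(letters)


def looks_generated(label):
    """Heuristic: long, high-entropy and nearly vowel-free labels are DGA-like.
    Entropy alone is not enough: a typo of a real word ('typo-exmaple') is
    also high-entropy, so the vowel ratio keeps it out."""
    return (len(label) >= MIN_LABEL_LEN
            and shannon_entropy(label) >= MIN_ENTROPY
            and vowel_ratio(label) <= MAX_VOWEL_RATIO)


def suspicious_clients(text, min_hits=3):
    """Map client -> count of NXDOMAIN answers for DGA-like names,
    keeping only clients at or above min_hits."""
    hits = defaultdict(int)
    for client, name, rcode in parse_log(text):
        if rcode == "NXDOMAIN" and looks_generated(second_level_label(name)):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} NXDOMAIN answers for DGA-like names")
```

Flagged clients are candidates for host-level investigation, and the generated names they queried are the input to a sinkhole registration like the one the article describes: once a defender controls a domain the algorithm will produce, infected hosts connect to the sinkhole and can be counted.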

Researchers have found that the malware has already infected at least 250,000 unique victims, 46 of which are said to be Fortune 500 organizations.

TDL4 has a fairly large number of C&C servers: experts located 26 in Russia, 15 in Romania and 12 in the Netherlands, with a few in other countries as well, for a total of 86 servers. The number of domains is also noteworthy, with 418 unique ones identified.

Another important discovery is that the traffic captured by the sinkhole set up by Damballa unveiled the details of a click-fraud operation which exploits domains such as facebook.com, youtube.com, msn.com, google.com and doubleclick.net.

“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” said Dr. Manos Antonakakis, director of academic sciences for Damballa.

“By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic,” he added.