Believed to have re-emerged in May of 2012, the "indestructible botnet" known as TDSS/TDL4 appears to be managing multiple versions of the malware across more than 250,000 infected victims worldwide. Damballa discovered that victims include 46 of the Fortune 500 companies, government agencies and ISP networks. A total of 85 C&C servers and 418 unique domains were identified as being related to the threat, with the top three hosting countries being Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).
TDSS/TDL4 infects the master boot record, which lets it survive the remediation steps that best practice normally prescribes.
“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” said Manos Antonakakis, director of academic sciences for Damballa. “By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic.”
As with Murofet, Sinowal and the recent Mac-based Flashback malware, TDL4 uses DGA communications techniques to evade detection by blacklists, signature filters and static reputation systems, and to hide its C&C infrastructure. DGAs are also referred to as a form of Domain Fluxing, Damballa noted.
“With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover,” said Antonakakis. “The day is rapidly approaching where the desire to discover actual malware will be eclipsed by the need to automatically detect network behavior indicative of malware infections. Rapid discovery of infected victims is the key to limiting the consequences of the breach and preventing data theft.”
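The two passages above describe the problem from both sides: DGA-generated domains slip past static blacklists, and Antonakakis argues that the answer is to detect the network behaviour of an infection rather than the malware itself. As an added illustration (not code from the article, from Damballa, or from its report), the Python below applies two common DGA heuristics to a DNS query log: a per-name check for random-looking labels (high character entropy, heavy digit use or few vowels) and a per-client check for bursts of NXDOMAIN answers, which a DGA bot produces when it walks its candidate list until one name resolves. The log format, the client addresses and every domain in the sample are constructed for this example and are not TDL4 indicators; the thresholds are assumptions to be tuned against real traffic.

```python
"""DGA-style domain detection heuristics.

Added example, not Damballa's or the report's method. Assumed log format
(constructed): '<timestamp> <client_ip> <qname> <rcode>' per line.
"""
import math
from collections import Counter, defaultdict

# Constructed sample: two clients doing normal lookups, plus one client
# emitting a burst of random-looking names that mostly do not resolve.
# None of these domains or addresses are real indicators.
SAMPLE_LOG = """\
2012-07-10T10:00:01 10.0.0.5 www.example.com NOERROR
2012-07-10T10:00:02 10.0.0.5 mail.example.org NOERROR
2012-07-10T10:00:03 10.0.0.9 xk3jq9vlmz2p.com NXDOMAIN
2012-07-10T10:00:03 10.0.0.9 q8zr1t7nbw4k.net NXDOMAIN
2012-07-10T10:00:04 10.0.0.9 m2vp0d8sjy6x.com NXDOMAIN
2012-07-10T10:00:04 10.0.0.9 hr7c4wnz1qk9.biz NXDOMAIN
2012-07-10T10:00:05 10.0.0.9 l5tg2bvx8mw0.com NOERROR
2012-07-10T10:00:06 10.0.0.5 cdn.example.net NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the label; random labels score near log2(len)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname: str) -> str:
    """Label directly left of the TLD. Naive on purpose: a real deployment
    should use the public suffix list so 'foo.co.uk' yields 'foo'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Per-name heuristic: long, high-entropy label with many digits or few vowels.
    Thresholds are assumptions for illustration, not published values."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (digit_ratio >= 0.2 or vowel_ratio <= 0.2)


def parse_log(text: str) -> list:
    """Split the assumed four-field log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def score_clients(records: list, nx_threshold: int = 3) -> dict:
    """Per-client heuristic: a host that asks for several generated-looking
    names and gets NXDOMAIN for most of them resembles a DGA bot probing its
    candidate list. Any generated-looking name that DID resolve is recorded,
    since that is the rendezvous domain an analyst would want to examine."""
    generated = defaultdict(int)
    nxdomain = defaultdict(int)
    resolved = defaultdict(list)
    for r in records:
        if not looks_generated(r["qname"]):
            continue
        generated[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nxdomain[r["client"]] += 1
        else:
            resolved[r["client"]].append(r["qname"])
    suspects = {}
    for client, count in generated.items():
        if nxdomain[client] >= nx_threshold:
            suspects[client] = {
                "generated_lookups": count,
                "nxdomain": nxdomain[client],
                "resolved": resolved[client],
            }
    return suspects


if __name__ == "__main__":
    for client, summary in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, summary)
```

The per-name check alone produces false positives on CDN hostnames and hashed labels, which is why the per-client NXDOMAIN count is the part that actually raises the alert: legitimate hosts rarely fail several lookups of random-looking names within seconds. Domains that resolve inside such a burst deserve a look before anything else, because they are the names the infection is actually using.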
Damballa has released a sixteen-page research report detailing the technical analysis that led to the discovery, as well as new details related to the TDSS/TDL4 C&C infrastructure, and evidence of a sophisticated click-fraud campaign using DGA-based C&C to report back on successful click-fraud activity.
The top hijacked domains exploited by the click-fraud threat are: facebook.com; doubleclick.net; youtube.com; yahoo.com; msn.com; and google.com, the company said.