New TDL4 malware variant infects ISPs, Fortune 500 companies, gov't agencies
Damballa researchers believe a new variant of the sophisticated TDL4 bootkit affected over 250,000 victims in the past few months
By Lucian Constantin | Published: 10:54, 19 September 2012
Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.
On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA).
Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.
DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.
Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.
New malware part of click-fraud operation
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites, including facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com, when they are opened on infected computers.
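As an added illustration (not code from the Damballa/GTISC research, and not TDL4's real algorithm), the Python below shows both sides of what the article describes: a constructed date-seeded DGA whose upcoming names a defender who knows the algorithm can compute in advance to sinkhole or blocklist, and a detector that flags clients producing bursts of NXDOMAIN answers for random-looking names in constructed resolver log lines. The seed, thresholds, log format and addresses are assumptions.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

DETECTION_DAY = date(2012, 7, 8)  # day the article says the NXDOMAIN pattern appeared

def toy_dga(day: date, count: int = 5, seed: str = "example-seed") -> list[str]:
    """Constructed toy DGA (not TDL4's): `count` date-derived .com names, reproducible by anyone holding algorithm and seed."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])  # hex -> letters
        names.append(label + ".com")
    return names

def sinkhole_candidates(start: date, days: int) -> list[str]:
    """Names a defender would sinkhole or blocklist for the coming days."""
    return [d for n in range(days) for d in toy_dga(start + timedelta(days=n))]

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def count_suspicious(lines, min_entropy: float = 3.0) -> Counter:
    """Per-client NXDOMAIN count for random-looking second-level labels; constructed line format: '<ts> <client> <qname> <rcode>'."""
    hits = Counter()
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] != "NXDOMAIN":
            continue
        labels = parts[2].rstrip(".").split(".")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if label_entropy(sld) >= min_entropy:
            hits[parts[1]] += 1
    return hits

def flag_dga_hosts(lines, min_nx: int = 4, min_entropy: float = 3.0) -> list[str]:
    """Clients whose run of random-looking NXDOMAIN lookups reaches min_nx."""
    return sorted(h for h, c in count_suspicious(lines, min_entropy).items() if c >= min_nx)

# Constructed resolver log: 10.1.1.5 cycles through DGA-style names; 10.1.1.9 only mistyped one.
LOG = """\
2012-07-08T10:00:01 10.1.1.5 xkqzvbtrpmwe.com NXDOMAIN
2012-07-08T10:00:02 10.1.1.5 qwplmzvkrtyb.com NXDOMAIN
2012-07-08T10:00:03 10.1.1.5 bnvcxmklpoiu.com NXDOMAIN
2012-07-08T10:00:04 10.1.1.5 asdfghjklqwe.com NXDOMAIN
2012-07-08T10:00:05 10.1.1.5 www.google.com NOERROR
2012-07-08T10:00:06 10.1.1.9 facebok.com NXDOMAIN
"""
```

The entropy cut-off is a heuristic: a mistyped real name such as facebok.com stays below it, while a long unusual word could cross it, so the per-client burst count is what carries the detection.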
An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals - without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits - boot rootkits - because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.
In June 2011, the TDL4 botnet was made up of over 4.5 million infected computers. Because of the malware's advanced detection evasion techniques and its decentralised command and control infrastructure, security researchers from antivirus vendor Kaspersky Lab called it an "indestructible botnet" at the time.
Kernel-level rootkit with MBR capabilities
The Damballa researchers obtained a memory snapshot from a computer infected with the new threat that revealed pieces of code and configuration strings similar to those found in TDL4. This further strengthened their belief that the new threat is a new variant of TDL4. However, a definitive conclusion couldn't be reached because they were not able to obtain an actual binary sample of the threat.
In fact, "no one in the security community has been able to produce binary samples for the discovery we announced today - and many 'insiders' have been privy to this discovery for over 2 months," the Damballa researchers said Monday in a blog post.
"If no samples exist (and we have tried for over 2 months to find them) then there are no signatures to block the malware or to scan potentially infected victim machines - and network-based malware analysis solutions have apparently missed it too," the researchers said.
"This appears to be a kernel-level rootkit, attaches itself to iexplorer and it is very likely that the malware has MBR capabilities," Manos Antonakakis, director of academic sciences at Damballa, said Tuesday via email. "This would make it hard to detect for traditional AV. That would actually also explain the victim growth we observe for the sinkholing actions we made against a few of the DGA domain names."
However, Antonakakis agreed that it's possible that some antivirus products already detect this threat with a generic name based, for example, on behavioral criteria, and that researchers from those antivirus companies haven't yet analyzed those samples manually in order to find the connection to TDL4.
Kaspersky Lab researchers are currently looking into this case, but there is no information to share at this time, a Kaspersky Lab spokeswoman said Tuesday via email.