Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies, and ISPs, the Damballa researchers said in a research paper released Monday.
On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA).
Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.
DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.
Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites, including facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com, when they are opened on infected computers.
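The two mechanisms described above, a date-seeded DGA and the NXDOMAIN pattern it leaves in resolver logs, are easiest to see with a small worked example. The following Python is an added illustration, not code from Damballa, GTISC or the TDL4/DGAv14 family: `toy_dga` is a hypothetical SHA-256-based generator (the real algorithm is not described in the article), the resolver log lines are constructed, and the two detection helpers show what a defender does with such traffic: flag clients whose queries are dominated by distinct NXDOMAIN responses, and, once the algorithm is known, match queried names against the pre-computed list so that the right names can be registered as sinkholes ahead of the attackers.

```python
"""Toy DGA plus NXDOMAIN-burst detection over constructed resolver log lines."""
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ("com", "net", "info")


def toy_dga(seed_day: date, count: int = 8, length: int = 12) -> list[str]:
    """Hypothetical date-seeded DGA (illustration only, not DGAv14/TDL4's).
    Each label is derived from SHA-256 of the date and an index, so anyone
    who knows the scheme can pre-compute the same list for any future day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:length])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


SEED_DAY = date(2012, 7, 8)
PREDICTED = toy_dga(SEED_DAY)

# Constructed resolver log lines, "<time> <client> <qname> <rcode>".
# Client 10.0.0.7 plays an infected host: it walks the day's DGA list,
# most of which nobody registered (NXDOMAIN), until it hits a live name.
SAMPLE_LOG = [
    "2012-07-08T10:00:01 10.0.0.5 www.example.com NOERROR",
    "2012-07-08T10:00:02 10.0.0.5 mail.example.com NOERROR",
    "2012-07-08T10:00:03 10.0.0.5 typo-exmaple.com NXDOMAIN",
] + [
    f"2012-07-08T10:00:{10 + i:02d} 10.0.0.7 {name} NXDOMAIN"
    for i, name in enumerate(PREDICTED[:6])
] + [
    f"2012-07-08T10:00:20 10.0.0.7 {PREDICTED[6]} NOERROR",
]


def parse_line(line: str) -> tuple[str, str, str, str]:
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def nxdomain_suspects(lines, min_nx: int = 5, min_ratio: float = 0.5) -> dict:
    """Per client: number of distinct NXDOMAIN names and their share of all
    queries. A client is flagged only when both exceed the thresholds, so
    an ordinary typo among many successful lookups stays below the bar."""
    total = defaultdict(int)
    nx_names = defaultdict(set)
    for line in lines:
        _, client, qname, rcode = parse_line(line)
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_names[client].add(qname)
    flagged = {}
    for client, n in total.items():
        nx = len(nx_names[client])
        ratio = nx / n
        if nx >= min_nx and ratio >= min_ratio:
            flagged[client] = {"nxdomain": nx, "ratio": round(ratio, 2)}
    return flagged


def matches_predicted(lines, predicted) -> dict:
    """Queried names that appear in a pre-computed DGA list. With the
    algorithm reversed, this both confirms the family on a given client and
    tells the defender which names to register as sinkholes in advance."""
    wanted = set(predicted)
    hits = defaultdict(set)
    for line in lines:
        _, client, qname, _ = parse_line(line)
        if qname in wanted:
            hits[client].add(qname)
    return dict(hits)


if __name__ == "__main__":
    print("predicted names for", SEED_DAY, ":", PREDICTED)
    print("flagged clients:", nxdomain_suspects(SAMPLE_LOG))
    print("clients hitting predicted names:", matches_predicted(SAMPLE_LOG, PREDICTED))
```

The thresholds in `nxdomain_suspects` are deliberately simple; a production detector would also bound the time window and whitelist known-noisy sources, but the shape of the signal is the same one the Damballa sensors keyed on: many distinct names that never resolve, from one host, in a short span.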
An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals -- without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits -- boot rootkits -- because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.