Elusive TDL4 malware variant infected Fortune 500 companies, government agencies, researchers say

Damballa researchers believe a new variant of the sophisticated TDL4 bootkit affected over 250,000 victims in the past few months

Researchers from security vendor Damballa have identified malicious Internet traffic that they believe is generated by a new and elusive variant of the sophisticated TDL4 malware.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

On July 8, Damballa sensors that operate on the networks of telecommunication operators and ISPs that partnered with the company detected a new pattern of DNS (Domain Name System) requests for non-existent domains. Such traffic suggests the presence on the network of computers infected with malware that uses a domain generation algorithm (DGA).

Some malware creators use DGAs in order to evade network-level domain blacklists and to make their command and control infrastructure more resilient against takedown attempts.

DGAs generate a number of random-looking domain names at predefined time intervals for the malware to connect to. Because the attackers know which domain names their algorithm will generate and access at a future point in time, they can register some of them in advance and use them to issue commands to infected computers.

Even if those domains are later shut down, the overall operation is not affected because the malware will generate and use different domain names in the future.
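As an added illustration of the NXDOMAIN pattern the sensors described above look for (this script is not from the article or Damballa's paper), here is a defender-side check over constructed resolver log lines; the log format, host addresses, domain names and thresholds are all assumptions made for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real data):
# "<unix_time> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
1373241600 10.0.0.5 www.example.com NOERROR
1373241601 10.0.0.5 mail.example.com NOERROR
1373241602 10.0.0.9 qxv7kd2mzp9w.com NXDOMAIN
1373241603 10.0.0.9 h3lr8tzq0vna.net NXDOMAIN
1373241604 10.0.0.9 zk92pwdx4mlq.com NXDOMAIN
1373241605 10.0.0.9 p0v6nq3rty8w.org NXDOMAIN
1373241606 10.0.0.9 bn5xq8mwl2kd.com NXDOMAIN
1373241607 10.0.0.5 typo-exmaple.com NXDOMAIN
1373241608 10.0.0.9 www.example.com NOERROR
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)$")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label; random-looking DGA labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """Label left of the TLD (naive split; a real deployment would use a public-suffix list)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def flag_dga_hosts(log_text: str, min_nxdomain: int = 4, min_entropy: float = 3.0) -> dict:
    """Return {client_ip: [names]} for hosts with many high-entropy NXDOMAIN lookups.
    A single typo (one NXDOMAIN) stays below min_nxdomain and is not flagged."""
    nx_by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and shannon_entropy(second_level_label(qname)) >= min_entropy:
            nx_by_host[client].append(qname)
    return {host: names for host, names in nx_by_host.items() if len(names) >= min_nxdomain}


if __name__ == "__main__":
    for host, names in flag_dga_hosts(SAMPLE_LOG).items():
        print(host, len(names), names[:3])
```

On the constructed log only 10.0.0.9 is flagged; the single misspelled lookup from 10.0.0.5 stays under the count threshold.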

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

This type of action is known as sinkholing and, in this case, it revealed that the new malware is part of a click-fraud operation that involves rogue advertisements being injected into various websites including facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com when opened on infected computers.

An analysis of other domain names registered by the attackers themselves and the networks where they hosted those domains revealed similarities to the command and control infrastructure used by the gang behind the TDL4 malware family.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals -- without counting threats like Stuxnet, Flame, Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits -- boot rootkits -- because it infects the hard disk drive's Master Boot Record (MBR), the sector that contains information about a disk's partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

In June 2011, the TDL4 botnet was made up of over 4.5 million infected computers. Because of the malware's advanced detection evasion techniques and its decentralized command and control infrastructure, security researchers from antivirus vendor Kaspersky Lab called it an "indestructible botnet" at the time.

The Damballa researchers obtained a memory snapshot from a computer infected with the new threat that revealed pieces of code and configuration strings similar to those found in TDL4. This further strengthened their view that the new threat is a new variant of TDL4. However, a definitive conclusion couldn't be reached because they were not able to obtain an actual binary sample of the threat.

In fact, "no one in the security community has been able to produce binary samples for the discovery we announced today -- and many 'insiders' have been privy to this discovery for over 2 months," the Damballa researchers said Monday in a blog post.

"If no samples exist (and we have tried for over 2 months to find them) then there are no signatures to block the malware or to scan potentially infected victim machines -- and network-based malware analysis solutions have apparently missed it too," the researchers said.

"This appears to be a kernel level rootkit, attaches itself to iexplorer and it is very likely that the malware has MBR capabilities," Manos Antonakakis, director of academic sciences at Damballa, said Tuesday via email. "This would make it hard to detect for traditional AV. That would actually also explain the victim growth we observe for the sinkholing actions we made against a few of the DGA domain names."

However, Antonakakis agreed that it's possible that some antivirus products already detect this threat with a generic name based, for example, on behavioral criteria, and that researchers from those antivirus companies haven't yet analyzed those samples manually in order to find the connection to TDL4.

Kaspersky Lab researchers are currently looking into this case, but there is no information to share at this time, a Kaspersky Lab spokeswoman said Tuesday via email.


Lucian Constantin

IDG News Service