A new variant of the TDSS/TDL-4 botnet is growing quickly, largely because of its success with an evasion technique known as a domain generation algorithm (DGA), researchers at Damballa Security reported today.
The latest version uses the algorithm to support its click-fraud campaigns and, above all, to keep moving communication between infected machines and command-and-control servers from domain to domain, a technique known as domain fluxing. It is a cousin of fast flux, which rotates the IP addresses behind a single domain; domain fluxing instead rotates the domain names themselves. Because each bot computes the next set of rendezvous domains on its own, blocking or seizing the domains observed so far does little to cut off the botnet or to trace it back to its operators.
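To make the mechanism concrete, here is an added example that is not part of the original article and is not TDL-4's actual algorithm: a hypothetical date-seeded DGA together with the two things a defender can do about it. A blocklist built from yesterday's sinkhole data catches nothing today, while an analyst who recovers the seed and the algorithm from a sample can enumerate upcoming domains in advance and block or sinkhole them. The seed value, the TLD set and the hashing scheme are all constructed for illustration.

```python
"""Illustrative domain generation algorithm (DGA) and the defender's two
responses to it.  Hypothetical toy, NOT TDL-4's real algorithm; it models
only the behaviour described in the article: a fresh set of rendezvous
domains every day, so a static blocklist goes stale immediately."""
import hashlib
from collections import Counter
from datetime import date, timedelta
from math import log2

TLDS = ("com", "net", "org", "info")  # assumed TLD set for the toy DGA


def generate_domains(seed: bytes, day: date, count: int = 8) -> list:
    """Derive `count` candidate C2 domains for `day` from a shared secret seed.

    Bot and operator run the same code, so both know today's list without
    exchanging a message; an analyst who extracts seed + algorithm from a
    sample can compute the same list ahead of time.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + digest[0] % 8                                  # 8..15 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(seed: bytes, start: date, days: int) -> set:
    """Defender who has recovered the algorithm: enumerate the next `days`
    worth of domains so they can be registered, sinkholed or blocked first."""
    return {d for n in range(days)
            for d in generate_domains(seed, start + timedelta(days=n))}


def blocklist_coverage(blocklist: set, todays_domains: list) -> float:
    """Fraction of today's rendezvous domains a given blocklist would catch."""
    return sum(d in blocklist for d in todays_domains) / len(todays_domains)


def label_entropy(domain: str) -> float:
    """Shannon entropy (bits per character) of the second-level label.

    Labels built from hash output score high, dictionary words lower.  This
    is a naive heuristic shown only to illustrate signature-free detection;
    production detectors use NXDOMAIN clustering and n-gram models.
    """
    label = domain.split(".")[0]
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values())


if __name__ == "__main__":
    seed = b"constructed-example-seed"              # constructed, not a real key
    yesterday, today = date(2011, 9, 7), date(2011, 9, 8)
    stale = set(generate_domains(seed, yesterday))  # blocklist from yesterday's sinkhole
    fresh = generate_domains(seed, today)
    print("today's domains:", fresh)
    print("stale blocklist catches:", blocklist_coverage(stale, fresh))
    ahead = precompute_blocklist(seed, yesterday, 30)
    print("precomputed blocklist catches:", blocklist_coverage(ahead, fresh))
    for d in fresh[:3] + ["microsoft.com", "threatpost.com"]:
        print(f"{d:24s} entropy={label_entropy(d):.2f}")
```

The asymmetry in the output is the whole point of a DGA: without the algorithm the defender is always one day behind, with it the defender is as far ahead as they care to compute. That is why the quote later in this article stresses obtaining a binary sample; the algorithm and seed inside it are what turn reactive blocking into pre-emptive sinkholing.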
Since the new variant appeared in May, it has reportedly infected 250,000 unique victims, including machines inside government agencies, ISP networks and 46 of the Fortune 500. Damballa researchers said they identified 85 command-and-control servers and 418 domains associated with the new version, hosted mainly in Russia, Romania and the Netherlands. Damballa says some of the domains belong to the Russian Business Network (RBN). In the last week alone the botnet has grown 10 percent, the researchers said.
The TDSS/TDL-4 malware is at its core a rootkit that infects a computer's master boot record, which makes it hard to remove. The rootkit hides any additional malware it installs, and TDSS has infected more than 4.5 million computers, making it one of the most prolific botnets on record.
“It’s very unusual not to have a sample,” Antonakakis said. “The fact the security community is not coming back with a binary sample indicates to us that there are samples out there, but no one is associating them with this malware and they’re not creating signatures for it. We’ve seen 30,000 new infections in the last five days (most of the infections have been in the United States or Germany).”