A new iteration of the TDSS/TDL-4 malware using DGA-based command and control

From Botnets.fr


Botnet TDSS, DGAv14, TDL-4
Malware TDL-4 (bot)
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012-07-23
Editor/Conference Damballa
Link https://www.damballa.com/downloads/r_pubs/damballa_discovery_brief_9_2012.pdf (Archive copy)


Damballa has discovered a new iteration of TDSS/TDL-4 that uses a domain generation algorithm (DGA) for its command-and-control (C&C) communication.

  • The discovery leads to a new and more comprehensive understanding of the latest command-and-control infrastructure for TDSS/TDL-4, which appears to be managing multiple versions of the malware (see the Damballa Labs research paper).
  • The discovery was made possible by a Damballa invention that automatically detects and classifies threats based on network DGA activity, discovering emerging threats by monitoring network behavior without prior knowledge of, or exposure to, the malicious software package employed by the criminals.
  • Victims were found to include Fortune 500 companies, government agencies and ISP networks.
  • Believed to have emerged in May 2012, the new crimeware has been confirmed by Damballa Labs to have already infected:
    • At least 250,000 unique victims
    • 46 of the Fortune 500 companies
  • A total of 85 hosting servers and 418 unique domains were identified as being related to the threat.
    • The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).
  • It appears that no binary samples of the new malware have been identified and categorized by commercial antivirus products operating at the host or network level.
  • Because no binary samples had been located, a sinkhole capturing C&C traffic from infected devices around the world, together with a memory snapshot from a victim device, was used to confirm the discovery.
  • The C&C traffic captured by the sinkhole also reveals new details of a click-fraud campaign that uses the DGA-based C&C channel to report successful click-fraud activity; the criminal operators could use those reports to provision the entire campaign.
  • The top hijacked domains exploited by the click-fraud threat are:
  1. facebook.com
  2. doubleclick.net
  3. youtube.com
  4. yahoo.com
  5. msn.com
  6. google.com
  • TDSS/TDL-4 is malware known to infect the master boot record (MBR), which makes it resilient to best-practice remediation; it has been described as the ‘indestructible’ botnet and was at one point reported to have infected over 4.5 million victims.
  • All of the threat details provided in this document and the associated Damballa Labs research threat report have been compiled without any available samples of the actual malware. Additional details will be released as more victim machines and/or malware samples become available for analysis.
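The brief describes the detection approach only in general terms: hosts are flagged by their DGA-like DNS behaviour on the network, not by a signature of the malware binary. The following is an added example of that class of detection, written for this page; it is not Damballa's code and is not derived from the brief. It runs a behavioural heuristic over a constructed DNS log: for each client it computes the NXDOMAIN ratio, the number of distinct registered labels that came back NXDOMAIN, and the mean Shannon entropy of those labels, and flags clients that exceed all three thresholds. The log format, the sample lines, the helper names and the thresholds (NX_RATIO_MIN, ENTROPY_MIN, MIN_NX_DOMAINS) are all assumptions made for the example.

```python
"""Behavioural DGA detection over a DNS query log (added example, not from the brief)."""
import math
from collections import defaultdict

# Constructed log excerpt, one "<client> <qname> <rcode>" record per line.
# These lines are made up for this example; they are not sinkhole traffic.
SAMPLE_LOG = """\
10.0.0.5 www.google.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.5 static.doubleclick.net NOERROR
10.0.0.5 cdn.youtube.com NOERROR
10.0.0.9 xk3qpz7vwm.com NXDOMAIN
10.0.0.9 t9b2lqw0rfz.net NXDOMAIN
10.0.0.9 hq7v2zxk9pm.com NXDOMAIN
10.0.0.9 wz8rk3mq1x.org NXDOMAIN
10.0.0.9 c4n8vzq0lk.com NXDOMAIN
10.0.0.9 p2xq7wzm4kr.com NOERROR
10.0.0.9 www.google.com NOERROR
"""

# Thresholds are assumptions chosen for this example; tune them on real traffic.
NX_RATIO_MIN = 0.5     # share of a client's queries that returned NXDOMAIN
ENTROPY_MIN = 3.0      # mean bits/char of the failed registered labels
MIN_NX_DOMAINS = 5     # distinct failed registered labels before flagging


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; 0.0 for an empty label."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Label directly left of the TLD. Simplification: ignores public-suffix
    rules such as co.uk, which a production detector must apply."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_log(text: str):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2].upper()


def profile_clients(records):
    """Per-client counters: total queries, NXDOMAIN count and the set of
    registered labels whose lookups failed."""
    profiles = defaultdict(lambda: {"total": 0, "nx": 0, "nx_labels": set()})
    for client, qname, rcode in records:
        p = profiles[client]
        p["total"] += 1
        if rcode == "NXDOMAIN":
            p["nx"] += 1
            p["nx_labels"].add(registered_label(qname))
    return profiles


def score_client(profile) -> dict:
    """Derive the three features for one client and apply the thresholds."""
    nx_ratio = profile["nx"] / profile["total"] if profile["total"] else 0.0
    labels = profile["nx_labels"]
    mean_entropy = (sum(shannon_entropy(l) for l in labels) / len(labels)) if labels else 0.0
    suspicious = (nx_ratio >= NX_RATIO_MIN
                  and mean_entropy >= ENTROPY_MIN
                  and len(labels) >= MIN_NX_DOMAINS)
    return {"nx_ratio": nx_ratio, "mean_entropy": mean_entropy,
            "distinct_nx": len(labels), "suspicious": suspicious}


def find_dga_clients(log_text: str) -> set:
    """Return the set of client addresses whose DNS behaviour looks DGA-driven."""
    profiles = profile_clients(parse_log(log_text))
    return {c for c, p in profiles.items() if score_client(p)["suspicious"]}


if __name__ == "__main__":
    for client, p in profile_clients(parse_log(SAMPLE_LOG)).items():
        print(client, score_client(p))
    print("flagged:", find_dga_clients(SAMPLE_LOG))
```

On the sample log only 10.0.0.9 is flagged: five of its seven queries failed, the five failed labels are all distinct, and each is a random-looking string with more than three bits of entropy per character. The NXDOMAIN-rate feature is what makes this approach work without a sample: a DGA bot queries many candidate domains of which only a few are registered, so its failure pattern is visible on the resolver even when the binary is unknown. The same features produce false positives for hosts with typo-heavy users, misconfigured search domains or CDN hostnames with hashed labels, so thresholds need tuning against baseline traffic and a whitelist of known high-entropy benign zones.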


 @misc{2012BFR1184,
   editor = {Damballa},
   author = {},
   title = {A new iteration of the TDSS/TDL-4 malware using DGA-based command and control},
   date = {23},
   month = Jul,
   year = {2012},
   howpublished = {\url{https://www.damballa.com/downloads/r_pubs/damballa_discovery_brief_9_2012.pdf}},
 }