Unveiling the network criminal infrastructure of TDSS/TDL4 - DGAv14: a case study on a new TDSS/TDL4 variant

From Botnets.fr
Botnet: TDL-4, DGAv14
Date: 2012
Editor/Conference: Damballa
Link: https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf
Authors: Manos Antonakakis, Jeremy Demar, Kevin Stevens, David Dagon


In the last few months, Damballa Labs in collaboration with Georgia Tech Information Security Center (GTISC) has been tracking what appears to be a new iteration of TDSS/TDL4. This variant makes use of Domain name Generation Algorithm (DGA) tactics in order to establish its command and control (C&C) communication channel with the C&C domain names, but also to serve its click-fraud activities. The extended C&C network hosting infrastructure spans multiple different networks in Europe, the US and Asia. While most of the C&C IP addresses have been associated in the past with illicit operations (i.e., RBN, BitCoin), and have affected hundreds of thousands of victims, we are not aware of a sample available to the security community that matches the network behavior. Despite this, we are able to characterize key parts of the new TDSS/TDL4 variant, its DGA, and most of the victim population. While a binary would provide a more complete explanation of this botnet, we describe in this whitepaper how network-only evidence can be leveraged to defend against the (as yet unrecovered) malware.

Currently, we are monitoring this new TDSS/TDL4 variant - which for simplicity we will refer to as DGAv14 in the remainder of the text - using Damballa's ISP visibility, and using the GTISC sinkhole infrastructure to verify what we infer about its C&C communication channels and growth. As of today we have observed close to 200,000 unique Internet hosts trying to contact the GTISC sinkhole. This number is growing. While a binary sample would let us estimate the total potential vulnerable population, we demonstrate how a network-centric view nonetheless allows us to measure and remediate this malware by working with network operators around the world. In the remainder of this report, we will briefly discuss the similarities of DGAv14 with TDSS/TDL4 in section 2. Next, we will continue in section 3, where we will discuss the passive DNS properties of the network and domain name C&C infrastructure of DGAv14. In section 4, we will discuss all observations made possible using the sinkhole data we gathered over the last few weeks. Finally, in section 5 we will discuss the attribution aspects of DGAv14, and we will conclude in section 6 with lessons learned from the detection and tracking efforts of DGAv14.


 @misc{2012BFR1194,
   editor = {Damballa},
   author = {Manos Antonakakis, Jeremy Demar, Kevin Stevens, David Dagon},
   title = {Unveiling the network criminal infrastructure of TDSS/TDL4 - DGAv14: a case study on a new TDSS/TDL4 variant},
   date = {06},
   month = Dec,
   year = {2012},
   howpublished = {\url{https://www.damballa.com/downloads/r_pubs/Damballa_tdss_tdl4_case_study_public.pdf}},
 }