New variant of TDL-4 botnet includes capability to generate 'disposable' C&C domain names

A new variant of the TDL-4 botnet has infected approximately 250,000 unique victims.

Damballa Labs, which detected the variant, found that it now has a unique domain generation algorithm (DGA)-based command-and-control (C&C) capability as part of its improving arsenal of evasion techniques. This makes TDL-4 capable of generating unique ‘disposable’ C&C domain names, making the C&C virtually undetectable by blacklisting and signature-based technologies.

One tactic for infection involves a click-fraud campaign that redirects users from legitimate ads on major sites to suspicious URLs. Here, victims are redirected from major websites to URLs where the owner receives money for clicks. According to Damballa Labs, anti-virus software has been unsuccessful in detecting the attack and the infection, which is a variant of malware from the TDL-4 botnet.

Damballa Labs said that the infection is a new iteration of TDL-4 and the discovery was made and validated purely based on network behavioural analysis without the need for a malware sample, which it or other anti-virus firms have been able to capture.

It said: “The newly discovered capabilities in TDL-4 are significant in that they give the ‘indestructible botnet’ even more elusive capabilities. TDL-4 already evades host-based detection and remediation due to its ability to infect master boot records and by using peer-to-peer communications.”

Victims so far include Fortune 500 companies, government agencies and ISPs. It has already infected 46 of the Fortune 500 companies and a total of 85 hosting servers, while 418 unique domains have been identified as being related to the threat.

The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).

TDL-4 was once described as the world's most complex botnet. When detected a year ago, it could control up to four million computers and had capabilities including encrypted communications, a peer-to-peer network for sending commands to control infected computers and proxy server functionality to enable users to sell anonymous internet access through infected computers.

Joseph Souren, vice president and general manager of Wave Systems EMEA, said: “We don't currently know how TDL-4 generates the URL at this point. We just know it keeps changing. And if you're changing the URL all the time, it takes longer to figure out what the software is about, and what it is doing.

“The best defence is based on the Trusted Platform Module (TPM) chip. The TPM stores the signatures of every piece of software on the machine, and the ones that are most important are used early in the boot process before the anti-virus initiates.”
