According to a new report on the TDSS/TDL4 malware published by security firm Damballa, the new attack is using domain generation algorithm (DGA)-based communication for command-and-control (C&C).
Used by Murofet, Sinowal and the recent Mac-based Flashback malware, DGA communications techniques are being used to successfully evade detection by blacklists, signature filters and static reputation systems, and to hide C&C infrastructure, Damballa reported.
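The reason DGA traffic slips past blacklists and static reputation systems is that each day's candidate domains are new, so a defender has nothing to look up. What remains visible on the network is the side effect: an infected host queries a burst of long, random-looking names, most of which do not resolve (NXDOMAIN), and the one that does resolve is the domain the operator actually registered. The following Python script is an added example, not code from the Damballa report or from any product; it runs a simple lexical heuristic (label length, character entropy, vowel ratio) plus a per-client NXDOMAIN count over a few constructed resolver log lines in a made-up `<timestamp> <client-ip> <qname> <rcode>` format, and surfaces the resolved name among the failures as the candidate C&C to investigate. Thresholds are assumptions chosen for the sample, not values from the report.

```python
import math
from collections import defaultdict

VOWELS = set("aeiou")

# Constructed sample resolver log (not real data): "<ts> <client> <qname> <rcode>".
# Client 10.0.0.7 shows the DGA pattern: a burst of NXDOMAIN lookups for
# random-looking names, then one such name that resolves.
SAMPLE_LOG = """\
2012-07-10T09:00:01 10.0.0.5 www.example.com NOERROR
2012-07-10T09:00:02 10.0.0.5 mail.example.com NOERROR
2012-07-10T09:00:03 10.0.0.7 kq3xz9vbtp2wlc.com NXDOMAIN
2012-07-10T09:00:03 10.0.0.7 x8dj2lqpzv7ycw.net NXDOMAIN
2012-07-10T09:00:04 10.0.0.7 r4mtbz6qwkj1hp.org NXDOMAIN
2012-07-10T09:00:04 10.0.0.7 v2pqlzk7xjw9dn.com NXDOMAIN
2012-07-10T09:00:05 10.0.0.7 m7zkqx3pwjvb1t.info NXDOMAIN
2012-07-10T09:00:05 10.0.0.7 tb9qzx2kvpjw4n.com NOERROR
2012-07-10T09:00:06 10.0.0.9 cdn.images-example.net NOERROR
2012-07-10T09:00:07 10.0.0.9 nonexistent-typo.example.com NXDOMAIN
"""


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def second_level_label(qname):
    """Label left of the TLD (naive: assumes a single-label public suffix)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character over the label's own character distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c in VOWELS) / len(letters)


def looks_dga(label, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Lexical heuristic: long, high-entropy, vowel-poor labels.

    Entropy alone misfires on long legitimate names (e.g. 'images-example'
    scores above 3 bits), so the vowel ratio is required as a second signal.
    Thresholds are assumptions tuned to the sample, not published values.
    """
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def analyze(text, nx_threshold=4):
    """Per client: NXDOMAIN count, DGA-like names, and which of those resolved."""
    per_client = defaultdict(
        lambda: {"nxdomain": 0, "dga_like": [], "resolved_dga_like": []})
    for rec in parse_log(text):
        entry = per_client[rec["client"]]
        if rec["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
        if looks_dga(second_level_label(rec["qname"])):
            entry["dga_like"].append(rec["qname"])
            if rec["rcode"] == "NOERROR":
                # A DGA-like name that resolved amid a burst of failures is the
                # domain the operator registered: the candidate C&C to block.
                entry["resolved_dga_like"].append(rec["qname"])
    report = {}
    for client, entry in per_client.items():
        entry["suspicious"] = (entry["nxdomain"] >= nx_threshold
                               and len(entry["dga_like"]) >= nx_threshold)
        report[client] = entry
    return report


if __name__ == "__main__":
    for client, entry in analyze(SAMPLE_LOG).items():
        print(client, entry)
```

On the sample, only 10.0.0.7 is flagged, and its single resolved DGA-like name is reported separately; the typo lookup from 10.0.0.9 produces one NXDOMAIN but no flag, which is the behaviour a resolver-log detector needs so that ordinary misspellings do not page an analyst.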
TDSS/TDL4 is malware known to infect the master boot record (MBR) of computers, making it resistant to common practices in remediation. It has been described as the "indestructible" botnet, with the ability to act as a launch pad for other malware. At one point it was reported as having infected over 4.5 million victims.
A total of 85 hosting servers and 418 unique domains were identified as being related to the new TDSS/TDL4 threat, Damballa said. The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).
"By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic," said Manos Antonakakis, director of academic sciences for Damballa.
"With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks go undetected for long periods of time," Antonakakis said.