New TDSS/TDL4 Malware Infects 46 Of Fortune 500

New Domain Generation Algorithm-based malware claims at least 250,000 victims

Dark Reading Staff, Dark Reading

September 18, 2012

A new iteration of TDSS/TDL4 malware has infected at least 250,000 victims, including 46 companies in the Fortune 500, researchers said Monday.

According to a new report on the TDSS/TDL4 malware published by security firm Damballa, the new attack uses domain generation algorithm (DGA)-based communication for command-and-control (C&C).

DGA communication techniques, also used by Murofet, Sinowal and the recent Mac-based Flashback malware, are being used to successfully evade detection by blacklists, signature filters and static reputation systems, and to hide C&C infrastructure, Damballa reported.

TDSS/TDL4 is malware known to infect the master boot record (MBR) of computers, making it resistant to common practices in remediation. It has been described as the "indestructible" botnet, with the ability to act as a launch pad for other malware. At one point it was reported as having infected over 4.5 million victims.

A total of 85 hosting servers and 418 unique domains were identified as being related to the new TDSS/TDL4 threat, Damballa said. The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).

"By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic," said Manos Antonakakis, director of academic sciences for Damballa.

"With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks go undetected for long periods of time," Antonakakis said.
