New TDL4 Bootkit Malware Variant Hits Fortune 500

Security vendor Damballa Labs has discovered a new variant of the TDSS/TDL4 malware that has apparently hit about 250,000 unique victims and at least 46 Fortune 500 companies, governmental agencies and ISP networks.

The malware uses highly secure domain generation algorithm (DGA)-based command-and-control (C&C) for communication, providing the controllers with details on click-fraud activity while at the same time avoiding network layer domain blacklists and signature-based filters.

"Every time you go to a page, they click on a specific ad for which they have registered themselves as affiliates so they can get paid for each click," said Edy Almer, marketing vice president at Wave Systems, a Lee, Mass.-based security company. "And since they're just running millions and millions of them, the money adds up. This malware is currently about stealing money, but it can also be used in a lot of other ways such as the theft of credentials, stealing sensitive information, attacking infrastructure, etc."



Although Damballa Labs has not had access to malware samples, it claims it has successfully secured its customers through the use of global DNS visibility provided by ISP and Telco partners since the variant was discovered in July. "Because it is near impossible to 'predict' the actual domain names generated daily for DGA-based C&C, the only way to positively identify an infected victim device and categorize the threat is by using machine learning technology that can create behavioral classifiers that will recognize certain NXDomain activity as being related to a defined DGA-based threat," reported the company in a 16-page published report.

"Instead of having one command-and-control URL or a single server, the server continues to change," said Almer. "There is an algorithm around it. It could be based around access, or a specific period of time. We don't know how it generates the URL at this point. We just know it keeps changing. And if you're changing the URL all the time, it takes a long time to figure out what the software is about, and what it is doing."
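The NXDomain signal the Damballa report relies on can be illustrated without the machine-learning classifier the report describes. The following is an added example, not code from Damballa, Wave Systems or the article: it parses constructed resolver log lines (constructed for this example, not real traffic), counts NXDOMAIN responses per client, and uses a simple heuristic (label length, character entropy, digits, vowel ratio) to decide whether the failed lookups look algorithmically generated. A real classifier would learn these features rather than hard-code the thresholds, which are assumptions chosen for the sample data.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic): timestamp, client IP, query name, response code.
SAMPLE_LOG = """\
2012-09-18T10:00:01 10.0.0.7 www.example.com NOERROR
2012-09-18T10:00:02 10.0.0.7 mail.example.com NOERROR
2012-09-18T10:00:03 10.0.0.9 kq3vx9tzp1lm.com NXDOMAIN
2012-09-18T10:00:03 10.0.0.9 zj8r2wqh7cnv.net NXDOMAIN
2012-09-18T10:00:04 10.0.0.9 p0t4yw6lxk2d.info NXDOMAIN
2012-09-18T10:00:04 10.0.0.9 mv5c8zq1rtb3.com NXDOMAIN
2012-09-18T10:00:05 10.0.0.9 x7hn2lkw9qpz.org NXDOMAIN
2012-09-18T10:00:05 10.0.0.9 d4g8rt1nvm6s.com NOERROR
2012-09-18T10:00:06 10.0.0.7 typo-exmaple.com NXDOMAIN
"""

# Assumed log layout; adapt the pattern to the resolver you actually export from.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."), "rcode": rcode}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label, e.g. 'example' for 'www.example.com'."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(qname, min_len=8, min_entropy=3.0, max_vowel_ratio=0.2):
    """Heuristic stand-in for a learned classifier (thresholds are assumptions)."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= min_entropy and (has_digit or vowel_ratio <= max_vowel_ratio)


def classify_clients(log_text, min_nx=4, min_algorithmic_share=0.8):
    """Per-client NXDOMAIN statistics and a 'suspect' verdict for DGA-like behaviour."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "algorithmic_nx": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            if looks_algorithmic(rec["qname"]):
                s["algorithmic_nx"] += 1
    for s in stats.values():
        # Many failed lookups, most of them for random-looking names: the DGA signature.
        s["suspect"] = (s["nxdomain"] >= min_nx
                        and s["algorithmic_nx"] / s["nxdomain"] >= min_algorithmic_share)
    return dict(stats)


if __name__ == "__main__":
    for client, s in classify_clients(SAMPLE_LOG).items():
        print(client, s)
```

A single typo lookup (10.0.0.7 above) stays below the threshold; a host that burns through several random-looking names in a row (10.0.0.9) is flagged even though none of those names is on any blacklist, which is the point the report makes about why domain lists alone miss DGA traffic.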

A total of 85 hosting servers and 418 unique domains were apparently used in the attack. The top three hosting countries for the command-and-control servers are Russia, Romania and the Netherlands. The top hijacked domains included facebook.com, doubleclick.net, youtube.com, yahoo.com, msn.com and google.com.

Antivirus products were unsuccessful in detecting the attacks.


TDSS/TDL4 evades host-based detection and remediation through its ability to change master boot records and also through peer-to-peer communications. Therefore, Almer believes that the best defense is based on the Trusted Platform Module (TPM) chip, from which his company's product can extract information.

According to Wave Systems' Almer, the chip is based on standards of the Trusted Computing Group, of which Wave Systems, as well as Microsoft, IBM, Dell, HP, Lenovo and a number of other companies, are members. The TPM chip works by storing signatures of a piece of software and cross-referencing those signatures to ensure they match during the booting process.

"The TPM stores the signatures of every piece of software on the machine, and the ones that are most important are the ones that are used early in the boot process before the antivirus initiates," Almer said. "But if we have the signature of the legitimate software in the TPM, we can determine if the actual software trying to boot matches that signature. We can then discover any changes in the BIOS or the MBR [master boot record]."

If the signatures don't match, or if changes are detected, there are several courses of action that can be taken, Almer said.

"At that point, we can do any number of things, based on configuration. We might prevent the machine from booting. We might allow it to boot but then send it to a specific area used for remediation. Or, potentially, we can recover a protected version of the MBR before the change and then compare that change to anything that the administrators have done and use the old version."
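The comparison Almer describes, and the three policy outcomes he lists, can be shown in software. The following is an added example, not Wave Systems' product code and not a real TPM API: it models the "signatures" the article mentions as SHA-256 measurements of each early-boot component, extends them in order into a PCR-style register the way measured boot does, compares the result with a golden value recorded from a known-good boot, and then applies a configured policy (block, quarantine, or restore a protected copy). The BIOS, MBR and boot loader images are constructed byte strings standing in for the real firmware and boot sectors.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)  # a PCR holds all zeros until the first extend after power-on


def measure(image: bytes) -> bytes:
    """Hash one boot component; this is the 'signature' stored per component."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). One-way and order-dependent."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components: List[Tuple[str, bytes]]) -> Tuple[bytes, Dict[str, bytes]]:
    """Measure each component in boot order; return the final PCR and an event log."""
    pcr = PCR_INIT
    event_log: Dict[str, bytes] = {}
    for name, image in components:
        m = measure(image)
        event_log[name] = m
        pcr = extend(pcr, m)
    return pcr, event_log


def check_boot(golden_pcr: bytes, golden_log: Dict[str, bytes],
               components: List[Tuple[str, bytes]], policy: str = "quarantine") -> dict:
    """Compare this boot's PCR against the golden one; on mismatch apply the policy.

    policy is one of 'block' (refuse to boot), 'quarantine' (boot into a
    remediation network) or 'restore' (replace changed components with protected copies).
    """
    pcr, event_log = measured_boot(components)
    if pcr == golden_pcr:
        return {"ok": True, "changed": [], "action": "boot"}
    # The PCR only proves that *something* changed; the event log says which component.
    changed = [name for name, m in event_log.items() if golden_log.get(name) != m]
    return {"ok": False, "changed": changed, "action": policy}


def restore_protected_copies(components: List[Tuple[str, bytes]],
                             protected: Dict[str, bytes], changed: List[str]):
    """Swap altered components for the protected known-good copies."""
    return [(name, protected[name] if name in changed else image) for name, image in components]


# Constructed images (not real firmware) in boot order.
GOOD_COMPONENTS = [
    ("bios", b"constructed BIOS image v1"),
    ("mbr", b"constructed MBR: bootstrap code + partition table"),
    ("bootloader", b"constructed boot loader stage 1"),
]
# A constructed MBR whose bootstrap code differs from the recorded one.
MODIFIED_MBR = b"constructed MBR: replaced bootstrap code + partition table"

# Golden values recorded once from a known-good boot.
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_COMPONENTS)
PROTECTED_COPIES = dict(GOOD_COMPONENTS)


def demo() -> dict:
    """Boot with a modified MBR under the 'restore' policy and re-check after restoring."""
    booted = [(n, MODIFIED_MBR if n == "mbr" else img) for n, img in GOOD_COMPONENTS]
    verdict = check_boot(GOLDEN_PCR, GOLDEN_LOG, booted, policy="restore")
    if verdict["action"] == "restore":
        repaired = restore_protected_copies(booted, PROTECTED_COPIES, verdict["changed"])
        verdict["after_restore"] = check_boot(GOLDEN_PCR, GOLDEN_LOG, repaired)
    return verdict


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this: the register value is what the chip actually protects, while the per-component event log is ordinary storage and must be replayed against the register before it is trusted to name the changed component; and because extend is order-dependent, the same images booted in a different order produce a different value, so the golden value must be recorded from the exact boot sequence that is meant to be enforced.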

Almer added that an appropriate counterstrategy to TDSS/TDL4 is particularly important for financial institutions, healthcare organizations, government agencies or any vertical industries that store highly sensitive data.

PUBLISHED SEPT. 19, 2012