New TDL4 Bootkit Malware Variant Hits Fortune 500

Printer-friendly version Email this CRN article

Security vendor Damballa Labs has discovered a new variant of the TDSS/TDL4 malware that has apparently hit about 250,000 unique victims and at least 46 Fortune 500 companies, governmental agencies and ISP networks.

The malware uses highly secure domain generation algorithm (DGA)-based command-and-control (C&C) for communication, providing the controllers with details on click-fraud activity while at the same time avoiding network layer domain blacklists and signature-based filters.

"Every time you go to a page, they click on a specific ad for which they have registered themselves as affiliates so they can get paid for each click," said Edy Almer, marketing vice president at Wave Systems, a Lee, Mass.-based security company. "And since they're just running millions and millions of them, the money adds up. This malware is currently about stealing money, but it can also be used in a lot of other ways such as the theft of credentials, stealing sensitive information, attacking infrastructure, etc."


[Related: 7 Deadly Sins of Information Security]

Although Damballa Labs has not had access to malware samples, it claims it has successfully secured its customers through the use of global DNS visibility provided by ISP and Telco partners since the variant was discovered in July. "Because it is near impossible to ‘predict’ the actual domain names generated daily for DGA-based C&C, the only way to positively identify an infected victim device and categorize the threat is by using machine learning technology that can create behavioral classifiers that will recognize certain NXDomain activity as being related to a defined DGA-based threat," reported the company in a 16-page published report.

"Instead of having one command-and-control URL or a single server, the server continues to change," said Almer. "There is an algorithm around it. It could be based around access, or a specific period of time. We don't know how it generates the URL at this point. We just know it keeps changing. And if you're changing the URL all the time, it takes a long time to figure out what the software is about, and what it is doing."

A total of 85 hosting servers and 418 unique domains were apparently used in the attack. The top three hosting countries for the command-and control servers are Russia, Romania and the Netherlands. The top hijacked domains included,,,, and

Antivirus products were unsuccessful in detecting the attacks.

NEXT: Means of Detection

Printer-friendly version Email this CRN article