ATLANTA--Damballa Inc., the company transforming the fight against cyber threats, today announced the discovery of a new iteration of TDSS/TDL4 malware that uses domain generation algorithm (DGA)-based communication for command-and-control (C&C). TDSS/TDL4 infects master boot records, making it resilient to standard remediation practices, and is known as the ‘indestructible’ botnet that at one point had infected over 4.5 million victims. The discovery has also led to a new and more comprehensive understanding of the latest C&C infrastructure for TDSS/TDL4, which appears to be managing multiple versions of the malware across more than 250,000 infected victims worldwide.
The discovery was made possible by a Damballa invention that automatically detects and classifies threats based on network DGA activity, discovering emerging threats by monitoring network behavior without any prior knowledge of, or exposure to, the malicious software package the criminals are using. As with Murofet, Sinowal and the recent Mac-based Flashback malware, DGA communication techniques are being used to evade blacklists, signature filters and static reputation systems, and to hide C&C infrastructure. DGAs are also referred to as a form of domain fluxing.
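The following is an added illustrative example, not code from the Damballa report and not the TDSS/TDL4 algorithm. It shows the two halves of the paragraph above: a hypothetical, date-seeded DGA (the seed, label length and TLD pool are assumptions chosen for the demo) that explains why a blacklist compiled yesterday never contains today's C&C name, and a simplified behavioural detector that flags an infected host purely from its DNS traffic, with no malware sample, by clustering NXDOMAIN responses on high-entropy labels. The detector is a teaching heuristic, not Pleiades, and the DNS log it runs over is constructed inline.

```python
"""Illustrative DGA-based C&C plus a sample-free behavioural detector.

Added example for this article: NOT code from the Damballa report and
NOT the TDSS/TDL4 algorithm. The generator is a hypothetical DGA; the
detector is a simplified heuristic, not Pleiades.
"""
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

TLDS = ("com", "net", "info")   # assumed TLD pool for the toy DGA
LABEL_LEN = 16                  # assumed label length for the toy DGA


def dga_domains(seed: bytes, day_iso: str, count: int = 5) -> List[str]:
    """Hypothetical DGA: derive `count` candidate C&C domains from a secret
    seed and the calendar date (ISO string). Bots and operator share the
    seed, so the operator registers only one of today's names, and a
    blacklist built from yesterday's names never contains it."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[LABEL_LEN] % len(TLDS)]}")
    return domains


def entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label. Random DGA
    labels score near log2(len(label)); dictionary words score well below."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def flag_dga_hosts(dns_log: List[Tuple[str, str, str]],
                   nx_threshold: int = 10,
                   entropy_threshold: float = 3.0) -> Dict[str, List[str]]:
    """Behavioural detector: flag source hosts whose NXDOMAIN responses
    cluster on high-entropy second-level labels. A bot walking a DGA list
    produces exactly this pattern, because most generated names are never
    registered. Each log entry is (src_ip, qname, rcode). No sample needed."""
    suspects: Dict[str, List[str]] = defaultdict(list)
    for src, qname, rcode in dns_log:
        parts = qname.rstrip(".").split(".")
        if rcode != "NXDOMAIN" or len(parts) < 2:
            continue
        if entropy(parts[-2]) >= entropy_threshold:
            suspects[src].append(qname)
    return {src: names for src, names in suspects.items()
            if len(names) >= nx_threshold}


def simulate_infected_host(seed: bytes, day_iso: str,
                           count: int = 20) -> Dict[str, List[str]]:
    """Constructed scenario: one bot (10.0.0.5) walks the day's DGA list and
    only the last name resolves; a clean host (10.0.0.7) does ordinary
    lookups, including one typo that also returns NXDOMAIN."""
    names = dga_domains(seed, day_iso, count)
    log = [("10.0.0.5", d, "NXDOMAIN") for d in names[:-1]]
    log.append(("10.0.0.5", names[-1], "NOERROR"))    # the live C&C domain
    log += [("10.0.0.7", "facebook.com", "NOERROR"),
            ("10.0.0.7", "facebok.com", "NXDOMAIN")]  # low-entropy typo
    return flag_dga_hosts(log)


if __name__ == "__main__":
    print(dga_domains(b"constructed-seed", "2012-05-01"))
    print(simulate_infected_host(b"constructed-seed", "2012-05-01"))
```

The point of the pairing is that nothing in the detector references the DGA's seed or algorithm: it sees only the side effect (a burst of unresolvable, random-looking names from one host) that any DGA family produces, which is why a behavioural approach can surface a new variant before a binary is ever captured. In practice the thresholds would be tuned per network, and the entropy feature alone is weak against DGAs that build names from dictionary words.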
A sixteen-page Damballa Research Report details the technical analysis that led to the discovery, as well as new details related to the TDSS/TDL4 C&C infrastructure, and evidence of a sophisticated click-fraud campaign using DGA-based C&C to report back on successful click-fraud activity. The click-fraud C&C may also be used by the criminal operators to provision and manage the entire campaign.
The discovery and analysis was made possible due to:
- The machine-learning, DGA detection capabilities of the Damballa patent-pending invention, Pleiades, which has been responsible for previous Damballa discoveries, and was first made public by Damballa Director of Academic Sciences, Dr. Manos Antonakakis, at the 2012 USENIX Security Symposium.
- Damballa’s visibility into global Internet traffic through ISP and telecommunications partners.
- One of the largest passive DNS databases in the world - maintained by Damballa Labs.
- Collaboration with Georgia Tech Information Security Center (GTISC) that facilitated a sinkhole operation using some of the DGA domains to gather C&C evidence from victim machines.
“As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams,” stated Dr. Manos Antonakakis, director of academic sciences for Damballa. “By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic. With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover. The day is rapidly approaching where the desire to discover actual malware will be eclipsed by the need to automatically detect network behavior indicative of malware infections. Rapid discovery of infected victims is the key to limiting the consequences of the breach and preventing data theft. For Damballa, the eventual discovery of malicious binary samples is more often confirmation of what we already know – for the rest of the industry it is typically where the investigation begins.”
The company also released a six-page Discovery Brief, which highlights key findings in the Research Report. The Brief lays out the timeline and events which led to the confirmation that a new iteration of TDSS/TDL4 had been discovered without requiring samples of the new malicious binaries.
Some highlights of the discovery detailed in the report include:
- Victims were found to include Fortune 500 companies, government agencies and ISP networks.
- Believed to have emerged in May 2012, the new crimeware has been confirmed by Damballa Labs to have already infected:
  - At least 250,000 unique victims
  - 46 of the Fortune 500 companies
- A total of 85 C&C servers and 418 unique domains were identified as being related to the threat.
- The top three hosting countries for the C&C servers are Russia (26 hosts), Romania (15 hosts) and the Netherlands (12 hosts).
- The C&C traffic captured by the sinkhole also revealed new details of a click-fraud campaign, utilizing DGA-based C&C to report back on successful click-fraud activity which could be used by the criminal operators to provision the entire campaign.
- The top hijacked domains exploited by the click-fraud threat are:
  1. facebook.com
  2. doubleclick.net
  3. youtube.com
  4. yahoo.com
  5. msn.com
  6. google.com
“Damballa continues to enhance its network behavioral detection techniques and is now consistently discovering new threats that are evading signature-based solutions and in-network malware analysis tools that are dependent on obtaining malware samples,” said Dr. Wenke Lee, director of the Georgia Tech Information Security Center. “GTISC is proud to have collaborated with Damballa on this discovery and enjoys the close working relationship we have with a company that is truly setting a standard for research and innovation for other security companies to follow.”
About Damballa
Damballa is a pioneer in the fight against cybercrime. Damballa provides the only network security solution that detects the remote control communication that criminals use to breach networks to steal corporate data and intellectual property, and conduct espionage or other fraudulent transactions. Patent-pending solutions from Damballa protect networks with any type of server or endpoint device including PCs, Macs, Unix, smartphones, mobile and embedded systems. Damballa customers include mid-size and large enterprises that represent every major market, telecommunications and Internet service providers, universities, and government agencies. Privately held, Damballa is headquartered in Atlanta. http://www.damballa.com