A new version of the TDSS/TDL-4 botnet is rapidly growing, primarily because it’s having great success using an evasion technique known as a domain generation algorithm (DGA) to avoid detection, researchers at Damballa Security revealed today.
The algorithm helps the latest version of the botnet carry out click-fraud campaigns and is used primarily to rapidly move communication between victims and command-and-control servers from domain to domain, a technique known as domain fluxing, similar to fast fluxing.
Since this new version appeared in May, it has reportedly infected 250,000 unique victims, including machines inside government agencies, ISP networks and 46 of the Fortune 500. Damballa researchers said they found 85 command-and-control servers and 418 domains related to the new version, primarily hosted in Russia, Romania and the Netherlands. Damballa reports some of the domains belong to the Russian Business Network (RBN). In the last week, the botnet has grown 10 percent, Damballa researchers said.
The TDSS/TDL-4 malware is essentially a rootkit that infects a computer’s master boot record, making it difficult to remediate. The rootkit hides any other malware present; the malware has infected more than 4.5 million computers, making it one of the most prolific botnets on record.
Discovery of the new variant began in early July when Damballa’s proprietary DGA detection technology, formally rolled out in August at USENIX, saw domain fluxing activity from its ISP and telecommunications customers. The DGA generates upwards of thousands of domains over a period of time, with only a handful actually registered as the command-and-control server needs them. The process repeats and the throwaway domains are never seen again, Damballa said. The researchers were able to determine that this was malware behavior despite the lack of a binary sample.
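As an added illustration of the resolver-side signal described above (this is not Damballa's detection technology, whose method is not described here), the following simplified per-client heuristic runs over constructed DNS log lines and flags hosts that produce many failed lookups for high-entropy names, the footprint that unregistered throwaway DGA domains leave at an ISP resolver. The log format, thresholds and sample data are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log, one "client queried_name rcode" per line (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 cdn.example.net NOERROR
10.0.0.7 wwww.example.com NXDOMAIN
10.0.0.7 exampel.com NXDOMAIN
10.0.0.9 kx7qpl3vz.com NXDOMAIN
10.0.0.9 a9f2lmq0rtb.net NXDOMAIN
10.0.0.9 zq18mvx4pw.com NXDOMAIN
10.0.0.9 hv3tq9lzm2.org NXDOMAIN
10.0.0.9 d7xkq2pzrn.com NXDOMAIN
10.0.0.9 www.example.com NOERROR
"""

def label_entropy(name):
    """Shannon entropy in bits/char of the registrable label (the part just before the TLD)."""
    parts = name.rstrip(".").lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))

def parse_log(text):
    """Yield (client, name, rcode) tuples from the whitespace-separated log format above."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2]

def find_dga_clients(text, min_nx=4, min_ratio=0.5, min_entropy=3.0):
    """Flag clients whose failed lookups are numerous, a large share of their queries,
    and made up of high-entropy labels; a couple of typo NXDOMAINs stay below the bar."""
    total = defaultdict(int)
    nx_entropies = defaultdict(list)
    for client, name, rcode in parse_log(text):
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx_entropies[client].append(label_entropy(name))
    flagged = {}
    for client, ents in nx_entropies.items():
        ratio = len(ents) / total[client]
        mean_entropy = sum(ents) / len(ents)
        if len(ents) >= min_nx and ratio >= min_ratio and mean_entropy >= min_entropy:
            flagged[client] = {"nxdomain": len(ents), "ratio": ratio, "entropy": mean_entropy}
    return flagged

if __name__ == "__main__":
    for client, s in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {s['nxdomain']} NXDOMAIN, ratio {s['ratio']:.2f}, entropy {s['entropy']:.2f}")
```

On the sample only 10.0.0.9 is flagged; the two typo lookups from 10.0.0.7 fall under the count threshold.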
Damballa worked with its partner, the Georgia Tech Information Security Center, and a sinkhole was built to observe the new threat and hopefully capture a sample. Soon, the researchers were seeing attempted command-and-control connections from victim machines similar to known TDSS/TDL-4 activity. Some were Damballa customers who were able to provide the researchers with a memory snapshot of an infected machine, giving them code to compare against existing botnet code.
“This was discovered and modeled without having access to a binary. We were able to identify a cluster of DGA activity, model it, identify command and control and map out the infrastructure,” said Manos Antonakakis, director of academic sciences at Damballa. “We were just seeing activity between the protocols observed from the network standpoint and mapped without a binary. This has not been done in the past.”
This is the reverse of the traditional malware analysis process; usually researchers have a binary sample and will reverse engineer it to come up with a signature-based protection.
“It’s very unusual not to have a sample,” Antonakakis said. “The fact the security community is not coming back with a binary sample indicates to us that there are samples out there, but no one is associating them with this malware and they’re not creating signatures for it. We’ve seen 30,000 new infections in the last five days (most of the infections have been in the United States or Germany).”