A new version of the TDSS/TDL-4 botnet is rapidly growing because it is doing what a good botnet does and that is evading security.
This botent is using a domain generation algorithm (DGA) to avoid detection, said researchers at Damballa Security.
The algorithm helps the latest version of the botnet carry out click-fraud campaigns and it rapidly moves communication between victims and command-and-control servers from domain to domain, a technique known as domain fluxing.
Since this version appeared in May, it has infected 250,000 unique victims, including machines inside government agencies, ISP networks and 46 of the Fortune 500. Damballa researchers said they found 85 command and control servers and 418 domains related to the new version, primarily hosted in Russia, Romania and the Netherlands. Some of the domains belong to the Russian Business Network (RBN), the researchers said. In the last week, the botnet grew 10 percent, Damballa researchers said.
The TDSS/TDL-4 malware is a rootkit, infecting a computer’s master boot record, making it difficult to remediate. The rootkit hides any other malware present; the malware infected more than 4.5 million computers making it one of the most prolific botnets on record.
Discovery of the new variant began in early July when Damballa’s DGA proprietary detection technology, saw domain fluxing activity from its ISP and telecommunications customers. The DGA algorithm generates upwards of thousands of domains over a period of time, with only a handful actually registered as the command-and-control server needs it. The process repeats and the throwaway domains never appear again, Damballa said. The researchers were able to decipher this was malware behavior, despite the lack of a binary sample.
Damballa worked with its partner at the Georgia Tech Information Security Center, and they built a sinkhole to observe the new threat and hopefully capture a sample. Soon, the researchers saw attempted command and control connections from victim machines similar to known TDSS/TDL-4 activity. Some were Damballa customers who were able to provide the researchers with a memory snapshot of infected machine, giving them some code to overlap against existing botnet code for comparison.
“This was discovered and modeled without having access to a binary. We were able to identify a cluster of DGA activity, model it, identify command and control and map out the infrastructure,” said Manos Antonakakis, director of academic sciences at Damballa. “We were just seeing activity between the protocols observed from the network standpoint and mapped without a binary. This has not been done in the past.”
This is the reverse of the traditional malware analysis process; usually researchers have a binary sample and will reverse engineer it to come up with a signature-based protection.
“It’s very unusual not to have a sample,” Antonakakis said. “The fact the security community is not coming back with a binary sample indicates to us that there are samples out there, but no one is associating them with this malware and they’re not creating signatures for it. We’ve seen 30,000 new infections in the last five days (most of the infections have been in the United States or Germany).”