Hard-to-kill malware spotted in the wild includes a domain generation algorithm in the communications with its command-and-control infrastructure to make it harder to detect and eliminate. Use of such a tactic is part of a growing trend among malware threats as attackers look to thwart security.
A new edition of the notorious TDSS malware has been spotted using a domain generation algorithm (DGA) in communications with its command-and-control (C&C) infrastructure as it spreads throughout enterprises.
Also known as TDL4, TDSS works by infecting master boot records, which has made it difficult for security programs to destroy. At one point, security researchers reported, the malware had built a botnet of 4.5 million victims. In 2011, it was linked separately to the spread of the notorious DNSChanger Trojan, which was at the center of an FBI takedown operation last year.
According to IT security technology company Damballa, the latest discovery led to a new understanding of the malware's C&C infrastructure, which appears to be managing multiple versions of the malware across more than 250,000 infected victims worldwide. In collaboration with the Georgia Tech Information Security Center, Damballa researchers launched a sinkhole operation using some of the malware's domains to gather evidence about the command-and-control structure.
The researchers discovered that the latest version of the malware has infected computers at 46 of the Fortune 500. Other victims include government agencies and ISP networks. The C&C traffic captured by the sinkhole also yielded new details of a click-fraud operation leveraging DGA-based C&C to provide status reports about the fraud operation's successes, so the information could be used by the criminal operators to provision the entire fraud campaign. Some of the top hijacked domains in the click-fraud operation include Facebook.com, Google.com and YouTube.com.
In all, 85 C&C servers and 418 unique domains were labeled as being related to the malware, with Russia, Romania and the Netherlands hosting the most C&C servers.
Domain generation algorithms (DGAs) are traditionally used as a way to evade signature-based detection systems and static blacklists, explained Manos Antonakakis, director of academic sciences for Damballa. Using the tactic, which is also known as domain fluxing, allows the attacker to exploit the inability of network security systems to recognize and block the latest active domain names, he told eWEEK. The technique has become popular among malware authors and has been adopted by Trojans such as Zeus and BankPath, he added. Pseudo-random domain generation has also been used by the Blackhole exploit kit to make attacks more persistent.
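As an added example (not from the article, and not Damballa's tooling), here is a small detector for the side effect a DGA leaves in DNS logs: a static blacklist cannot name domains that did not exist yesterday, but an infected host querying many long, high-entropy names that fail to resolve (NXDOMAIN) stands out regardless of which names the algorithm produced. The log format, sample lines and thresholds are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log: "client queried_name response_code" (not from the article).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.google.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 xkq7vt2mzp9w.com NXDOMAIN
10.0.0.7 q3hd8szlvb0c.net NXDOMAIN
10.0.0.7 wp1ztr6ykm4j.com NXDOMAIN
10.0.0.7 a9vf3hnqxm7e.org NXDOMAIN
10.0.0.7 www.youtube.com NOERROR
10.0.0.9 cdn.example.net NOERROR
10.0.0.9 updates.example.com NXDOMAIN
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def registered_label(name):
    """Label left of the TLD ('xkq7vt2mzp9w' for 'xkq7vt2mzp9w.com'); assumes single-label TLDs."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def looks_generated(name, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy registered labels are typical of DGA output.
    Thresholds are assumed values; tune them against your own baseline traffic."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def parse_dns_log(text):
    """Yield (client, name, rcode) tuples from the whitespace-separated format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]

def flag_dga_hosts(text, min_nx=3):
    """Per client, count NXDOMAIN answers for generated-looking names; a bot burns
    through unregistered candidates before hitting the live one, so return clients at or above min_nx."""
    counts = defaultdict(int)
    for client, name, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN" and looks_generated(name):
            counts[client] += 1
    return {client: n for client, n in counts.items() if n >= min_nx}
```

In practice the flagged client is a lead for investigation, not a verdict: CDN and anti-spam services also emit random-looking names, so an allowlist of known-good domains should sit in front of this check.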
"As we previously reported, the rate at which DGA-based communications techniques are being adopted, and their ability to elude the scrutiny of some of the most advanced malware analysis professionals, should be of great concern to incident response teams," Antonakakis said in a statement.
"By adding elusive DGA C&C capabilities to malware that already evades detection and circumvents best practices in remediation by infecting master boot records, TDL4 is becoming increasingly problematic," he added. "With its known ability to act as a launch pad for other malware, and TDSS' history of sub-leasing access to their victims, these hidden infections in corporate networks that go undetected for long periods of time are the unseen time bombs that security teams work so hard to uncover."