TDL-4 variant spreads click-fraud campaign

Share this article:

A click-fraud campaign – in which attackers redirect users from legitimate ads on major sites, like Facebook and YouTube, to URLs where they can receive money for clicks – has been launched using a new TDL-4 malware variant.

TDL-4 rose to infamy in 2011, when researchers discovered that the malware supported a botnet of more than four million infected computers, which were primarily in the United States.

The latest version of the malware uses a domain-generation algorithm (DGA), in which the infected machines generate hundreds to thousands of domain names a day to hide the command-and-control infrastructure.

Researchers at Damballa Labs discovered the malware variant and believe it emerged in May, infecting approximately 280,000 machines since then. The last 30,000 cases of infection have emerged in the past week alone.

Manos Antonakakis, the director of academic sciences for Damballa, told SCMagazine.com on Tuesday that researchers are still analyzing the malware's capabilities, but that infections have been centralized to certain areas.

“The major countries affected by this are the U.S., Germany and U.K.,” Antonakakis said. Once the malware is on victims' machines, it hijacks the devices when users click on legitimate ads found on sites – like Facebook, YouTube, Yahoo, MSN and Google – to direct web traffic to ads that will gain attackers money.

Victims are usually unaware that the click-fraud activity has even transpired.

Researchers at Damballa, as well as at the Georgia Tech Information Security Center (GTISC), which is collaborating with the firm, have not determined what kinds of ads criminals may be using to further their campaign.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

DDoS attacks remain up, stronger in Q2, report says

DDoS attacks remain up, stronger in Q2, report ...

Prolexic's second quarter DDoS report noted the proliferation of shorter attacks that ate up more bandwidth.

Superman soars above fellow superheroes as most toxic search term

A McAfee study found that searches pertaining to Superman exposed users to the most infected websites.

Black Hat talk on Tor weaknesses canceled

Black Hat organizers say legal counsel for the Software Engineering Institute and Carnegie Mellon University nixed the session.