TDL-4 variant spreads click-fraud campaign

Share this article:

A click-fraud campaign – in which attackers redirect users from legitimate ads on major sites, like Facebook and YouTube, to URLs where they can receive money for clicks – has been launched using a new TDL-4 malware variant.

TDL-4 rose to infamy in 2011, when researchers discovered that the malware supported a botnet of more than four million infected computers, which were primarily in the United States.

The latest version of the malware uses a domain-generation algorithm (DGA), in which the infected machines generate hundreds to thousands of domain names a day to hide the command-and-control infrastructure.

Researchers at Damballa Labs discovered the malware variant and believe it emerged in May, infecting approximately 280,000 machines since then. The last 30,000 cases of infection have emerged in the past week alone.

Manos Antonakakis, the director of academic sciences for Damballa, told SCMagazine.com on Tuesday that researchers are still analyzing the malware's capabilities, but that infections have been centralized to certain areas.

“The major countries affected by this are the U.S., Germany and U.K.,” Antonakakis said. Once the malware is on victims' machines, it hijacks the devices when users click on legitimate ads found on sites – like Facebook, YouTube, Yahoo, MSN and Google – to direct web traffic to ads that will gain attackers money.

Victims are usually unaware that the click-fraud activity has even transpired.

Researchers at Damballa, as well as at the Georgia Tech Information Security Center (GTISC), which is collaborating with the firm, have not determined what kinds of ads criminals may be using to further their campaign.

Page 1 of 2
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.