TDL-4 variant spreads click-fraud campaign

Share this article:

A click-fraud campaign – in which attackers redirect users from legitimate ads on major sites, like Facebook and YouTube, to URLs where they can receive money for clicks – has been launched using a new TDL-4 malware variant.

TDL-4 rose to infamy in 2011, when researchers discovered that the malware supported a botnet of more than four million infected computers, which were primarily in the United States.

The latest version of the malware uses a domain-generation algorithm (DGA), in which the infected machines generate hundreds to thousands of domain names a day to hide the command-and-control infrastructure.

Researchers at Damballa Labs discovered the malware variant and believe it emerged in May, infecting approximately 280,000 machines since then. The last 30,000 cases of infection have emerged in the past week alone.

Manos Antonakakis, the director of academic sciences for Damballa, told SCMagazine.com on Tuesday that researchers are still analyzing the malware's capabilities, but that infections have been centralized to certain areas.

“The major countries affected by this are the U.S., Germany and U.K.,” Antonakakis said. Once the malware is on victims' machines, it hijacks the devices when users click on legitimate ads found on sites – like Facebook, YouTube, Yahoo, MSN and Google – to direct web traffic to ads that will gain attackers money.

Victims are usually unaware that the click-fraud activity has even transpired.

Researchers at Damballa, as well as at the Georgia Tech Information Security Center (GTISC), which is collaborating with the firm, have not determined what kinds of ads criminals may be using to further their campaign.

Page 1 of 2
Share this article:

Sign up to our newsletters

More in News

In Cisco probe, misuse or compromise spotted on all firms' networks

In Cisco probe, misuse or compromise spotted on ...

Cisco analyzed the business networks of 30 multinational companies last year, and revealed the findings in its 2014 Annual Security Report.

Fareit trojan observed spreading Necurs, Zbot and CryptoLocker

The Necurs and Zbot trojans, as well as CryptoLocker ransomware, has been observed by researchers as being spread through another trojan, known as Fareit.

Post Heartbleed, tech giants join initiative to bolster open source

Post Heartbleed, tech giants join initiative to bolster ...

The newly formed Core Infrastructure Initiative, created to boost under-funded open source projects, will tackle OpenSSL first.