
TDL-4 variant spreads click-fraud campaign

A click-fraud campaign – in which attackers redirect users from legitimate ads on major sites, like Facebook and YouTube, to URLs where they can receive money for clicks – has been launched using a new TDL-4 malware variant.

TDL-4 rose to infamy in 2011, when researchers discovered that the malware supported a botnet of more than four million infected computers, which were primarily in the United States.

The latest version of the malware uses a domain-generation algorithm (DGA), in which the infected machines generate hundreds to thousands of domain names a day to hide the command-and-control infrastructure.
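The paragraph above describes the mechanism but not why a DGA is hard to block: every infected host runs the same generator with the same seed and date, so the operator registers only one of that day's domains while defenders face a list that changes daily. The block below is an added illustration, not TDL-4's real algorithm or any Damballa code. It pairs a toy date-seeded generator with the two defender-side checks a practitioner would actually run once a sample has been reverse engineered: precomputing the day's domains and matching DNS queries against them, with a character-entropy heuristic as a weaker fallback for names the list does not cover. The seed, the date, the TLD list and the log lines are all constructed for the example.

```python
import datetime
import hashlib
import math
from collections import Counter

# Constructed seed and date for the illustration; a real DGA's seed and
# algorithm are recovered by reverse engineering the malware sample.
SEED = b"illustrative-dga-seed"
DAY = datetime.date(2012, 9, 18)
TLDS = ("com", "net", "info")


def dga(day, count, seed=SEED):
    """Toy date-seeded DGA: every infected host computes the same `count`
    domains for `day`, so the operator only has to register one of them."""
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def shannon_entropy(text):
    """Bits of entropy per character of `text`."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Cheap heuristic for algorithmically generated names: a long registered
    label with high character entropy and few vowels. Thresholds are
    illustrative; this misses dictionary-based DGAs and flags some CDN hosts."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    if len(label) < 10:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.25


def scan_dns_log(lines, day, count=1000):
    """Match each query against the day's precomputed DGA output first
    (high confidence), then fall back to the entropy heuristic."""
    expected = set(dga(day, count))
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        if qname in expected:
            hits.append((client, qname, "known-dga-domain"))
        elif looks_generated(qname):
            hits.append((client, qname, "dga-like"))
    return hits


KNOWN = dga(DAY, 1000)
# Constructed DNS log lines: timestamp, client IP, queried name.
SAMPLE_LOG = [
    "2012-09-18T10:01:02 10.0.0.5 www.facebook.com",
    f"2012-09-18T10:01:07 10.0.0.5 {KNOWN[17]}",
    "2012-09-18T10:01:09 10.0.0.9 xkqzvwjtrplmb.net",
    "2012-09-18T10:01:11 10.0.0.9 securityweek.com",
]

if __name__ == "__main__":
    for client, qname, reason in scan_dns_log(SAMPLE_LOG, DAY):
        print(f"{client} -> {qname} [{reason}]")
```

The precomputed list is the strong signal: once the generator and seed are known, the day's domains can be sinkholed or blocked before the botnet uses them, which is how DGA botnets are usually taken over. The entropy heuristic is only a fallback for triage; it flags the host on 10.0.0.9 querying a random-looking name that is not on the list, and it would need tuning against real traffic before being used for alerting.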

Researchers at Damballa Labs discovered the malware variant and believe it emerged in May, infecting approximately 280,000 machines since then. The last 30,000 cases of infection have emerged in the past week alone.

Manos Antonakakis, the director of academic sciences for Damballa, told SCMagazine.com on Tuesday that researchers are still analyzing the malware's capabilities, but that infections are concentrated in certain regions.

“The major countries affected by this are the U.S., Germany and U.K.,” Antonakakis said. Once the malware is on a victim's machine, it intercepts the user's clicks on legitimate ads on sites like Facebook, YouTube, Yahoo, MSN and Google and redirects that traffic to ads that pay the attackers.

Victims are usually unaware that the click-fraud activity has even transpired.

Researchers at Damballa, as well as at the Georgia Tech Information Security Center (GTISC), which is collaborating with the firm, have not determined what kinds of ads criminals may be using to further their campaign.

“We are in the process of further analyzing the ad campaign,” Antonakakis said. “We have several people working to define what [attackers] are actually doing.”

More than 40 Fortune 500 companies are among the victims infected by the TDL-4 variant, as well as government agencies and ISP networks. Damballa also pinpointed 85 servers, hosted primarily in Russia, Romania and the Netherlands, that are linked to the botnet.

David Holmes, the vice president of marketing at Damballa, told SCMagazine.com on Tuesday that TDL-4 was particularly dangerous because of the unknown damage it can inflict on infected machines.

“Anyone infected with TDL-4 is at high risk because it is often the launching pad for other malware,” Holmes said, later adding that the malware was “multipurpose.”

Researchers have only established the click-fraud campaign being carried out by the malware, though they are looking into its other features.
