Security vendor Damballa Labs has discovered a new variant of the TDSS/TDL4 malware that has apparently hit about 250,000 unique victims and at least 46 Fortune 500 companies, governmental agencies and ISP networks.
The malware uses highly secure domain generation algorithm (DGA)-based command-and-control (C&C) for communication, providing the controllers with details on click-fraud activity while at the same time avoiding network layer domain blacklists and signature-based filters.
"Every time you go to a page, they click on a specific ad for which they have registered themselves as affiliates so they can get paid for each click," said Edy Almer, marketing vice president at Wave Systems, a Lee, Mass.-based security company. "And since they're just running millions and millions of them, the money adds up. This malware is currently about stealing money, but it can also be used in a lot of other ways such as the theft of credentials, stealing sensitive information, attacking infrastructure, etc."