Some 250,000 unique domain name holders may have suffered infringement from a new variant of the TDL4 malware, a new study has indicated.
Research conducted by Damballa has established that this malicious threat is attacking even the most sophisticated of online portals, with government agencies and 46 Fortune 500-listed companies featuring on the list of bodies affected.
So far, the source of this malicious Internet traffic has not been identified and as such, the malware has been named DGAv14 by the security vendor.
This activity was first tracked by Damballa in July, when it detected a pattern of domain name system requests for non-existent (NX) web portals–a trend that can usually be attributed to the presence of a domain generation algorithm.
“At this point … Damballa named the threat NorthSpiderAngels – an automatically assigned three-word concatenation used to name threats that are not yet known to the industry,” the body noted.
Subsequently, the organization teamed up with the Georgia Tech Information Security Center in order to register some of the domain names the DGAv14 was attempting to access itself in order to monitor the traffic being routed to them.
This sinkholing operation led to Damballa finding that several of these addresses had been associated with TDL4 and the Russian Business Network, leading the body to gain its “first clue” that the discovery could be a new version of TDL4.
Eventually, the group was able to formally announce it had found a fresh variation of this infamous malware.
“The new iteration was discovered due to the NXDomain behavior associated with a DGA technique it utilizes to evade detection,” Damballa stated.
In addition, the organization went on to warn that the number of infected victims of the malware is growing, which suggests that antivirus programs are not identifying it effectively.