New TDL4 variant affecting government, ISPs, etc.
TDL4 is the newest type of the TDSS rootkit, which is a classic rootkit malware/virus that has been infecting computers and constructing a botnet since 2006. Now, with its new dangerous properties, it has the ability to sneak in to government agency computers, ISPs, and even popular companies. It uses stealthy properties and exploits to get itself installed, where it can hide itself in a different partition on the computer or create its own partition.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame,Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.
Much of this information pulled from TechWorld.
One of the newer partition infections includes a dropper located at c:\windows\svchost.exe
Protect your computer from rootkits by the makers of TDSSKiller, Kaspersky Lab for only $59.95 (a $79.95 value):