Unveiling the Network Criminal Infrastructure of TDSS/TDL4 – DGAv14: A case study on a new TDSS/TDL4 variant

Saturday, September 1, 2012
Manos Antonakakis, Jeremy Demar, Kevin Stevens and David Dagon
Technical Report

In the last few months, Damballa Labs, in collaboration with the Georgia Tech Information Security Center (GTISC), has been tracking what appears to be a new iteration of TDSS/TDL4. This variant uses Domain Generation Algorithm (DGA) tactics to establish its command and control (C&C) channel with the C&C domain names, and also to serve its click-fraud activities.