Last month Damballa stirred up the security community with the discovery of a new iteration of the notorious TDL4 rootkit. This rootkit is known for infecting the Master Boot Record (MBR) to gain control over everything that runs on the computer, making itself invisible to antivirus products and pretty hard to remove. The malware is also known as the ‘indestructible’ botnet, and Damballa reported that this new variant has already infected 46 of the Fortune 500 companies as well as government agencies and ISP networks.
Damballa stumbled upon it thanks to their network behavioral analysis software, which detected the generated domain names that this new TDL4 variant apparently uses for command-and-control communication. Since Damballa could only determine the existence of the new malware by looking for domain fluxing, they concluded that no binary samples of the new malware have been identified and categorized by commercial antivirus products operating at the host or network levels. But HitmanPro is not your average antivirus.
With all the new stuff we are working on in our office we haven’t really gotten around to generating our monthly Malware Prevalence Top 25, a list of malware families that HitmanPro encounters on computers protected by up-to-date commercial antivirus products.
In just 2 months this new TDL4 variant reached the #2 position on that list! This means that commercial antivirus products are unable to detect, let alone remove, this malware.
Volume Boot Record (VBR)
This new variant is known as Sst.c. It is capable of infecting the Volume Boot Record (VBR) – which is even more challenging for commercial antivirus programs.
So we can confirm that Sst.c is highly prevalent and has gained a new trick: it infects the Volume Boot Record.
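To make the MBR/VBR distinction concrete, here is an added example that is not HitmanPro or SurfRight code. It parses a 512-byte boot sector, tells an MBR (partition table at offset 446) from a Windows VBR (jump instruction, OEM ID and BIOS Parameter Block at the start of the sector), flags basic anomalies, and fingerprints the boot code so it can be compared against a known-good baseline. The offsets and OEM IDs follow the documented on-disk layout; the anomaly heuristics and the two sample sectors are my own constructions.

```python
"""Boot sector inspection: classify a 512-byte sector as MBR or VBR and fingerprint its code.

Added example, not HitmanPro code. Sample sectors are constructed in build_sample_*().
"""
import hashlib
import struct

SECTOR_SIZE = 512
SIGNATURE_OFFSET = 510          # 0x55 0xAA marks a valid boot sector
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries in an MBR
# OEM identifiers Windows file systems write at offset 3 of their VBR.
KNOWN_OEM_IDS = (b"NTFS    ", b"MSDOS5.0", b"MSWIN4.1", b"EXFAT   ")


def has_boot_signature(sector):
    """True if the sector ends with the 0x55 0xAA boot signature."""
    return sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA"


def parse_partition_table(sector):
    """Return the four MBR partition entries: status, type, LBA start, sector count."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * 16
        # layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        boot_flag, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"active": boot_flag == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def looks_like_vbr(sector):
    """A VBR opens with a short/near jump (EB/E9) and a file-system OEM ID at offset 3."""
    return sector[0] in (0xEB, 0xE9) and bytes(sector[3:11]) in KNOWN_OEM_IDS


def looks_like_mbr(sector):
    """An MBR has sane status bytes and at least one used partition entry."""
    flags_ok = all(sector[PARTITION_TABLE_OFFSET + i * 16] in (0x00, 0x80) for i in range(4))
    used = [e for e in parse_partition_table(sector) if e["type"] != 0]
    return flags_ok and used and not looks_like_vbr(sector)


def classify_boot_sector(sector):
    """Classify a sector as 'MBR', 'VBR' or 'unknown' and collect simple anomalies."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly %d bytes" % SECTOR_SIZE)
    result = {"kind": "unknown", "signature_ok": has_boot_signature(sector), "anomalies": []}
    if not result["signature_ok"]:
        result["anomalies"].append("missing 0x55AA boot signature")
    if looks_like_vbr(sector):
        result["kind"] = "VBR"
        bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
        result["oem_id"] = sector[3:11].decode("ascii", "replace").strip()
        result["bytes_per_sector"] = bytes_per_sector
        result["sectors_per_cluster"] = sectors_per_cluster
        if bytes_per_sector not in (512, 1024, 2048, 4096):
            result["anomalies"].append("implausible bytes-per-sector %d" % bytes_per_sector)
    elif looks_like_mbr(sector):
        result["kind"] = "MBR"
        entries = parse_partition_table(sector)
        result["partitions"] = [e for e in entries if e["type"] != 0]
        if sum(e["active"] for e in entries) > 1:
            result["anomalies"].append("more than one active partition")
    return result


def code_fingerprint(sector):
    """SHA-256 over the bytes that should change only when boot code changes:
    the area before the partition table for an MBR, the whole sector for a VBR.
    Compare this against a baseline taken from a known-clean system."""
    kind = classify_boot_sector(sector)["kind"]
    region = sector[:PARTITION_TABLE_OFFSET] if kind == "MBR" else sector
    return hashlib.sha256(bytes(region)).hexdigest()


def build_sample_mbr():
    """Constructed MBR: one active NTFS-type partition at LBA 2048, 204800 sectors long."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<B3xB3xII", sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def build_sample_vbr():
    """Constructed NTFS VBR: jump, OEM ID, minimal BPB (512 bytes/sector, 8 sectors/cluster)."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xEB\x52\x90"
    sector[3:11] = b"NTFS    "
    struct.pack_into("<HB", sector, 0x0B, 512, 8)
    sector[SIGNATURE_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


if __name__ == "__main__":
    for name, sec in (("MBR", build_sample_mbr()), ("VBR", build_sample_vbr())):
        print(name, classify_boot_sector(sec), code_fingerprint(sec)[:16])
```

On a live Windows system the sectors would be read from a raw device or volume handle with administrator rights, but a rootkit that controls the boot chain can answer those reads with clean-looking data, so the baseline comparison only means something when the sectors are read from outside the infected system, for example from clean boot media.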
We will post more information on Sst.c when it becomes available.