More than 130,000 Windows PCs in the UK have been infected with an advanced Trojan in the latest targeted attacks by the notorious Rovnix botnet, according to reports by antivirus firm Bitdefender.
The Rovnix campaign, aimed primarily at UK Windows users, has been dubbed the most successful targeted attack, with over 87% of all successful infections recorded in the UK. Other countries such as the US, Germany, Italy and Iran have recorded relatively low infection counts, ranging between 0.5% and 4%.
Technically, Rovnix's data-stealing malware is designed to steal financial information such as credit card numbers from unsuspecting victims. The malware is spread through emails carrying the Andromeda downloader: the attacker sends an attachment infected with Andromeda, which the unsuspecting victim downloads and runs.
Unlike the older version of the Trojan, the new variant encrypts communication between the compromised machines and the command and control server. Encryption gives the malware an edge over many defense mechanisms on the victim's system and allows it to lie undetected for a long time.
The new variant encrypts communication with its command and control servers, allowing it to go undetected for a long time. “The campaign targeting the UK proves that the Rovnix botnet is still going strong,” said Bitdefender Chief Security Strategist Catalin Cosoi. “The switch to encrypted communications shows that this e-threat is still under active development. We won’t see the last of it for some time yet.”
An investigation into the malware’s Domain Generation Algorithm (DGA) revealed that the botnet generates 5 to 10 domains every three months using publicly available text files such as the United States Declaration of Independence, the GNU Lesser General Public License, and Request for Comments (RFC) pages. The latest attacks targeting the UK use the text of the US Declaration of Independence to generate the botnet's command and control domain names.
“The DGA generates 5 or 10 domains per quarter. This means there are 20 or 40 candidate domain names per year. They are obtained by concatenating words or their first half as long as the domain name is composed of a minimum of 12 and a maximum of 23 characters,” says Cosoi.
Typically, attackers use Domain Generation Algorithms in malware to produce large numbers of domain names that serve as command and control points for the botnet operators. The large number of control points makes it difficult for law enforcement agencies to shut down a botnet, because the infected computers continually contact the many candidate domain names for updates and commands.
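The scheme Bitdefender describes, names built by concatenating words (or their first halves) from a public text until the label is 12 to 23 characters long, produces domains that look like real words rather than random strings, so entropy-based DGA detection misses them. The following added example (not Bitdefender's or Rovnix's code) shows a defender-side check for that pattern: it builds a vocabulary from a constructed excerpt of the Declaration of Independence and flags domains whose label can be segmented entirely into those tokens. The seed, word-selection rule and TLD handling of the real DGA are not described in the article and are not reproduced.

```python
import re
from functools import lru_cache
from typing import FrozenSet, List, Optional

# Constructed: a short excerpt of the Declaration of Independence standing in
# for the full public text the DGA is reported to draw its words from.
SOURCE_TEXT = """When in the Course of human events it becomes necessary for one
people to dissolve the political bands which have connected them with another
and to assume among the powers of the earth the separate and equal station"""

MIN_LEN, MAX_LEN = 12, 23  # label length bounds quoted by Bitdefender


def build_vocabulary(text: str, min_word_len: int = 4) -> FrozenSet[str]:
    """Words from the text plus the first half of each word, as the DGA uses.

    Halves shorter than three characters are dropped (an assumption made here
    to keep the matcher from accepting almost any string)."""
    words = {w for w in re.findall(r"[a-z]+", text.lower()) if len(w) >= min_word_len}
    halves = {w[: len(w) // 2] for w in words if len(w) // 2 >= 3}
    return frozenset(words | halves)


VOCAB = build_vocabulary(SOURCE_TEXT)


def segments(label: str, vocab: FrozenSet[str]) -> Optional[List[str]]:
    """Return one decomposition of label into vocabulary tokens, or None."""

    @lru_cache(maxsize=None)
    def solve(i: int):
        if i == len(label):
            return ()
        for j in range(i + 2, len(label) + 1):  # every token is at least 2 chars
            piece = label[i:j]
            if piece in vocab:
                rest = solve(j)
                if rest is not None:
                    return (piece,) + rest
        return None

    result = solve(0)
    return list(result) if result is not None else None


def looks_like_dictionary_dga(domain: str, vocab: FrozenSet[str] = VOCAB) -> bool:
    """True if the first label is 12-23 chars and consists only of vocabulary tokens."""
    label = domain.lower().split(".")[0]
    if not MIN_LEN <= len(label) <= MAX_LEN:
        return False
    return segments(label, vocab) is not None
```

In practice the vocabulary would be built from the full public texts named in the article, and a hit should be treated as a lead for further triage, since ordinary domains can also be word concatenations.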
Meanwhile, researchers at Bitdefender advised internet users to keep their operating systems updated and to run the latest antivirus software and other defense mechanisms that can deter such Trojans. Users should also be wary of social engineering scams that lure them into opening malicious email attachments or running unknown applications.
Top/Featured image: By Zscout370 / Wikipedia (https://commons.wikimedia.org/wiki/File:Flag_of_the_United_Kingdom.svg)