GozNym banking malware botnet infests 23,000, is taken down

A botnet used by the infamous banking Trojan GozNym has been taken down by a team of security researchers at Cisco Talos. The researchers cracked the malware’s domain name generation algorithm (DGA), allowing them to tap into the bot’s command and control channel and shut it down. Malware commonly uses a DGA so that infected hosts can locate their command and control servers; the generated domains are typically changed daily, derived from varying seed data, so that they are hard to predict, detect and block in advance.

“Talos developed scripts to replicate GozNym’s DGA and brute force valid IP ranges to find valid Second Stage DGA seeds,” write the researchers. “The date is non-trivially incorporated in the seeding process, so we had to brute force a new set of seed IPs for each day we wanted to sinkhole. By using a hash collision on the first domain, we could prevent GozNym victims from attempting to contact any of the other domains in the list. The machines infected with GozNym would beacon to our sinkhole server once, then get stuck in a loop with lots of sleeping and occasionally querying Google’s DNS for our sinkholed domain.”
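As an added illustration of the workflow Talos describes (replicate the DGA, brute force the seed IP for a given day, then use the day's domain list defensively), the following is example code written for this article, not Talos's scripts. The DGA here is a constructed toy stand-in, not GozNym's real algorithm, and the seed ranges, date and DNS log lines are all made up.

```python
import hashlib
import ipaddress
from datetime import date

# Constructed toy DGA for illustration only; it is NOT GozNym's real algorithm.
# As in the article, the seed is an IP address and the date is mixed into it.
TLDS = ("com", "net", "org")

def dga_domains(seed_ip, day, count=5):
    """Return the day's candidate C2 domains for one seed IP and one date."""
    seed = int(ipaddress.ip_address(seed_ip))
    state = seed ^ (day.year * 10000 + day.month * 100 + day.day)  # date mixed into seed
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{state}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out

def brute_force_seed(observed, day, ranges):
    """Recover which seed IP in the candidate ranges produced an observed domain that day."""
    for cidr in ranges:
        for ip in ipaddress.ip_network(cidr):
            if observed in dga_domains(str(ip), day):
                return str(ip)
    return None  # observed domain not produced by any seed in the searched ranges

def flag_queries(log_lines, seed_ip, day):
    """Return (client, qname) pairs whose qname is in the day's generated list."""
    today = set(dga_domains(seed_ip, day))
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()  # constructed format: "<time> <client> <qname>"
        if qname in today:
            hits.append((client, qname))
    return hits

def demo():
    day = date(2016, 4, 1)       # arbitrary date; a real sinkhole needs one seed set per day
    true_seed = "203.0.113.77"   # constructed, from a documentation address range
    gen = dga_domains(true_seed, day)
    # Constructed DNS log: two beacons to generated domains plus two benign lookups.
    logs = [f"12:00:01 10.0.0.5 {gen[0]}", "12:00:02 10.0.0.6 www.example.com",
            f"12:00:03 10.0.0.7 {gen[3]}", "12:00:04 10.0.0.5 dns.google"]
    # The defender only observed gen[0]; recover the seed by brute-forcing candidate ranges.
    seed = brute_force_seed(gen[0], day, ["192.0.2.0/24", "203.0.113.0/24"])
    hits = flag_queries(logs, seed, day) if seed else []
    return seed, hits

if __name__ == "__main__":
    print(demo())
```

Once the seed for a day is known, the full generated list can feed a DNS blocklist or sinkhole, which is the position Talos put itself in for each day it sinkholed.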

After blocking the botnet’s operations, Cisco Talos reports that it discovered 23,000 victims attached to it across the US, Germany, Poland, Canada and the UK. The researchers say they are actively looking to take down as many of the botnets as they can find; Talos knows of three others being used by GozNym distributors.
