A new cluster of infections by the Rovnix Trojan is raising concerns of widespread confidential data theft in the UK, warns Bitdefender. The company’s research teams have identified more than 130,000 computers infected in the country so far.
The Rovnix campaign targeting the UK is one of the most successful in recent months. It’s also one of the most accurately targeted, as 87% of the computers infected are actually in the UK. Other countries hit, such as Germany, Italy, the US and Iran, saw between 0.5% and 4% of the total infection count each.
“The campaign targeting the UK proves that the Rovnix botnet is still going strong,” said Bitdefender Chief Security Strategist, Catalin Cosoi. “The switch to encrypted communications shows that this e-threat is still under active development. We won’t see the last of it for some time yet.”
Research into the botnet’s Domain Generation Algorithm (DGA) revealed that five to 10 domains are generated per quarter, using word lists extracted from publicly available text files such as the GNU Lesser General Public License, Request for Comments (RFC) pages and specifications. Interestingly, the campaign targeting the UK uses the US Declaration of Independence as the reference text when generating Command & Control (C&C) domain names.
Catalin Cosoi continues, “The DGA generates 5 or 10 domains per quarter. This means there are 20 or 40 candidate domain names per year. They are obtained by concatenating words or their first half as long as the domain name is composed of a minimum of 12 and a maximum of 23 characters.”
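The article describes the structure of the word-list DGA but not Bitdefender’s code. As an added defender-side example (not from the article or from Bitdefender), the Python below turns that description into a DNS-log heuristic: it builds a vocabulary of words and first halves of words from a reference text, then flags query names whose first label is 12 to 23 characters long and decomposes entirely into that vocabulary. The short excerpt used as reference text, the exact half-word rule, the minimum token length and the log lines are assumptions or constructed for the example.

```python
import re
from functools import lru_cache
# Constructed stand-in for the reference text (a public-domain excerpt of the US Declaration of Independence)
REFERENCE_TEXT = """When in the Course of human events it becomes necessary for one people to dissolve
the political bands which have connected them with another and to assume among the powers of the
earth the separate and equal station to which the Laws of Nature and of Nature's God entitle them"""
MIN_LEN, MAX_LEN = 12, 23  # label length bounds quoted in the article

def build_tokens(text, min_len=3):
    # Vocabulary: whole words plus the first half of longer words (the half rule is an assumption)
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text) if len(w) >= min_len}
    halves = {w[: len(w) // 2] for w in words if len(w) // 2 >= min_len}
    return words | halves

def segment(label, tokens):
    # Split label entirely into vocabulary tokens, longest match first with backtracking; None if impossible
    n = len(label)
    @lru_cache(maxsize=None)
    def rec(i):
        if i == n:
            return ()
        for j in range(n, i, -1):
            piece = label[i:j]
            if piece in tokens:
                rest = rec(j)
                if rest is not None:
                    return (piece,) + rest
        return None
    return rec(0)

def dga_parts(domain, tokens):
    # Tokenisation of the first label when it has DGA length and decomposes fully, else None
    label = domain.lower().split(".")[0]
    if not MIN_LEN <= len(label) <= MAX_LEN:
        return None
    return segment(label, tokens)

def flag_queries(log_lines, tokens):
    # (qname, parts) for resolver log lines whose query name matches the heuristic
    hits = []
    for line in log_lines:
        m = re.search(r"query:\s*(\S+)", line)
        parts = dga_parts(m.group(1), tokens) if m else None
        if parts:
            hits.append((m.group(1), parts))
    return hits

TOKENS = build_tokens(REFERENCE_TEXT)
SAMPLE_LOG = [  # constructed resolver log lines
    "client 10.0.0.7#5353: query: separateequal.com IN A",
    "client 10.0.0.7#5353: query: www.example.com IN A"]
```

Domains built from ordinary English words will also pass this check, so treat a hit as an enrichment signal to combine with domain age and the quarterly rotation described above, not as a block rule on its own.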
Bitdefender researchers found that, while data exfiltration from infected computers to Command & Control servers was initially sent unencrypted, the latest campaigns encrypt it in transit. This lets the traffic pass conventional network security mechanisms, so the Trojan can communicate with its C&C servers undetected.
Bitdefender advises users to keep their operating systems, antivirus solutions and other software up to date and beware of social engineering scams that prompt the execution of unknown applications or code on their machines.