GozNym botnet included over 23,000 infected victims. The Cisco Talos team has announced today that they’ve successfully managed to sinkhole one of GozNym’s botnets and are in the process of doing the same to three others.
Researchers say they were able to divert traffic from the GozNym botnet after they managed to crack the domain name generation algorithm (DGA) used by the banking trojan to communicate with its ever-changing C&C master servers.
All banking trojans today, and other types of top-shelf malware, use DGAs to allow infected hosts to communicate with C&C servers that change on a daily basis.
Cracking the DGA is the quickest way to sinkhole malware operations
A DGA uses various input data to generate a random domain name to which the infected host connects. Because crooks know how the algorithm behaves, they know what domain name is generated every day, and will host servers on those domains in advance, in order to manage the botnet on that specific day.
If researchers manage to crack the DGA, they also know what the algorithm will generate, and can take over those domains from crooks, with the help of law enforcement, domain registrars, and hosting providers.
Something similar happened in July when researchers from Arbor Networks cracked the DGA of the Mad Max malware and sinkholed all the C&C servers it was bound to use until the end of the year, effectively taking down the botnet.
GozNym shined bright like a falling star
GozNym is a new banking trojan that appeared this year in April and is a hybrid malware family made up of code taken from the Gozi and Nymaim trojans.
The trojan established itself as a threat from the get-go, with a diverse arsenal of tools and tricks which included support for both webinjects (browser and application process injection) and redirection attacks (malicious proxy redirecting users to fake banking sites). This is something out of the ordinary, with very few banking trojans using both methods at once, usually opting just for one.
Besides being highly complex, code-wise, the trojan was also backed by vicious spam campaigns that spread their payload all over Japan, Europe, and North America.
Development on the trojan was so far ahead of other similar malware that in August, buguroo detected some features in GozNym’s code to bypass some types of behavioral biometrics defenses found on some modern banking portals.
According to data gathered from the first sinkholed botnet, Cisco says it detected 23,062 infected hosts so far, with most of them located in Germany, the US, Poland, Canada, and the UK, all classic GozNym targets.
GozNym botnet analysis (by IP per country)