A new cluster of infections by the Rovnix Trojan has infected more than 130,000 Windows computers in the UK alone.
The data-stealing malware is also affecting Germany, Italy, the US and Iran to a far lesser extent - 87 per cent of the computers infected are actually in the UK, according to anti-virus firm Bitdefender.
Rovnix is a data-stealing trojan that spreads by email and infects Windows PCs. Initial versions of the malware featured the extraction of data from compromised machines using unencrypted comms but more recently this has evolved to feature encryption during broadcast.
The malware spread via e-mails infected with the Andromeda downloader. The infected attachment gets executed by an unwary user and this in turn downloads and runs Rovnix. The whole attack is designed to steal financial information, mainly credit card numbers.
The use of encryption helps the malware to behave with greater stealth, meaning it is more likely to escape undetected for longer. Recent versions of the malware have dropped the bootkit component found in earlier versions of the code.
“The campaign targeting the UK proves that the Rovnix botnet is still going strong,” said Bitdefender chief security strategist Catalin Cosoi. “The switch to encrypted communications shows that this e-threat is still under active development.”
The latest campaign targeting the UK uses the US Declaration of Independence as a reference when generating botnet Command & Control (C&C) domain names. Cosoi explained: “The DGA generates five or 10 domains per quarter. This means there are 20 or 40 candidate domain names per year. They are obtained by concatenating words or their first half as long as the domain name is composed of a minimum of 12 and a maximum of 23 characters.”
Three weeks ago Danish security consultancy CSIS separately warned about a Rovnix botnet campaign principally targeting Poland. A blog post by CSIS explaining the reincarnation of the botnet and its communications and control can be found here. ®