September 29, 2016
The Cisco Talos team has announced today that they’ve successfully managed to sinkhole one of GozNym’s botnets and are in the process of doing the same to three others.
Researchers say they were able to divert traffic from the GozNym botnet after they managed to crack the domain generation algorithm (DGA) used by the banking trojan to communicate with its ever-changing C&C master servers.
All banking trojans today, and other types of top-shelf malware, use DGAs to allow infected hosts to communicate with C&C servers that change on a daily basis.
A DGA takes inputs such as the current date as a seed and generates pseudo-random domain names to which the infected host connects. Because crooks know how the algorithm behaves, they know which domain names it will generate on any given day, and register and host servers on those domains in advance, in order to manage the botnet on that specific day.
If researchers manage to crack the DGA, they also know what the algorithm will generate, and can take over those domains from crooks, with the help of law enforcement, domain registrars, and hosting providers.
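The mechanics described above, as an added example that is not GozNym's algorithm or Talos' code: a constructed, date-seeded DGA, the defender-side pre-computation of the domains it will produce over the coming days (the list handed to registrars and sinkhole operators), and a check of that list against a constructed DNS query log. The log format, IP addresses and dates are assumptions.

```python
import datetime
import hashlib

TLDS = ["com", "net", "org"]

def dga_domains(day: datetime.date, count: int = 3) -> list[str]:
    """Domains the constructed DGA yields for `day`; the date is the only input,
    so the operator and a researcher who knows the algorithm get the same list."""
    state = hashlib.sha256(day.isoformat().encode()).digest()  # date-derived seed
    domains = []
    for i in range(count):
        state = hashlib.sha256(state + bytes([i])).digest()      # next PRNG state
        length = 8 + state[0] % 8                                 # 8..15 letters
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[31] % len(TLDS)]}")
    return domains

def upcoming_domains(start: datetime.date, days: int) -> dict[str, datetime.date]:
    """Every domain from `start` for `days` days, mapped to its activation day:
    the list to register, sinkhole or block ahead of the malware."""
    predicted = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        for domain in dga_domains(day):
            predicted[domain] = day
    return predicted

def flag_dga_lookups(log_lines, start: datetime.date, days: int):
    """(client, domain, activation_day) for DNS queries that hit a predicted domain."""
    predicted = upcoming_domains(start, days)
    hits = []
    for line in log_lines:
        parts = line.split()   # constructed format: "<time> <client> query <name>"
        if len(parts) >= 4 and parts[2] == "query":
            name = parts[3].rstrip(".").lower()
            if name in predicted:
                hits.append((parts[1], name, predicted[name]))
    return hits

START = datetime.date(2016, 9, 29)  # constructed reference date
SAMPLE_LOG = [                      # constructed DNS log, not from any real network
    "2016-09-29T08:01:12 10.0.0.15 query www.example.com.",
    f"2016-09-29T08:01:13 10.0.0.15 query {dga_domains(START)[0]}.",
    f"2016-09-29T08:01:15 10.0.0.23 query {dga_domains(START + datetime.timedelta(days=2))[1]}.",
    "2016-09-29T08:02:00 10.0.0.15 query mail.example.org.",
]

if __name__ == "__main__":
    for client, domain, day in flag_dga_lookups(SAMPLE_LOG, START, 7):
        print(f"{client} queried {domain} (DGA domain for {day})")
```

The second flagged host is asking for a domain that only becomes active two days later, which is why pre-computing a window of days, not just today's list, matters for both sinkholing and detection.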
Something similar happened in July when researchers from Arbor Networks cracked the DGA of the Mad Max malware and sinkholed all the C&C servers it was bound to use until the end of the year, effectively taking down the botnet.