Tracking Rovnix

Over the past few months we’ve been monitoring the Rovnix botnet (other AV vendors call it papras/ursnif/gozi). We have observed as infection vectors pay per install campaigns, but also the Andromeda malware. We have analyzed the malware’s DGA, sinkholed it, and observed its communication protocol to map current infection campaigns and get an idea of the overall size of the botnet.

Domain Generation Algorithm

The DGA (Domain Generation Algorithm) generates 5 or 10 domains per 3 months. Specifically, 5 or 10 domains will be generated for each of the following group of months:

  • January, February, March
  • April, May, June
  • July, August, September
  • October, November, December

This means there are 20 or 40 candidate domain names per year. The number of the generated domains depends on the DGA version.

The domain names are obtained by concatenating words or their first half as long as the domain name is composed of minimum 12 and maximum 23 characters. Both the words contained in the domain name and its top level domain are chosen in a pseudo-random way from provided lists. The randomness is ensured by a fixed seed number and by the year and months for which the domains are being generated.

The word list is extracted from a publicly available text file, which has a very small probability of being changed in the future, like United States Declaration of Independence, GNU Lesser General Public License, Request for Comments (RFC) pages, and specifications. In order to be part of the list of candidate words, they must contain only letters and be at least 3 characters long. Before being used, they are converted to lower case.

Different versions of the malware use different files from which the words are selected. Interestingly, the versions targeting United Kingdom use the US Declaration of Independence.

For example, the domain names generated by the first version of the DGA for months January, February and March, 2014 are:


Sinkholed Domains

We have sinkholed so far one domain for each of the 6 versions we found in the wild. In the following table, the seed, the words file and the used top level domains are specified for each version.

Domain Seed Words File TLDs
taxes[removed].net 0x35678930 United States Declaration of Independence com net biz cn eu
dissour[removed].biz 0xEDBA8930 United States Declaration of Independence com net biz ru eu
bufa[removed].tk 0xEDBA8930 Netstrings Specification net com biz ru tk
operation[removed].eu 0xCE728930 United States Declaration of Independence com net biz ru eu
youorig[removed].de 0xEDBA8930 GNU Lesser General Public License com net de tk ru
specific[removed].biz 0xEDBA8930 Request for Comments (RFC) 4288 net com biz ru tk

Most domains are still valid for the bots. For example, the last four domains listed in the next table have been receiving requests only two weeks, but are still to receive them in the following two months. Because of this, the number of infected bots contacting them is still expected to increase considerably, like the ones for the first 2 domains did.

Domain Sinkholing Date Targeted Countries Total Number of Reported Infections
taxes[removed].net 04 August 2014 Netherlands, France, Belgium 27.455
dissour[removed].biz 10 September 2014 United Kingdom 129.754
bufa[removed].tk 14 October 2014 Bulgaria 11.441
operation[removed].eu 22 Octomber 2014 Poland 10.055
youorig[removed].de 22 October 2014 Bulgaria 1.630
specific[removed].biz 22 October 2014 Bulgaria 3.394

However, the countries being targeted are already obvious. Proof lies in the fact that the number of infections reported for the most infected country is much higher than the second most infected country. For illustration purposes, note the top 5 most infected countries for each version.

The following images illustrate the number of infections reported for every country, emphasizing on top 5, for each version since sinkholing date. Note how various campaigns target specific countries.

Campaign 1 (targeting Netherlands, France, and Belgium) with taxes[removed].net


Top 5 most infected countries are:

  • 1. Netherlands 9255 (33.70%)
  • 2. France 8574 (31.22%)
  • 3. Belgium 5017 (18.27%)
  • 4. Spain 1377 (5.01%)
  • 5. United Kingdom 960 (3.49%)

Campaign 2 (targeting United Kingdom) with dissour[removed].biz


Top 5 most infected countries are:

  • 1. United Kingdom 113051 (87.12%)
  • 2. Islamic Republic of Iran 5258 (4.05%)
  • 3. Italy 846 (0.65%)
  • 4. United States 838 (0.64%)
  • 5. Germany 738 (0.56%)

Campaign 3 (targeting Poland) with operation[removed].eu


Top 5 most infected countries are:

  • 1. Poland 9894 (98.39%)
  • 2. Netherlands 44 (0.43%)
  • 3. Belgium 18 (0.17%)
  • 4. France 15 (0.14%)
  • 5. Spain 13 (0.12%)

Campaign 4 (targeting Bulgaria)


Top 5 most infected countries are:

  • 1. Bulgaria: 10124 (88,48%)
  • 2. Poland: 804 (7.02%)
  • 3. United States 127 (1.11%)
  • 4. Germany 57 (0.49%)
  • 5. Japan 57 (0.49%)


Top 5 most infected countries are:

  • 1. Bulgaria 911 (55.88%)
  • 2. Germany 361 (22.14%)
  • 3. Croatia 123 (7.54%)
  • 4. Thailand 113 (6.93%)
  • 5. Japan 44 (2.69%)


Top 5 most infected countries are:

  • 1. Bulgaria 2990 (88.09%)
  • 2. United States 84 (2.47%)
  • 3. Czech Republic 82 (2.41%)
  • 4. China 69 (2.03%)
  • 5. Japan 65 (1.91%)

Communication Protocol

The last campaign seems to be the most recent one as it is the only one in which the data being reported to the Command and Control server is first encrypted and after this a base64 is applied. On the data sent by the other three campaigns, only a base64 is applied.

There are three different types of requests:

  • 1. Configuration report is performed by a request following the template: GET /c[random].php?[random]=[data] Examples of Requests for Configuration Report are as follows:
    • GET /cyxvlupmo.php?ufdmvtuyo=aIEtGpd9MKhBWZUUrwvelPSuJwdK1bOFcMrnzy4
    • GET /cvqxk.php?ocobnw=ktTqj88vJuAjSxtF4HOZsorLbs2N8Rju8E2X3tsXSKbp5r
    • GET /cmvo.php?hoayb=u0FGQmsrxiBs3Bnv5XqzhutXHNUOL/sGTjsrnM/Dvm1RHOzH
  • 2. Data upload is performed with a POST request of the following form: POST /d[random].php?[random]=[data] Examples of Requests for Data Upload are as follows:
    • POST /dnif.php?hpeup=XgbxB7thEb2GwjnpgZAf/FeQvhmXS8+ab49SE/KVXHrY+rch
    • POST /dsvcxt.php?cxwojcg=HwzlB1erUEdqX1KNVt5weqVMO8Vppsz/QYYtD/+M9SVt
    • POST /dxkxonav.php?ndicride=28pa1PWvBnTgKwbghiIRrz3q1dEuyI5kwNA/q8nQ3
  • 3. Task request consists of a GET request: GET /t[random]?[random]=[data] Examples of Requests for Task Request are as follows:
    • GET /ttckr.php?cnhl=dwI547qlLTfweO3KK9o1FFKAX5jndBzbwfY+qFXcOybdtjVn
    • GET /tslqspk.php?xahmbb=0m40k6goMx3P0QG5TsNl6OQve7IrQ53JcmBbq4MN
    • GET /tcnulkckj.php?lfekhw=ZC+d+1r9DLI1CdFep0hUkdCYmXH+udC1BVpccJ

This technique helps the malware to bypass traffic filtering / signatures.

In the case of the unencrypted requests, we can apply a base64 decoding on the [data] field and extract the information. For example, the configuration request

  • GET /cjbgaahoi.php?syeiv=YXlicGpvYWZmPWdodXllaHBxJnZlcnNpb249MjEyMzA5

results in

  • aybpjoaff=ghuyehpq&version=212309&user=df0de564d4a223b0264d48073bb956be&

while the task request

  • POST /txlv.php?hldf=d2N0Z3FhZmY9Z3JmbGd4aiZ2ZXJzaW9uPTIxMjMwOSZ1c2Vy

consists of

  • wctgqaff=grflgxj&version=212309&user=dcd4c01b9314d6903d78776af84e2fdc&

Note that the first parameter has both the name and value randomly generated which ensures that different base64 encodings / encryptions are received for the same request (that is for the same user contacting the same server with the same bot version and requesting/reporting the same data).

Bitdefender advises users to keep their operating system, antivirus solution and other software up to date and to be aware of social engineering tricks prompting them to execute code on their machines.

One Response to Tracking Rovnix