ThreatSTOP Blog

DGAs For the Masses

Written by Dror Av. | December 1, 2016

At ThreatSTOP, we strive to provide our customers with the most up-to-date and accurate protection from both known and emerging threats. Using the data provided by our friends at the Qihoo 360 research team, we have constructed a target list covering over 20 identified malware families. The malware families that we will be protecting you against are:

  1. Bamital: a family of malware that intercepts web browser traffic and blocks access to certain security-related websites. Bamital variants may also modify certain legitimate Windows files in order to execute their payload.
  1. Banjori: (also: MultiBanker 2 or BankPatch).
  1. Conficker: (also: Downup, Downadup, and Kido) a computer worm that targets Windows. First detected in 2008, Conficker uses dictionary attacks and forms a botnet. When first discovered, its purpose was unknown; it simply replicated between.
  1. Cryptolocker: ransomware targeted at Windows-based systems. It encrypts certain types of files stored locally and on network-mounted drives using RSA cryptography. This feed lists the worm's DGA domains.
  1. Dircrypt: (also: Dirty) ransomware that uses DGA domains as C2 servers and was hacked by Check Point research.
  1. Dyre: malware that attempts to steal sensitive user information, particularly banking information, by intercepting it as it passes between your web browser and the target website. This malware is often distributed in scam-type phishing emails that ask the user to download a ZIP file. Dyre has the ability to bypass certain online security solutions like SSL and two-factor authentication.
  1. Fobber: Banking malware.
  1. Game Over ZeuS: (also: GOZ) successor to ZeuS; it uses encrypted P2P (based on Kademlia) to communicate with its C&C.
  1. Madmax: a targeted Trojan using DGA domains as a C2 infrastructure.
  1. Murofet: (also: LICAT) a member of the ZeuS family, it uses a DGA to determine the current C2 domain names.
  1. Necurs: widely believed to be one of the largest botnets (with 6.1 million functioning bots) and responsible for millions of dollars in losses tied to ransomware and Dridex banking Trojan infections.
  1. Nymaim: a downloader Trojan that can be used to install a variety of malware.
  1. Proslikefan: a JavaScript worm that spreads through mapped network shares, removable drives, and file-sharing applications.
  1. Pykspa: a worm that spreads through Skype Instant Messenger.
  1. Qadars: a Trojan horse that opens a back door on the compromised computer, steals information and can download files.
  1. Ramnit: a computer worm affecting Windows users. The Ramnit botnet was dismantled by Europol and Symantec in 2015. Today, this infection is estimated at 3,200,000 PCs.
  1. Shifu: a Trojan horse that opens a back door and steals information from the compromised computer.
  1. Simda: a botnet malware that has compromised more than 770,000 computers worldwide.
  1. Symmi: (also: MewsSpy and Graftor) a family of malicious Trojan horses that pretend to be legitimate applications. Once a machine is compromised, it will try to connect to the internet and contact various servers without the user's knowledge, most likely to get commands from the attacker or to download more malware.
  1. Tempedreve: a worm that spreads through removable and network drives. It is able to gather system information, take screenshots, download and execute other files and initiate Man-in-the-Browser attacks (stealing data transmitted by the browser, such as usernames and passwords).
  1. Tiny Banker Trojan: (also: Tinba) a malware program that targets the websites of financial institutions. It is a modified form of a category of viruses known as Banker Trojans, but it is much smaller in size and more powerful. It works by establishing Man-in-the-Browser attacks and network sniffing.
  1. Virut: a cybercrime malware botnet. In operation since at least 2006, it is one of the major botnets and malware distributors on the Internet. In January 2013 its operations were disrupted by the Polish organization Naukowa i Akademicka Sieć Komputerowa.

The updated target is now available under the name "DGAs supplied by 360.cn feeds". Each malware family also has its own target in ThreatSTOP's expert mode in the policy editor, so you can choose to block each one individually.
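To make concrete what a DNS-level block list of DGA domains does at the point of enforcement, here is an added example (not ThreatSTOP's code, and not the 360.cn feed format) that loads a small constructed feed of "domain family" entries, matches DNS query log lines against it by registered domain, and, for names that are not in the feed, applies a simple entropy/vowel heuristic to surface labels that look algorithmically generated. The feed entries, log lines, log format and thresholds are all constructed for illustration; the heuristic is a starting point to tune on your own traffic, not a substitute for a curated feed.

```python
"""Check DNS query logs against a DGA domain feed and flag look-alikes.

Added example for this post (not ThreatSTOP's code). The feed entries,
log lines, log format and thresholds are all constructed for illustration.
"""
import math
from collections import Counter

# Constructed sample feed: "<domain> <family>" per line, "#" starts a comment.
# A production feed would be downloaded from the provider, not embedded.
SAMPLE_FEED = """\
# constructed entries; the domains are not real indicators
xkqzvbrmtwlp.net conficker
pfjqwvnxzcdt.com cryptolocker
"""

# Constructed query log: "<timestamp> <client-ip> <queried-name>" per line.
SAMPLE_LOG = """\
2016-12-01T10:00:01Z 10.0.0.5 www.example.com
2016-12-01T10:00:02Z 10.0.0.5 a1.xkqzvbrmtwlp.net
2016-12-01T10:00:03Z 10.0.0.7 bdkqxmvrtzpw.info
2016-12-01T10:00:04Z 10.0.0.9 mail.mycompanyportal.com
this line is malformed
"""


def parse_feed(text):
    """Return {registered_domain: family} from feed text."""
    feed = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        domain = fields[0].lower().rstrip(".")
        feed[domain] = fields[1] if len(fields) > 1 else "unknown"
    return feed


def registered_domain(qname):
    """Last two labels of the name. Good enough for the sample; real code
    should consult the public suffix list (e.g. for names under co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label, min_len=10, entropy_threshold=3.5, max_vowel_ratio=0.3):
    """Heuristic for algorithmically generated labels: long, high entropy,
    few vowels. Thresholds are constructed; tune them on your own traffic."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= entropy_threshold
            and vowels / len(label) < max_vowel_ratio)


def classify_queries(log_text, feed):
    """Return a list of (client, qname, verdict, family) tuples.

    Verdicts: 'feed-match' (registered domain is in the feed, the family
    is reported), 'suspect-dga' (not in the feed but the label looks
    generated), 'allow'. Malformed lines are skipped.
    """
    results = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        _ts, client, qname = fields
        rdomain = registered_domain(qname)
        if rdomain in feed:
            results.append((client, qname, "feed-match", feed[rdomain]))
        elif looks_generated(rdomain.split(".")[0]):
            results.append((client, qname, "suspect-dga", None))
        else:
            results.append((client, qname, "allow", None))
    return results


def summarize(results):
    """Count verdicts, e.g. to alert when feed matches appear for a client."""
    return Counter(verdict for _client, _qname, verdict, _family in results)


if __name__ == "__main__":
    for row in classify_queries(SAMPLE_LOG, parse_feed(SAMPLE_FEED)):
        print(*row)
```

Feed matches take precedence over the heuristic, so a known family name is reported even when the label would also have tripped the entropy check; the heuristic only runs for names the feed does not cover, which is where unlisted DGA variants would otherwise pass unnoticed.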

Please note – we have also updated the "BOTNETS" and "Ransomware Domains" targets to include the relevant bots.

We highly recommend updating your policies to include these new threats.

If you are not currently subscribed to the ThreatSTOP DNS FW and cannot add these new targets, you can upgrade by contacting us at 1-855-958-7867 or success@threatstop.com.