
Revived Gameover Zeus botnet keeps growing


15 August 2014

According to a report last week from researchers at Bitdefender, there are two new Gameover Zeus (GOZ) configurations using slightly different domain name generation algorithms: one that generates 1,000 domain names per day and one that generates 10,000. By sinkholing five domains over five different days for each of the two GOZ variants, the Bitdefender researchers counted 5,907 unique IP (Internet Protocol) addresses for computers infected by the first GOZ variant, almost 84% of them from the U.S., and 4,316 IP addresses for the second variant, 70% of them from Ukraine and Belarus.

Counting IP addresses is not an accurate way of determining a botnet’s size because some computers receive a different IP address from their ISP every time they connect to the Internet. However, in the absence of better identifiers, it can at least be used as a rough estimate.
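The following sketch is an added example, not code from the article or from the researchers it cites. It shows how per-day and aggregate unique-IP counts from a sinkhole diverge when addresses churn; the log format, addresses and domains are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sinkhole log: "<date> <source IP> <requested domain>".
# Documentation-range addresses; the 198.51.100.x entries model one
# host that gets a new address from its ISP on every connection.
SAMPLE_LOG = """\
2014-07-14 192.0.2.10 dga-placeholder-1.example
2014-07-14 192.0.2.10 dga-placeholder-1.example
2014-07-14 198.51.100.7 dga-placeholder-1.example
2014-07-18 192.0.2.10 dga-placeholder-2.example
2014-07-18 198.51.100.88 dga-placeholder-2.example
2014-07-18 203.0.113.5 dga-placeholder-2.example
2014-07-22 192.0.2.10 dga-placeholder-3.example
2014-07-22 198.51.100.141 dga-placeholder-3.example
2014-07-22 203.0.113.5 dga-placeholder-3.example
2014-07-22 not-an-ip dga-placeholder-3.example
"""

def summarize(log_text):
    """Return per-day and aggregate unique source-IP counts."""
    per_day = defaultdict(set)   # date -> set of parsed addresses
    rejected = 0                 # malformed lines are counted, not trusted
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            rejected += 1
            continue
        day, src, _domain = parts
        try:
            per_day[day].add(ipaddress.ip_address(src))
        except ValueError:
            rejected += 1
    days_seen = defaultdict(int)  # address -> number of distinct days seen
    for addrs in per_day.values():
        for ip in addrs:
            days_seen[ip] += 1
    daily = {day: len(addrs) for day, addrs in sorted(per_day.items())}
    return {
        "daily_unique": daily,
        # Aggregate over all days: inflated by address churn.
        "aggregate_unique": len(days_seen),
        # Largest single-day count: less exposed to churn, misses offline hosts.
        "peak_daily_unique": max(daily.values(), default=0),
        # Addresses seen on exactly one day: candidates for churn.
        "single_day_only": sum(1 for n in days_seen.values() if n == 1),
        "rejected_lines": rejected,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

In this constructed data three hosts produce an aggregate of five unique addresses, while no single day shows more than three.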

Security researchers from Arbor Networks also sinkholed GOZ domain names in July, but did so every four days in order to determine how the botnet evolves over time.

The company observed the number of victims gradually grow from 127 on 14 July to 429 on 21 July. Then, on 25 July, following a large spam campaign that distributed the new GOZ malware, the infection count jumped to 8,494 victims, the Arbor Networks researchers said Wednesday in a blog post.

“In aggregate and over three weeks, our five sinkholes saw 12,353 unique source IPs from all corners of the globe,” the researchers said. The most affected country was the United States, with 44% of infections, they said.

For now, the creators of the new GOZ variant are focusing on rebuilding their botnet rather than stealing money from users, but it's likely only a matter of time until they return to that primary goal.

IDG News Service


TechCentral.ie