ThreatSTOP Blog

New DGA Targets for DNS Firewall Policy

Written by Jeremiah Jackson | May 4, 2017

ThreatSTOP’s Security Research Team has been busily tracking down new threat sources and compiling publicly shared data from multiple research teams. The result is our New Domain Generation Algorithm (DGA) target collection.

This collection of DGA threats is broken down by the malware family each is associated with, and provides coverage for all active threats as well as threats that are simply timing out because they have already been sinkholed. The following list provides summary information that will also be available in the ThreatSTOP user portal:

  • Bedep - Also known as ROZENA. This malware attempts to communicate with various AdFraud servers to access different advertisements in a hidden desktop. BEDEP contains heavy encryption and disguises itself as a Microsoft file through its properties and use of seemingly legitimate export functions.
  • Bebloh - This malware variant monitors URLs related to financial institutions designated in its configuration files. On successfully compromising a system it steals FTP credentials from the infected system.
  • Beebone - Acts as a downloader. Typically it installs another malware in a family known as Vobfus (pronounced “vee-ob-fuss”), because it is delivered in the form of heavily obfuscated, or disguised, Visual Basic code.
    Note: This botnet was shut down (https://nakedsecurity.sophos.com/2015/04/12/buh-bye-beebone-law-enforcement-kills-polymorphic-virus-spreading-botnet/) in 2015, but some remnants have still been seen as active.
  • CoreBOT - A modular Trojan from the infostealer category. As the name says, CoreBOT was initially designed to collect and loot information from infected computers and networks. In time, CoreBOT quickly evolved and went on to add other capabilities, such as browser-based web injects, real-time form-grabbing, man-in-the-middle attacks, and other advanced attacks.
  • Geodo - Also known as Emotet. This malware targets Windows machines and works in conjunction with a worm that uses email as its attack vector. Geodo is able to propagate the infection by sending out emails automatically.
  • Gozi - Spyware that monitors network traffic. It also gathers login credentials stored in browsers and mail applications using baked-in screen capture and keylogging functions. It also uses a rootkit component to hide related processes, files and registry information.
  • HesperBot - Banking trojan that has been discovered targeting online banking users in Turkey, the Czech Republic, Portugal and the United Kingdom. It uses very credible-looking phishing-like campaigns, posing as trustworthy organizations, luring victims into running the malware.
  • Kraken botnet - The world's largest botnet as of April 2008. Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. Estimated to send 9 billion spam messages per day, the botnet was a huge contributor to spam. The malware’s design allows it to evade anti-virus software, making it difficult to remediate.
  • Matsnu - Family of backdoors that can perform different commands such as downloading and executing files, self-updating, and propagating its C&C server – all of which are common to backdoors. However, one unique capability of MATSNU is its ability to lock or unlock victim computers for ransom through remotely executed commands.
  • Padcrypt - Ransomware discovered by @abuse.ch and further analyzed by MalwareHunterTeam. The first ransomware to offer a live support chat feature and uninstaller for its victims.
  • Pushdo (Also Cutwail, or Pandex) - This is a spam botnet that has been around since 2007 and survived several attempts to shut it down after being discovered in 2010. The botnet has also been recorded as having DDoS capabilities, with records pulled from attacks against SSL encrypted websites.
  • Qakbot - Multi-component threat that remains prevalent since its first emergence in 2007. It has continuously evolved to avoid easy detection and removal from an infected system.
  • Ramdo - Family of malware that performs click-fraud. Ramdo malware activity first surfaced in late 2013 and has since continued to infect machines worldwide, primarily through the use of exploit kits.
  • Volatile Cedar - An APT tool suite. It runs key and clipboard loggers and transmits the results to C&C systems for data theft and system impersonation.

As you can see, this update is pretty significant, and helps protect from a significant number of threats to our community’s security.
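To show how a per-family DGA target list like the one above is consumed by a DNS firewall, here is an added example in Python (not ThreatSTOP's code or feed format). It builds an RPZ-style (Response Policy Zone) policy in which every listed domain and its subdomains are answered with NXDOMAIN, renders it as zone records, and runs a few query-log lines through it while keeping the malware family attached to each block, so a hit tells the analyst which infection the querying client is likely carrying. That attribution is also why the sinkholed families stay in the list: a client still asking for those names is worth investigating even though the C&C is gone. Every domain name, client address and the zone origin below is a constructed placeholder.

```python
# Added example (not ThreatSTOP's code): turn a per-family DGA target list
# into an RPZ-style DNS firewall policy and apply it to sample queries.

# Constructed sample feed: malware family -> DGA domains. Every name here is
# made up for illustration; a real feed is far larger and changes daily.
DGA_TARGETS = {
    "bedep":  ["x9f3kq2ld.example", "p0rm2zvq7.example"],
    "matsnu": ["carefully-wind.example", "grasp-lawn-twice.example"],
    "pushdo": ["kzq81m.example"],
}


def normalize(name):
    """Lower-case a DNS name and drop any trailing dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")


def build_policy(targets):
    """Map each blocked domain and its wildcard form ('*.domain') to its family.

    This mirrors RPZ semantics: the bare owner name matches the exact QNAME,
    the '*.' form matches any subdomain beneath it.
    """
    policy = {}
    for family, domains in targets.items():
        for domain in domains:
            domain = normalize(domain)
            policy[domain] = family
            policy["*." + domain] = family
    return policy


def rpz_zone(targets, origin="dga.rpz.example."):
    """Render the policy as RPZ zone records; 'CNAME .' makes the resolver answer NXDOMAIN."""
    lines = [f"$ORIGIN {origin}", "$TTL 300"]
    for family in sorted(targets):
        lines.append(f"; family: {family}")
        for domain in sorted(normalize(d) for d in targets[family]):
            lines.append(f"{domain} CNAME .")
            lines.append(f"*.{domain} CNAME .")
    return "\n".join(lines) + "\n"


def lookup(policy, qname):
    """Return the family whose policy entry matches qname, or None if the query is allowed."""
    q = normalize(qname)
    if q in policy:
        return policy[q]
    labels = q.split(".")
    # Walk up the name: a.b.c.example -> *.b.c.example, *.c.example, *.example
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None


def filter_queries(policy, log_lines):
    """Apply the policy to '<client> <qname>' log lines; return the blocked hits."""
    hits = []
    for line in log_lines:
        client, qname = line.split()
        family = lookup(policy, qname)
        if family:
            hits.append((client, normalize(qname), family))
    return hits


# Constructed query log (not real traffic). Note the trailing dot, mixed case
# and the look-alike name that must NOT match.
SAMPLE_LOG = [
    "10.0.0.5 www.example",
    "10.0.0.5 x9f3kq2ld.example.",
    "10.0.0.9 cdn.Grasp-Lawn-Twice.example",
    "10.0.0.9 notkzq81m.example",
]

if __name__ == "__main__":
    pol = build_policy(DGA_TARGETS)
    print(rpz_zone(DGA_TARGETS))
    for hit in filter_queries(pol, SAMPLE_LOG):
        print("BLOCK %s -> %s (%s)" % hit)
```

The wildcard walk in `lookup` is what keeps `notkzq81m.example` from matching `kzq81m.example`: only whole-label suffixes are compared, never substrings, which is the same boundary RPZ enforces.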

These Targets will be available to all of ThreatSTOP's DNS Firewall customers – if you do not have a DNS Firewall, it’s time to upgrade. Contact us at 1-855-958-7867 or