Threat Alert: Rovnix Evolves

Recent reporting shows that a widely distributed botnet whose source code is publicly available has become markedly more resistant to Internet security products.  The threat known as Rovnix (also detected under the names Papras, Ursnif and Gozi by other anti-virus vendors) continues to evolve into new variants that infect PCs and mobile devices.  The variant described here was first detected in April 2014.  Rovnix usually reaches a computer through other infections (droppers), unpatched security holes and software vulnerabilities.  Once installed it drops malicious files, adds registry entries and infects system files; Rovnix is a bootkit, modifying the volume boot record so that its kernel-mode driver loads before the operating system and before any security software.

Several symptoms of the infection have been identified, and users should be aware of them:

  • Internet Explorer stops responding, showing only a white screen, and then closes without warning.
  • WMI queries return n/a for every value, which causes SecureIT to report itself as invalid.
  • UAC prompts do not work properly with DirectCONNECT or other remote-support programs.

SecurityCoverage has analyzed the malware's Domain Generation Algorithm (DGA), contained it, and observed its command-and-control protocol in order to map current infection campaigns and estimate the overall size of the botnet.  The DGA produces either 5 or 10 domains per three-month period, depending on the DGA version, so a bot has only 20 or 40 candidate domain names per year.  Such a small, slowly rotating candidate set is what makes the botnet containable: once the algorithm is known, every domain for the coming year can be precomputed and registered, sinkholed or blocked in advance.
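To make the arithmetic above concrete, the following is an added example written for this page, not SecurityCoverage's analysis code and not Rovnix's actual algorithm (which is not published here). It is a hypothetical, date-seeded DGA with the same shape as the one described: a fixed number of domains per calendar quarter, with the count selected by version. The quarter-string seed, the SHA-256 label construction, the TLD list, the label length and the version names (`v1`, `v2`) are all assumptions. The defender-side function shows why the small candidate set matters: the whole year's list can be precomputed and used as a blocklist against DNS logs.

```python
import hashlib
from datetime import date

# Assumed parameters (not taken from Rovnix): candidate TLDs and label length.
TLDS = ("com", "net", "biz")
LABEL_LENGTH = 12
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# The page states the count depends on the DGA version: 5 or 10 per quarter.
# The version names are assumed.
DOMAINS_PER_QUARTER = {"v1": 5, "v2": 10}


def quarter_of(day: date) -> tuple:
    """(year, quarter) for a calendar date; the seed changes only 4 times a year."""
    return day.year, (day.month - 1) // 3 + 1


def period_seed(year: int, quarter: int) -> bytes:
    """Seed shared by every day of one quarter, e.g. b'2014Q2' (assumed format)."""
    return f"{year}Q{quarter}".encode()


def generate_domains(year: int, quarter: int, version: str) -> list:
    """Candidate C2 domains for one quarter.

    Each domain is derived deterministically from the quarter seed and an
    index, so every bot (and every analyst) computes the same list.
    """
    seed = period_seed(year, quarter)
    domains = []
    for index in range(DOMAINS_PER_QUARTER[version]):
        digest = hashlib.sha256(seed + index.to_bytes(2, "big")).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LENGTH])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def yearly_candidates(year: int, version: str) -> list:
    """Every domain a bot of this version can contact during `year`:
    four quarters x 5 (v1) or x 10 (v2), i.e. 20 or 40 domains."""
    candidates = []
    for quarter in range(1, 5):
        candidates.extend(generate_domains(year, quarter, version))
    return candidates


def is_dga_domain(domain: str, year: int) -> bool:
    """Defender-side check: does a queried name appear in any version's
    precomputed candidate list for the year?  Usable as a DNS-log filter."""
    blocklist = set()
    for version in DOMAINS_PER_QUARTER:
        blocklist.update(yearly_candidates(year, version))
    return domain.lower().rstrip(".") in blocklist


if __name__ == "__main__":
    for version in DOMAINS_PER_QUARTER:
        print(version, len(yearly_candidates(2014, version)), "candidates in 2014")
    year, quarter = quarter_of(date(2014, 4, 15))
    for name in generate_domains(year, quarter, "v1"):
        print(" ", name, "blocked:", is_dga_domain(name, year))
```

Because the seed only changes at quarter boundaries, a bot queried on any day of a quarter produces the same list, which is what allows the whole year's 20 or 40 names to be generated once and handed to a sinkhole or resolver blocklist.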

Related to this threat, we have seen an increase in call escalations affecting many of our technical-support and ISP helpdesk customers.  Our technicians have developed a removal procedure for the infection and, by applying it consistently, have reduced average handle times for these calls.

Rovnix is clearly not the work of common script kiddies; its author most likely has at least moderate knowledge of kernel-mode programming.  It poses a danger to both consumers and enterprises because it can steal passwords and record keystrokes.  Internet users should follow these recommendations to stay safe from a Rovnix infection:

  • Be cautious about opening links from people you do not know, especially on social-media sites.
  • Keep the operating system, anti-virus and other security software up to date on every PC and mobile device; an unpatched vulnerability is one of the ways Rovnix gets in.
  • Use a secure password manager such as PasswordGenie so that stored passwords are encrypted and filled in rather than typed.  A keylogger on an already infected machine can still capture the master password, so the manager complements, rather than replaces, keeping the system clean.

SecurityCoverage also advises users to be alert to social-engineering lures that prompt them to click links or download files to their device.
