Rovinix trojan spreading like fire, already 130,000 Windows PC’s infected in UK

The data stealing trojan ware Rovinix has hit again, this time targeting machines based in the UK. In addition to the United Kingdom, the malware has also targeted users in Germany, Italy as aslo as far as Iran. But around 87% of its targets appears to be in UK. Rovinix is suspected to be the evolution of a another trojan Carberp, which was known to target Russians.

Current Iteration

In its current form, Rovinix has been spreading through phishing emails. Although it has maintained its record of targeting Windows machines specifically instead of branching out to other OS. The malware spread via infected Andromedia downloader. Once this piece of software is run by the unknowing victim, Rovinix gets downloaded onto the system and gets to work. Its primary target has been credit card credentials.

Armour becomes weapon

What is worth noting of this iteration of the trojan is the evolution step it has undertaken. In addition to stealing data, this trojan now sends this data after encrypting it. Thus making it even harder to detect. Encryption has been touted as the new armour against spying by government agencies and a tool for privacy. Looks like the bad guys have also learned this pretty fast.

“The campaign targeting the UK proves that the Rovnix botnet is still going strong,” said Bitdefender chief security strategist Catalin Cosoi. “The switch to encrypted communications shows that this e-threat is still under active development.” The latest campaign targeting the UK uses the US Declaration of Independence as a reference when generating botnet Command & Control (C&C) domain names. Cosoi explained: “The DGA generates five or 10 domains per quarter. This means there are 20 or 40 candidate domain names per year. They are obtained by concatenating words or their first half as long as the domain name is composed of a minimum of 12 and a maximum of 23 characters.”

Past History

This trojan first surfaced around 3 and a half years back. Rovinix was also the first trojan to utilize Volume Boot Record (VBR) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widely spread banking trojan in Russia.

At the beginning of summer 2011, the first modifications of Win32/Rovnix.A were noticed, while in the middle of that summer Rovnix started to be distributed without bootkit code. And at the same time Bitdefender tracked the first testing of Command and Control (C&C) servers with a test version of Carberp using the same bootkit code as Rovnix. It may be that what we are seeing now is a new mass-testing bootkit and in the future this code may be re-used in another malware family. The Win32/Rovnix.B dropper is distributed, as in previous versions, by an affiliation program (Pay Per Install). Previously, it was mainly distributed from two domains – and

As obvious, the team behind Rovinix seems no where close to giving up and the security research firms are just about catching up.