
Submission: newGOZ Spams Again - GameOver Zeus spam observed in the wild (malcovery.com)

GarWarner writes: Brendan Griffin over at Malcovery has posted a new story documenting two spam campaigns seen in the wild today that use the newGOZ Command & Control infrastructure. The first spam used the subject line "Subject: Fw: Credit Applicaiton" (sic) while the second campaign of the day used the subject line "Subject: Haun Welding Invoice". (Haun Welding is a real company in Syracuse, NY, obviously not associated with the malware.)

Four Command & Control servers, all generated by the Domain Generation Algorithm previously discussed, were observed in the wild today .. all resolving to the same IP addresses.

hmeyx8mxqrxe1uwcn5w1win68w[.]net
szaj031k3ha447pniqr1003qx6[.]org
1stze0f1u7of3z18wu4in5prafy[.]net
dwgu4j8n210w18spq9rsz0uzj[.]biz
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88

(Square brackets added to prevent malware detectors from freaking out...)

If you have network traffic headed to any of these destinations, that would be a Very Bad Thing.

Question of the Day: The C&C's are certainly set up "Fast Flux Style" — they use a 300 second Time To Live, but have held the same IP hosts all day long. That's a change from the behavior observed July 10th by this botnet (shared here as http://it.slashdot.org/story/1... ). Theories on why are welcome . . .
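The check the post asks readers to make, together with the low-TTL-but-unchanging-addresses pattern it asks about, as an added example (not code from the post or from Malcovery). The log layout, client addresses, and the `flux.example` and `cdn.example.net` names are constructed assumptions; the indicators are the ones listed above, kept defanged in the source and refanged only in memory.

```python
from collections import defaultdict

# Indicators as listed in the post, kept defanged in source and refanged in memory.
IOCS = """hmeyx8mxqrxe1uwcn5w1win68w[.]net szaj031k3ha447pniqr1003qx6[.]org
1stze0f1u7of3z18wu4in5prafy[.]net dwgu4j8n210w18spq9rsz0uzj[.]biz
178.211.41[.]246 211.108.69[.]117 4.30.111[.]88""".split()

def refang(text):
    return text.replace("[.]", ".").lower()

INDICATORS = {refang(i) for i in IOCS}

def scan(lines, low_ttl=300, window=3600):
    """Return (client -> matched indicators, low-TTL qname -> 'stable' | 'rotating')."""
    hits = defaultdict(set)
    answers = defaultdict(lambda: defaultdict(set))  # qname -> time window -> answer IPs
    max_ttl = {}
    for line in lines:
        # Assumed log layout: epoch client qname ttl answer_ip
        ts, client, qname, ttl, ip = refang(line).split()
        qname = qname.rstrip(".")  # tolerate fully qualified names
        matched = {qname, ip} & INDICATORS
        if matched:
            hits[client] |= matched
        answers[qname][int(ts) // window].add(ip)
        max_ttl[qname] = max(max_ttl.get(qname, 0), int(ttl))
    verdicts = {}
    for qname, buckets in answers.items():
        if max_ttl[qname] > low_ttl or len(buckets) < 2:
            continue  # long TTL, or too little history to judge
        sets = list(buckets.values())
        verdicts[qname] = "stable" if all(s == sets[0] for s in sets) else "rotating"
    return dict(hits), verdicts

# Constructed sample resolver log (not real traffic); clients and *.example names are made up.
SAMPLE = [
    "1405080000 192.0.2.10 hmeyx8mxqrxe1uwcn5w1win68w[.]net. 300 178.211.41[.]246",
    "1405083700 192.0.2.10 HMEYX8MXQRXE1UWCN5W1WIN68W[.]net 300 178.211.41[.]246",
    "1405080100 192.0.2.22 www.example.com 86400 198.51.100.7",
    "1405080200 192.0.2.31 flux.example 120 203.0.113.5",
    "1405084000 192.0.2.31 flux.example 120 203.0.113.99",
    "1405080300 192.0.2.40 cdn.example.net 60 4.30.111[.]88",
]

if __name__ == "__main__":
    hits, verdicts = scan(SAMPLE)
    print(hits)      # clients that touched a listed domain or IP
    print(verdicts)  # low-TTL names: same answers in every window, or changing
```

TTLs logged by a caching resolver count down between refreshes, so the 300-second threshold is applied to the largest TTL seen per name.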
