
Submission: newGOZ Spams Again - GameOver Zeus spam observed in the wild (malcovery.com)

GarWarner writes: Brendan Griffin over at Malcovery has posted a new story documenting two spam campaigns seen in the wild today that use the newGOZ Command & Control infrastructure. The first spam used the subject line "Subject: Fw: Credit Applicaiton" (sic) while the second campaign of the day used the subject line "Subject: Haun Welding Invoice". (Haun Welding is a real company in Syracuse, NY, obviously not associated with the malware.)

Four Command & Control servers, all generated by the Domain Generation Algorithm previously discussed, were observed in the wild today, all resolving to the same IP addresses.

hmeyx8mxqrxe1uwcn5w1win68w[.]net
szaj031k3ha447pniqr1003qx6[.]org
1stze0f1u7of3z18wu4in5prafy[.]net
dwgu4j8n210w18spq9rsz0uzj[.]biz
178.211.41[.]246
211.108.69[.]117
4.30.111[.]88

(Square brackets added to prevent malware detectors from freaking out...)

If you have network traffic headed to any of these destinations, that would be a Very Bad Thing.

Question of the Day: The C&Cs are certainly set up "Fast Flux Style" — they use a 300 second Time To Live, but have held the same IP hosts all day long. That's a change from the behavior observed July 10th by this botnet (shared here as http://it.slashdot.org/story/1... ). Theories on why are welcome...
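Added here as an illustration, not part of GarWarner's submission or Malcovery's write-up: a Python snippet that refangs the indicators listed above, scans log lines for them, and classifies repeated lookups of a C2 name as genuine fast flux versus the low-TTL-but-stable pattern the post describes. The log lines and resolution timelines are constructed samples; the 192.0.2.x hosts are documentation addresses.

```python
import re
# Indicators copied from the post above, still "defanged" with [.] as published.
DEFANGED_IOCS = [
    "hmeyx8mxqrxe1uwcn5w1win68w[.]net", "szaj031k3ha447pniqr1003qx6[.]org",
    "1stze0f1u7of3z18wu4in5prafy[.]net", "dwgu4j8n210w18spq9rsz0uzj[.]biz",
    "178.211.41[.]246", "211.108.69[.]117", "4.30.111[.]88",
]

def refang(ioc):
    """Turn the published [.] form back into a matchable domain or IPv4 address."""
    return ioc.replace("[.]", ".").lower()

def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, indicator) for each log line touching a C2 name or IP.
    Names match exactly or as a subdomain; IPs only as whole dotted quads, so
    14.30.111.88 is not a false hit for 4.30.111.88."""
    clean = [refang(i) for i in iocs]
    ips = {c for c in clean if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", c)}
    domains = set(clean) - ips
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in re.findall(r"[a-z0-9.\-]+", line.lower()):
            tok = tok.rstrip(".")
            if tok in ips or tok in domains or any(tok.endswith("." + d) for d in domains):
                hits.append((n, tok))
    return hits

def classify_resolution(observations, ttl):
    """observations: [(seconds_since_first_lookup, set_of_ips), ...] for one C2
    name; ttl: its A-record TTL. Real fast flux rotates hosts about every TTL;
    the post's case (300 s TTL, same three hosts all day) is 'low-ttl-stable'."""
    ip_sets = {frozenset(ips) for _, ips in observations}
    span = observations[-1][0] - observations[0][0]
    if len(ip_sets) > 1:
        return "fast-flux"
    if ttl <= 300 and span >= 10 * ttl:
        return "low-ttl-stable"
    return "stable"

# Constructed sample data (not from the post): DNS query, flow record, near-miss IP.
SAMPLE_LOG = [
    "2014-07-21T09:00:01 dns 10.0.0.5 query www.example.com A",
    "2014-07-21T09:00:07 dns 10.0.0.9 query hmeyx8mxqrxe1uwcn5w1win68w.net A",
    "2014-07-21T09:00:09 flow 10.0.0.9:49152 -> 178.211.41.246:80 tcp",
    "2014-07-21T09:00:12 flow 10.0.0.3:49153 -> 14.30.111.88:443 tcp",
]
C2_IPS = {"178.211.41.246", "211.108.69.117", "4.30.111.88"}
STABLE_OBS = [(1800 * i, C2_IPS) for i in range(17)]           # 8 h, same hosts
FLUX_OBS = [(300 * i, {"192.0.2.%d" % i}) for i in range(6)]   # new host each TTL
```

Feeding real resolver logs or flow exports into scan_log is the practical use; classify_resolution needs periodic re-resolution of each name over a day to say anything.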
