Security researchers have warned that over 130,000 computers in the UK have been infected with the information-stealing Rovnix trojan, in a botnet campaign specifically targeting high-value victims in the country.
Catalin Cosoi, chief security strategist at Bitdefender, told Infosecurity that the firm has observed 184,000 infected machines globally via sinkholed domains.
However, the vast majority are in the UK, raising concerns about large-scale data theft from victims there.
“It's about the money, basically – the UK is a very populous country,” Cosoi explained. “The other major campaign Bitdefender tracked was running against the Netherlands, France and Belgium. Targeting or customizing is very common, as users are easier to trick the more personalized the messaging is.”
After analyzing the botnet’s Domain Generation Algorithm, Bitdefender researchers were able to learn that five to ten domains are generated per quarter, formed by linking words extracted from text files such as the GNU Lesser General Public License, Request for Comments (RFC) pages and specifications.
Bizarrely, the UK Rovnix campaign uses the US Declaration of Independence as a reference to generate command and control (C&C) domain names, Bitdefender said.
By generating random domains the malware aims to avoid detection by pattern monitoring.
The gang behind the attacks have also made moves of late to evade detection, by encrypting communications from infected machines to the C&C servers.
Bitdefender urged users to keep operating systems, AV products and major software up to date and to be wary of social engineering tricks commonly used by attackers to execute code on their machines.
Three European Rovnix campaigns were spotted early last month by CSIS, using the US Constitution to help generate random domains.
According to Spanish AV vendor Panda Security, the third quarter of 2014 saw a staggering 20 million pieces of new malware generated, which amounts to over 227,000 each day.
It said trojans, like Rovnix, comprised the majority, accounting for 78% of all malware.