Hunting a botnet: the story of UnknownDGA17 and Mevade

During the past few weeks, João Gouveia of AnubisNetworks and I have spent many an evening hunting a botnet that João had discovered and subsequently called ‘UnknownDGA17’.
I think ‘hunting’ is the right term here, because we based our research on information from AnubisNetworks’ Cyberfeed, in particular hundreds of thousands of connections the botnet made to a sinkhole, rather than on actual malware samples. In the end, we found so many links with ‘Mevade’, a botnet (in)famous for using the Tor network for C&C communication, that we can be certain the two botnets are closely linked, if not the same. We also found that Mevade is heavily involved in bitcoin mining.
The full story is here.
