Swiss CERT cracked the Tofsee botnet DGA

The Tofsee botnet domain generation algorithm has been cracked by the Swiss Governmental Computer Emergency Response Team. The CERT states that the malware sample was found in their malware zoo, and that they decided to take a closer look at the malware sample as it was showing DGA behavior.

During their research, they were able to create a list of domains which will be used by the Tofsee botnet. The domains which were generated, will allow the CERT and all the companies that have the IOCs to track the Tofsee botnet for 52 weeks.

They state that they contacted the registry of cctld .ch (SWITch) and the Registrar of Last Resort (RoLR), in order to make sure that the domains will not be available for registration.

Tofsee Domains that have been blocked:

dqgdqg{a..j}.{ch,biz}
dqhdqh{a..j}.{ch,biz}
dqidqi{a..j}.{ch,biz}
dqjdqj{a..j}.{ch,biz}
dqkdqk{a..j}.{ch,biz}
dqldql{a..j}.{ch,biz}
dqmdqm{a..j}.{ch,biz}
dqndqn{a..j}.{ch,biz}
dqodqo{a..j}.{ch,biz}
dqpdqp{a..j}.{ch,biz}
dqqdqq{a..j}.{ch,biz}
dqrdqr{a..j}.{ch,biz}
dqsdqs{a..j}.{ch,biz}
dqtdqt{a..j}.{ch,biz}
dqudqu{a..j}.{ch,biz}
dqvdqv{a..j}.{ch,biz}
dqwdqw{a..j}.{ch,biz}
dqxdqx{a..j}.{ch,biz}
dqydqy{a..j}.{ch,biz}
dqzdqz{a..j}.{ch,biz}
dradra{a..j}.{ch,biz}
drbdrb{a..j}.{ch,biz}
drcdrc{a..j}.{ch,biz}
drddrd{a..j}.{ch,biz}
dredre{a..j}.{ch,biz}
drfdrf{a..j}.{ch,biz}
drgdrg{a..j}.{ch,biz}
drhdrh{a..j}.{ch,biz}
dridri{a..j}.{ch,biz}
drjdrj{a..j}.{ch,biz}
drkdrk{a..j}.{ch,biz}
drldrl{a..j}.{ch,biz}
drmdrm{a..j}.{ch,biz}
drndrn{a..j}.{ch,biz}
drodro{a..j}.{ch,biz}
drpdrp{a..j}.{ch,biz}
drqdrq{a..j}.{ch,biz}
drrdrr{a..j}.{ch,biz}
drsdrs{a..j}.{ch,biz}
drtdrt{a..j}.{ch,biz}
drudru{a..j}.{ch,biz}
drvdrv{a..j}.{ch,biz}
drwdrw{a..j}.{ch,biz}
drxdrx{a..j}.{ch,biz}
drydry{a..j}.{ch,biz}
drzdrz{a..j}.{ch,biz}
dsadsa{a..j}.{ch,biz}
dsbdsb{a..j}.{ch,biz}
dscdsc{a..j}.{ch,biz}
dsddsd{a..j}.{ch,biz}
dsedse{a..j}.{ch,biz}
dsfdsf{a..j}.{ch,biz}

Share This Message