News of the Dofoil botnet's death has been greatly exaggerated. In fact, the latest Dofoil botnet is even “more dangerous and aggressive,” according to a recent blog post from Fortinet.
Also known as Smoke Loader, Dofoil has been around for a few years, but until recently no new variants of the bot had been observed, and the command-and-control servers of previous variants were no longer accessible, the blog said. That changed in September 2014, when a new variant sporting more features emerged.
Dubbed W32/Zurgop.BK!tr.dldr by Fortinet, the variant uses the same command for fetching the module list as earlier iterations, but that command is now encrypted. Among the new or improved features are anti-VM and anti-debugging checks, dropped-file and attribute updates, a double map injection technique that only surfaced in the last two years, injected code, and fake C&C traffic.