The Sphinx Trojan is based on the source code of the infamous Zeus banking Trojan. First seen around August 2015, Sphinx has been upgraded with a new method of randomizing the domain names it uses for the command-and-control (C&C) servers to which it links.

Besides the primary domains of the C&C servers hardcoded into the Trojan, this kind of approach is designed to implement a backup method should authorities take down the primary servers.

A Simplistic Algorithm

This Domain Generation Algorithm (DGA) enables the attacker to establish non-hardcoded C&C servers and obtain domain names that only he or she knows beforehand. The malware author can then register these names for nefarious use. Many pieces of malware use DGAs to generate C&C host names. That goes for both primary and backup servers.

Arbor Networks classified this DGA as time-dependent, deterministic and arithmetic-based (TDD-A). It uses the current date as the initial seed, creates random strings of 16 characters and appends .com at the end.

The DGA generates 128 domains per day, according to Softpedia. But researchers had no problem cracking this simplistic algorithm. They even revealed the code used to figure out the domains.

Sphinx Trojan Gets Cracked

Once the researchers figured out the technique, they set up sinkholes for the Trojan. The sinkholes found only 1,230 active bots, far fewer than the millions they had assumed were out in the wild.

According to Arbor Networks, most of the bots were located in Brazil That makes sense, since an IBM X-Force report in August found that Sphinx had been used in a Brazilian bank campaign.

Now that the DGA has been cracked, authorities should be able to set up a way to track the Trojan and stop its criminal activity.