Hunting a botnet: the story of UnknownDGA17 and Mevade

During the past few weeks, João Gouveia of AnubisNetworks and I have spent many an evening hunting a botnet that João had discovered and subsequently called ‘UnknownDGA17’.
I think ‘hunting’ is the right term here, because we based our research on information from AnubisNetworks’ Cyberfeed, in particular hundreds of thousands of connections the botnet made to a sinkhole, rather than on actual malware samples. In the end, we found so many links to ‘Mevade’, a botnet (in)famous for using the Tor network for C&C communication, that we can be certain the two botnets are closely linked, if not the same. We also found that Mevade is heavily involved in bitcoin mining.
The full story is here.