Over the past months, a steady increase in the number of machines infected with Rovnix has been observed in Europe. The United Kingdom is the most affected country: in one campaign, 113,051 connections from compromised systems were recorded.

Security researchers at Bitdefender have identified multiple campaigns, mostly targeting European countries, although infections have also been reported in other regions, including the United States, Iran, China and Japan.

To make the operation harder to shut down, the malware authors implemented a domain generation algorithm (DGA) that derives the command-and-control (C2) domain names from publicly accessible text, rather than hard-coding a fixed list of domains that could simply be blocked or seized.

At least six variants of the threat exist in the wild. Bitdefender was able to reverse the DGA and predict which domains Rovnix would try to contact; the researchers then sinkholed those domains and counted the connections reaching them (a count of connections, not necessarily of unique infected machines).

In the case of the UK campaign, the threat picks words of at least three letters from the US Declaration of Independence.

Other source documents Bitdefender noticed in its analysis are the GNU Lesser General Public License, request for comments (RFC) pages and product specifications: essentially any text that stays stable over time, since every infected machine and the operators' server must derive exactly the same word list.
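To make the mechanism concrete, the following is an added example written for this article, not Rovnix's code or Bitdefender's tooling. It shows the two halves of the story: a dictionary-based DGA that builds its word list from a public text using the filter the page describes (words of at least three letters), and the defender's side, which pre-computes the same domains and counts which clients query them, standing in for the sinkhole. The per-day SHA-256 seeding, two words per domain, the `.com` TLD and the DNS log format are all assumptions; only the word-filter rule comes from the page. Any stable public text (the LGPL, an RFC) can be substituted for the seed.

```python
import hashlib
import re

# Constructed sample seed text: the opening of the US Declaration of Independence
# (public domain). A real variant would fetch the full document at run time.
SEED_TEXT = """When in the Course of human events, it becomes necessary for one people
to dissolve the political bands which have connected them with another, and to assume
among the powers of the earth, the separate and equal station to which the Laws of Nature
and of Nature's God entitle them, a decent respect to the opinions of mankind requires
that they should declare the causes which impel them to the separation."""


def build_wordlist(text, min_len=3):
    """Lower-cased alphabetic tokens of at least min_len letters, deduplicated, order kept.

    Both the malware and anyone reversing it must produce exactly this list, which is
    why the seed text has to be stable: one changed word shifts every index below.
    """
    words = []
    for token in re.findall(r"[A-Za-z]+", text):
        token = token.lower()
        if len(token) >= min_len and token not in words:
            words.append(token)
    return words


def generate_domains(wordlist, day_iso, count=5, words_per_domain=2, tld="com"):
    """Return `count` candidate C2 domains for the ISO date string `day_iso`.

    Assumed scheme (not Rovnix's): hash the date plus an index, use 32-bit slices of
    the digest to pick words, concatenate them and append a fixed TLD.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        picks = []
        for j in range(words_per_domain):
            idx = int.from_bytes(digest[4 * j:4 * j + 4], "big") % len(wordlist)
            picks.append(wordlist[idx])
        domains.append("".join(picks) + "." + tld)
    return domains


def sinkhole_hits(domains, dns_log_lines):
    """Count queries per client for the predicted domains.

    Stands in for the sinkhole step: once the domains are known ahead of time, queries
    for them identify infected clients. Log format (constructed): "<ts> <client> <qname>".
    """
    wanted = set(domains)
    counts = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _, client, qname = parts
        if qname.lower().rstrip(".") in wanted:
            counts[client] = counts.get(client, 0) + 1
    return counts


def demo():
    """Generate one day's domains and match them against a constructed DNS log."""
    wordlist = build_wordlist(SEED_TEXT)
    domains = generate_domains(wordlist, "2014-11-20")  # fixed date: reproducible output
    # Constructed log: two clients query predicted domains, one client is benign.
    log = [
        f"2014-11-20T10:00:01 10.0.0.5 {domains[0]}",
        f"2014-11-20T10:00:02 10.0.0.9 {domains[0]}.",  # trailing dot, as some resolvers log it
        f"2014-11-20T10:00:03 10.0.0.5 {domains[1]}",
        "2014-11-20T10:00:04 10.0.0.7 www.example.com",
    ]
    return domains, sinkhole_hits(domains, log)


if __name__ == "__main__":
    predicted, hits = demo()
    print("predicted domains:", predicted)
    print("clients querying them:", hits)
```

The point the code makes is that whoever recovers the seed text, the word filter and the seeding rule can enumerate the domains in advance; registering or sinkholing them is then a matter of doing so before the operators do. `demo()` returns the predicted domains together with a per-client hit count, which is the raw material for figures like the connection totals quoted in this article.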

According to Bitdefender, the UK-targeted campaign also claimed victims in Iran, with 5,258 connections recorded, followed by Italy, the United States and Germany, each accounting for less than 2% of the connections indicating a compromised system.

Other campaigns focused on different countries, such as the Netherlands, France, Belgium, Spain, Bulgaria, Poland, Croatia, the Czech Republic, China, Thailand and Japan.

In terms of what it does on the victim's machine, Rovnix is a simple threat: it can display pay-per-click advertisements, show a fake BSOD (Blue Screen of Death), or display scareware pages that promote fake antivirus products and tech support scams.