Attacks/Breaches

7/14/2014
05:25 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New GameoverZeuS Variant Found In The Wild

A new botnet abandons peer-to-peer communication and may or may not be operated by the one disrupted by Operation Tovar last month.

There's a new variant of Gameover ZeuS (GOZeuS) in the wild, but it is a simpler version stripped of some of its most sophisticated components. It is unclear whether it is being run by some subset of the malicious actors who ran the GOZeuS botnet disrupted by law enforcement about five weeks ago.

This new variant, revealed by Malcovery on Thursday, has disbanded the peer-to-peer command-and-control infrastructure that's made previous botnets like the original Gameover ZeuS particularly resilient. P2P has been replaced with fast-flux hosting, using a domain generation algorithm (DGA) similar to the original GOZeuS's backup mechanism for when P2P didn't work.

Further, according to Sophos, the new malware doesn't make use of the Necurs rootkit. "This is an interesting move, as the rootkit was introduced as a way of making removal more difficult," Sophos said. "Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting."

Why do researchers believe this new malware is a GOZeuS variant? Malcovery said it shares 90% of its code with GOZeuS. Sophos says:

Gameover has scrambled most of its text messages (

      strings

, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.
This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.

The malware proliferates through spam proclaiming to include some sort of account information and containing a malicious PDF. Most of the currently compromised systems are in the US, India, and Singapore.

After infection, the malware attempts to connect with a command-and-control server -- either one of the fast-flux servers or an active domain in the list specified by the DGA, which generates 1,000 domains per day. "When the malware successfully contacts a live [C&C] server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80," Dell SecureWorks reported. "The use of RSA ensures bots can communicate only with attacker-controlled assets."

Source: FBI
Source: FBI

According to Malcovery:

Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan...
Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan -- including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.

Not everyone agrees that last month's efforts were a grand success, even though it seems to have delivered on its promise. As Andrew Conway, research analyst for Cloudmark, said in a comment to Krebs on Security:

Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective... For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed. However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May...
Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.