Attacks/Breaches
7/14/2014
05:25 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New GameoverZeuS Variant Found In The Wild

A new botnet abandons peer-to-peer communication and may or may not be operated by the one disrupted by Operation Tovar last month.

There's a new variant of Gameover ZeuS (GOZeuS) in the wild, but it is a simpler version stripped of some of its most sophisticated components. It is unclear whether it is being run by some subset of the malicious actors who ran the GOZeuS botnet disrupted by law enforcement about five weeks ago.

This new variant, revealed by Malcovery on Thursday, has disbanded the peer-to-peer command-and-control infrastructure that's made previous botnets like the original Gameover ZeuS particularly resilient. P2P has been replaced with fast-flux hosting, using a domain generation algorithm (DGA) similar to the original GOZeuS's backup mechanism for when P2P didn't work.

Further, according to Sophos, the new malware doesn't make use of the Necurs rootkit. "This is an interesting move, as the rootkit was introduced as a way of making removal more difficult," Sophos said. "Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting."

Why do researchers believe this new malware is a GOZeuS variant? Malcovery said it shares 90% of its code with GOZeuS. Sophos says:

Gameover has scrambled most of its text messages (

      strings

, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.
This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.

The malware proliferates through spam proclaiming to include some sort of account information and containing a malicious PDF. Most of the currently compromised systems are in the US, India, and Singapore.

After infection, the malware attempts to connect with a command-and-control server -- either one of the fast-flux servers or an active domain in the list specified by the DGA, which generates 1,000 domains per day. "When the malware successfully contacts a live [C&C] server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80," Dell SecureWorks reported. "The use of RSA ensures bots can communicate only with attacker-controlled assets."

Source: FBI
Source: FBI

According to Malcovery:

Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan...
Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan -- including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.

Not everyone agrees that last month's efforts were a grand success, even though it seems to have delivered on its promise. As Andrew Conway, research analyst for Cloudmark, said in a comment to Krebs on Security:

Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective... For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed. However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May...
Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0485
Published: 2014-09-02
S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/.

CVE-2014-3861
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element.

CVE-2014-3862
Published: 2014-09-02
CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log.

CVE-2014-5076
Published: 2014-09-02
The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework.

CVE-2014-5136
Published: 2014-09-02
Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.