Attacks/Breaches
7/14/2014
05:25 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

New GameoverZeuS Variant Found In The Wild

A new botnet abandons peer-to-peer communication and may or may not be operated by the one disrupted by Operation Tovar last month.

There's a new variant of Gameover ZeuS (GOZeuS) in the wild, but it is a simpler version stripped of some of its most sophisticated components. It is unclear whether it is being run by some subset of the malicious actors who ran the GOZeuS botnet disrupted by law enforcement about five weeks ago.

This new variant, revealed by Malcovery on Thursday, has disbanded the peer-to-peer command-and-control infrastructure that's made previous botnets like the original Gameover ZeuS particularly resilient. P2P has been replaced with fast-flux hosting, using a domain generation algorithm (DGA) similar to the original GOZeuS's backup mechanism for when P2P didn't work.

Further, according to Sophos, the new malware doesn't make use of the Necurs rootkit. "This is an interesting move, as the rootkit was introduced as a way of making removal more difficult," Sophos said. "Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting."

Why do researchers believe this new malware is a GOZeuS variant? Malcovery said it shares 90% of its code with GOZeuS. Sophos says:

Gameover has scrambled most of its text messages (

      strings

, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.
This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.

The malware proliferates through spam proclaiming to include some sort of account information and containing a malicious PDF. Most of the currently compromised systems are in the US, India, and Singapore.

After infection, the malware attempts to connect with a command-and-control server -- either one of the fast-flux servers or an active domain in the list specified by the DGA, which generates 1,000 domains per day. "When the malware successfully contacts a live [C&C] server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80," Dell SecureWorks reported. "The use of RSA ensures bots can communicate only with attacker-controlled assets."

Source: FBI
Source: FBI

According to Malcovery:

Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan...
Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan -- including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.

Not everyone agrees that last month's efforts were a grand success, even though it seems to have delivered on its promise. As Andrew Conway, research analyst for Cloudmark, said in a comment to Krebs on Security:

Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective... For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed. However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May...
Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0103
Published: 2014-07-29
WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files.

CVE-2014-0475
Published: 2014-07-29
Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable.

CVE-2014-0889
Published: 2014-07-29
Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote atta...

CVE-2014-2226
Published: 2014-07-29
Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtains sensitive information via unspecified vectors.

CVE-2014-3020
Published: 2014-07-29
install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program.

Best of the Web
Dark Reading Radio