05:25 PM
Connect Directly

New GameoverZeuS Variant Found In The Wild

A new botnet abandons peer-to-peer communication and may or may not be operated by the one disrupted by Operation Tovar last month.

There's a new variant of Gameover ZeuS (GOZeuS) in the wild, but it is a simpler version stripped of some of its most sophisticated components. It is unclear whether it is being run by some subset of the malicious actors who ran the GOZeuS botnet disrupted by law enforcement about five weeks ago.

This new variant, revealed by Malcovery on Thursday, has disbanded the peer-to-peer command-and-control infrastructure that's made previous botnets like the original Gameover ZeuS particularly resilient. P2P has been replaced with fast-flux hosting, using a domain generation algorithm (DGA) similar to the original GOZeuS's backup mechanism for when P2P didn't work.

Further, according to Sophos, the new malware doesn't make use of the Necurs rootkit. "This is an interesting move, as the rootkit was introduced as a way of making removal more difficult," Sophos said. "Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting."

Why do researchers believe this new malware is a GOZeuS variant? Malcovery said it shares 90% of its code with GOZeuS. Sophos says:

Gameover has scrambled most of its text messages (


, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.
This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.

The malware proliferates through spam proclaiming to include some sort of account information and containing a malicious PDF. Most of the currently compromised systems are in the US, India, and Singapore.

After infection, the malware attempts to connect with a command-and-control server -- either one of the fast-flux servers or an active domain in the list specified by the DGA, which generates 1,000 domains per day. "When the malware successfully contacts a live [C&C] server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80," Dell SecureWorks reported. "The use of RSA ensures bots can communicate only with attacker-controlled assets."

Source: FBI
Source: FBI

According to Malcovery:

Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan...
Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan -- including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.

Not everyone agrees that last month's efforts were a grand success, even though it seems to have delivered on its promise. As Andrew Conway, research analyst for Cloudmark, said in a comment to Krebs on Security:

Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective... For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed. However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May...
Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio