There's a new variant of Gameover ZeuS (GOZeuS) in the wild, but it is a simpler version stripped of some of its most sophisticated components. It is unclear whether it is being run by some subset of the malicious actors who ran the GOZeuS botnet disrupted by law enforcement about five weeks ago.
This new variant, revealed by Malcovery on Thursday, has disbanded the peer-to-peer command-and-control infrastructure that's made previous botnets like the original Gameover ZeuS particularly resilient. P2P has been replaced with fast-flux hosting, using a domain generation algorithm (DGA) similar to the original GOZeuS's backup mechanism for when P2P didn't work.
Further, according to Sophos, the new malware doesn't make use of the Necurs rootkit. "This is an interesting move, as the rootkit was introduced as a way of making removal more difficult," Sophos said. "Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting."
Why do researchers believe this new malware is a GOZeuS variant? Malcovery said it shares 90% of its code with GOZeuS. Sophos says:
Gameover has scrambled most of its text messages (
, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.
This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.
The malware proliferates through spam proclaiming to include some sort of account information and containing a malicious PDF. Most of the currently compromised systems are in the US, India, and Singapore.
After infection, the malware attempts to connect with a command-and-control server -- either one of the fast-flux servers or an active domain in the list specified by the DGA, which generates 1,000 domains per day. "When the malware successfully contacts a live [C&C] server, the malware sends RSA-encrypted data using an HTTP POST request on TCP port 80," Dell SecureWorks reported. "The use of RSA ensures bots can communicate only with attacker-controlled assets."
According to Malcovery:
Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down". This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan...
Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan -- including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities.
This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.
Not everyone agrees that last month's efforts were a grand success, even though it seems to have delivered on its promise. As Andrew Conway, research analyst for Cloudmark, said in a comment to Krebs on Security:
Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective... For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed. However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May...
Compare this with the recent Lecpetex takedown spearheaded by Facebook. In that case they identified the criminals and worked with law enforcement in Greece to make sure they were arrested. Lecpetex was nowhere near as big as GOZ, but now it is gone for good. Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns.