Gameover Zeus Trojan Returns After Takedown, Criminals Launch New Version, Botnet

Gameover Zeus appears to have returned, just one month after an international law enforcement operation targeted the malware in a high-profile takedown operation.

See Also: Software Defined Security: Navigating the New Security Model

A new version of the banking Trojan was spotted July 10 by security firm Malcovery Security, which says the malware was being distributed via spam campaigns launched earlier that day, disguised as communications from Essentra, a packaging company, NatWest bank and M&T Bank. On July 10, only 10 out of 54 virus scanners at VirusTotal detected the malware. By July 11, however, 24 out of 54 anti-virus programs were detecting it.

"This discovery indicates that the criminals responsible for Gameover's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history," say Malcovery Security malware analyst Brendan Griffin and chief technology officer Gary Warner at in a blog post.

Indeed, the malware's resurgence follows "Operation Tovar," which was launched on May 30 by the U.S. Federal Bureau of Investigation, Europol and Britain's National Crime Agency. That operation disrupted the Gameover Zeus malware and the ransomware known as CryptoLocker. Authorities also filed an indictment against a Russian citizen accused of masterminding Gameover Zeus and CryptoLocker attacks, and launched high-profile public relations campaigns in an attempt to get consumers to identify and remediate infected devices.

Since then, security experts have been watching the cybercrime underground for signs that the malware might re-emerge, or that criminals might switch to less high-profile attack code (see "Banking Malware: New Challenger to Zeus?").

"It would have been wildly optimistic if any of us had believed that cybercriminals would roll onto their backs and give up because of the Gameover Zeus takedown," says independent computer security analyst Graham Cluley. "With their criminal income disrupted, they were inevitably going to try to find ways to still steal money from innocent computer users."

Malicious Infrastructure Reboot

Malcovery says it's confirmed with the FBI and Dell SecureWorks, which helped with the May 30 takedown, "that the original Gameover Zeus is still 'locked down.'" So it's no surprise that the new version of Gameover Zeus that's been detected is backed by a new malicious infrastructure, including fresh command-and-control servers.

"We see the bad actors trying to get around the court order," Warner says. He adds that since the newly spotted malware differs slightly from previously seen versions of Gameover Zeus, it's impossible to say if the same gang is involved. "Other researchers we shared it with today say it looks like there's a 90 percent chance it is the Gameover Zeus source code," he says. "It is the same base code - we don't know if it's the same individual - but there is so much similarity [that] they would have likely been working with the original attackers."

Fast-Flux Domains

The locked-down version of Gameover Zeus, which was first discovered in 2007, uses a peer-to-peer infrastructure to maintain contact with, receive instructions from, and exfiltrate data to its C&C servers. But the newly seen version of Gameover Zeus doesn't use P2P; instead, it uses a randomized domain generation algorithm, which launches about six to 10 minutes after a PC gets infected. "Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists," according to Malcovery's overview. If so, then the malware "phones home" to the correct C&C server.

The communications protocol in the newly discovered versions also differs from before, because it uses fast flux, in which attackers program the malware to generate just a few domain names per day, but rapidly swap out the IP addresses associated with those domain names. This approach helps attackers bypass IP-based blacklists, as well as redirect C&C communications via multiple proxy servers to better disguise their activities. "In this one, it looks like they are using fast-flux - only three domains for the day - but each one is floating around literally hundreds of IP addresses," Warner says.

Knowledge of the malware's domain-generation behavior could now be used to shut down botnet communications, should the world's global domain name players decide to get tough. "There are implications for the ICANN community: how is it that people register these ridiculous domains?" Warner asks. For example, the malware on July 10 generated the domain "cfs50p1je5ljdfs3p7n17odtuw.biz," registered via "TodayNIC.com" in China. "We may start seeing some self-policing in the registrar community," he says. "We all can even say by looking at it that it's a malware domain. What can we do to stop this?" (See Stop Breaches? Improve Internet Hygiene.)

Web Injection Attacks

Despite the new version of the malware using a different domain-generation algorithm approach, once an infected, or zombie, PC connects with the C&C server, the resulting activity looks like a classic Gameover Zeus infection. "Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the Gameover Trojan - including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities," Malcovery says.

After downloading the Web injection capabilities, Gameover Zeus can hook into Windows processes, gain direct access to raw HTTP data, and manipulate online banking screens to disguise malicious activities, such as the malware draining people's banking accounts. According to the FBI, for example, one unnamed Florida bank lost almost $7 million in a single fraudulent wire transfer initiated via a Gameover infection.

With potential fraud hauls like that, it's unlikely Gameover Zeus will go away anytime soon. "Time will tell if new versions of the malware will be as successful as those that have gone before it - we can only hope that users are getting smarter about protecting their computers," Cluley says.

(Executive Editor Tracy Kitten contributed to this story.)


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.





Around the Network