Gameover Zeus Trojan Returns

After Takedown, Criminals Launch New Version, Botnet

By Mathew J. Schwartz, July 11, 2014.
Gameover Zeus appears to have returned, just one month after an international law enforcement operation targeted the malware in a high-profile takedown operation.

A new version of the banking Trojan was spotted July 10 by security firm Malcovery Security, which says the malware was being distributed via spam campaigns launched earlier that day, disguised as communications from Essentra, a packaging company, NatWest bank and M&T Bank. On July 10, only 10 out of 54 virus scanners at VirusTotal detected the malware. By July 11, however, 24 out of 54 anti-virus programs were detecting it.

"This discovery indicates that the criminals responsible for Gameover's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history," say Malcovery Security malware analyst Brendan Griffin and chief technology officer Gary Warner in a blog post.

Indeed, the malware's resurgence follows "Operation Tovar," which was launched on May 30 by the U.S. Federal Bureau of Investigation, Europol and Britain's National Crime Agency. That operation disrupted the Gameover Zeus malware and the ransomware known as CryptoLocker. Authorities also filed an indictment against a Russian citizen accused of masterminding Gameover Zeus and CryptoLocker attacks, and launched high-profile public relations campaigns in an attempt to get consumers to identify and remediate infected devices.

Since then, security experts have been watching the cybercrime underground for signs that the malware might re-emerge, or that criminals might switch to less high-profile attack code (see "Banking Malware: New Challenger to Zeus?").

"It would have been wildly optimistic if any of us had believed that cybercriminals would roll onto their backs and give up because of the Gameover Zeus takedown," says independent computer security analyst Graham Cluley. "With their criminal income disrupted, they were inevitably going to try to find ways to still steal money from innocent computer users."

Malicious Infrastructure Reboot

Malcovery says it's confirmed with the FBI and Dell SecureWorks, which helped with the May 30 takedown, "that the original Gameover Zeus is still 'locked down.'" So it's no surprise that the new version of Gameover Zeus that's been detected is backed by a new malicious infrastructure, including fresh command-and-control servers.

"We see the bad actors trying to get around the court order," Warner says. He adds that since the newly spotted malware differs slightly from previously seen versions of Gameover Zeus, it's impossible to say if the same gang is involved. "Other researchers we shared it with today say it looks like there's a 90 percent chance it is the Gameover Zeus source code," he says. "It is the same base code - we don't know if it's the same individual - but there is so much similarity [that] they would have likely been working with the original attackers."

Fast-Flux Domains

The locked-down version of Gameover Zeus, which was first discovered in 2007, uses a peer-to-peer infrastructure to maintain contact with, receive instructions from, and exfiltrate data to its C&C servers. But the newly seen version of Gameover Zeus doesn't use P2P; instead, it uses a randomized domain generation algorithm, which launches about six to 10 minutes after a PC gets infected. "Based on the current date, random-looking domain names are calculated and the malware reaches out via the Internet to see if that domain exists," according to Malcovery's overview. If so, then the malware "phones home" to the correct C&C server.
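The date-seeded lookup described above leaves a footprint that defenders can spot in their own DNS logs: shortly after infection, one host resolves a burst of random-looking names it has never asked for before, and most of them come back NXDOMAIN because only the domain the operators actually registered exists. The following Python is an added example, not Malcovery's analysis code and not the Gameover Zeus algorithm itself; the SHA-256 date-seeding scheme, the four-column log format, the host addresses and the scoring thresholds are all constructed here for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Hypothetical date-seeded generator used only to produce realistic sample traffic.
# It is NOT the Gameover Zeus DGA; the seed scheme and TLD list are invented.
TLDS = ("com", "net", "org", "biz")


def toy_dga(day, count):
    """Return `count` pseudo-random domain names derived from the date string `day` (YYYY-MM-DD)."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).hexdigest()
        # Map pairs of hex digits onto letters to get a 13-character label.
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 26, 2))
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def shannon_entropy(s):
    """Bits of entropy per character; random labels score high, dictionary words low."""
    n = len(s)
    counts = Counter(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Parse constructed log lines of the form: <timestamp> <client> <qname> <rcode>."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines
        ts, host, qname, rcode = parts
        records.append((ts, host, qname.lower().rstrip("."), rcode.upper()))
    return records


def second_level_label(qname):
    """'www.example.com' -> 'example'; the registrable label is what a DGA randomises."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def score_hosts(records, min_queries=5, nx_ratio=0.5, min_entropy=2.8):
    """Flag clients whose queries look like DGA beaconing: many distinct, high-entropy
    second-level labels with a high NXDOMAIN rate. Thresholds are illustrative."""
    per_host = defaultdict(list)
    for _, host, qname, rcode in records:
        per_host[host].append((qname, rcode))
    results = {}
    for host, queries in per_host.items():
        labels = {second_level_label(q) for q, _ in queries}
        nx = sum(1 for _, r in queries if r == "NXDOMAIN")
        ratio = nx / len(queries)
        mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        flagged = len(queries) >= min_queries and ratio >= nx_ratio and mean_entropy >= min_entropy
        results[host] = {
            "queries": len(queries),
            "distinct_sld": len(labels),
            "nxdomain_ratio": round(ratio, 2),
            "mean_entropy": round(mean_entropy, 2),
            "flagged": flagged,
        }
    return results


def build_sample_log():
    """Constructed sample: one benign client and one client beaconing with the toy DGA."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "cdn.example.net",
              "login.example.org", "www.example.com"]
    for i, q in enumerate(benign):
        lines.append(f"2014-07-10T09:01:{i:02d} 10.0.0.5 {q} NOERROR")
    dga = toy_dga("2014-07-10", 8)
    for i, q in enumerate(dga):
        # Only the last candidate "exists" and resolves, like the registered C&C domain.
        rcode = "NOERROR" if i == len(dga) - 1 else "NXDOMAIN"
        lines.append(f"2014-07-10T09:08:{i:02d} 10.0.0.7 {q} {rcode}")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, stats in score_hosts(parse_dns_log(build_sample_log())).items():
        print(host, stats)
```

The NXDOMAIN ratio is the strongest signal here: a generator that must try many candidates per day to find the one the operators registered produces far more failed lookups than a normal client, so a resolver log (or passive DNS feed) that records response codes per client is enough to surface the beaconing host without knowing the algorithm.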

Follow Mathew J. Schwartz on Twitter: @euroinfosec
