It didn’t take long for an updated version of GameOver Zeus to make some headway in rebuilding itself.
Research published today from Arbor Networks demonstrates that cybercriminals behind GameOver Zeus, which was taken down by law enforcement in early June, have renewed the botnet with at least 12,353 unique IP addresses worldwide. Arbor’s numbers come from five sinkholes it manages, and data collected periodically between July 18 and July 29.
“The steady growth of newGOZ demonstrates the resilience of the attackers to keep their botnet active,” said Dave Loftus, security analyst at Arbor Networks. “While previous efforts to disrupt the botnet have been successful, these disruptions are usually only temporary. Until law enforcement can successfully prosecute the individuals behind the botnet, we expect the growth of newGOZ to continue well into the future.”
The takedown, coordinated between the FBI and Europol, involved the seizure of servers and domains that disrupted GameOver Zeus; authorities said the same botnet was also used to distribute CryptoLocker ransomware.
GameOver Zeus is an offshoot of the virulent Zeus banking Trojan. Unlike its big brother, GameOver until recently used a decentralized peer-to-peer architecture, making it a challenge to disrupt. In a P2P architecture, commands are sent to and from individual bots rather than from a command and control server.
GameOver Zeus, like other banking malware, is used in fraud schemes and to steal banking credentials from its victims’ computers. Shortly after the takedown, researchers at Seculert spotted the newGOZ variant, which abandoned peer-to-peer communication for an updated domain generation algorithm. The DGA quickly ramped up new bots from 1,000 a week to 1,000 a day on average, according to CTO Aviv Raff.
“It uses a domain generation algorithm and a technique known as fast-fluxing to check into the criminal infrastructure. Since this DGA takes the current date and a randomly selected starting seed to create a domain name, we can predict which domains will be used in the future. With this in mind, we were able to register the domains before the attackers did, which allowed us to redirect the malware traffic to our servers to track the growth of the botnet,” Loftus said. “Once the domains were registered, the newGOZ infections checked into our servers as we expected. We were able to log the unique number of IP addresses associated with the infections and determine the locations that have been hit the hardest.”
Loftus says this gang is definitely in a rebuild mode.
“Our sinkhole data reinforces steady growth of new GameOver Zeus since we started tracking the botnet,” Loftus said. Researchers at Malcovery said in mid-July that the Cutwail botnet began distributing newGOZ via spam campaigns. “Our sinkhole data provides a first look at how successful these spam campaigns have been. Between July 21-25, we observed a 1,879 percent increase, confirming that the cybercriminals are actively rebuilding their botnet from scratch.”
Most of the victims are in the United States and India, with Internet service providers, telecommunications and education markets providing the most victims.
“Each botnet topology has advantages and disadvantages when we consider the ease of criminals building them and their resiliency against takedowns. Centralized botnets are the most simple to build, but they’re also the most vulnerable. If the command & control infrastructure is disrupted, the cybercriminals generally lose control of the botnet,” Loftus said. “P2P botnets add more complexity and usually take longer to engineer, but help withstand disruptions. With P2P botnets, every infection is a potential command & control. In the case of newGOZ, the malware no longer utilizes the P2P functionality, but generates a series of domain names using the current date and a random seed and utilizes fast-fluxing to check into the criminal infrastructure. By using this method, the botnet operators are quickly rebuilding their botnet from scratch.”
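As an added illustration of the date-plus-seed scheme Loftus describes (this is not Arbor's code and not the real newGOZ algorithm, only a stand-in model), the snippet below precomputes the domains such a DGA would produce over a date window, the same list a defender registers for a sinkhole, and then matches DNS query logs against it to flag hosts that checked in. The hashing scheme, seed values, and log format are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Stand-in DGA (assumed, NOT newGOZ's real algorithm): each domain is derived
# from the current date and a seed, so anyone who knows the seed can precompute
# tomorrow's domains today, which is what makes sinkholing possible.
TLDS = ("com", "net", "org", "biz")

def dga_domains(day: date, seed: int, count: int = 5) -> list[str]:
    """Return the `count` domains the stand-in DGA yields for `day` and `seed`."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).hexdigest()
        # 12 letters a-z taken from successive hex byte pairs of the digest
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26) for j in range(0, 24, 2))
        domains.append(f"{label}.{TLDS[int(digest[-2:], 16) % len(TLDS)]}")
    return domains

def predict_domains(start: date, days: int, seeds) -> dict[str, date]:
    """Defender side: map every domain the DGA can emit in the window to its day."""
    predicted = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for seed in seeds:
            for dom in dga_domains(day, seed):
                predicted[dom] = day
    return predicted

def find_checkins(dns_log: list[str], predicted: dict[str, date]) -> dict[str, set[str]]:
    """Flag client IPs that resolved a predicted domain: {domain: {client_ips}}."""
    hits = {}
    for line in dns_log:
        # assumed log format: "<timestamp> <client_ip> QUERY <qname>"
        parts = line.split()
        if len(parts) != 4:
            continue
        ip, qname = parts[1], parts[3].rstrip(".").lower()
        if qname in predicted:
            hits.setdefault(qname, set()).add(ip)
    return hits

def sample_log(day: date, seed: int) -> list[str]:
    """Constructed DNS log: two hosts hitting a DGA domain, one benign query."""
    bad = dga_domains(day, seed)[0]
    return [
        f"{day}T09:12:44Z 198.51.100.7 QUERY {bad}.",
        f"{day}T09:13:02Z 203.0.113.44 QUERY www.example.com.",
        f"{day}T09:15:19Z 192.0.2.18 QUERY {bad.upper()}.",
    ]

if __name__ == "__main__":
    window = predict_domains(date(2014, 7, 18), 12, seeds=[1000])
    for dom, ips in find_checkins(sample_log(date(2014, 7, 21), 1000), window).items():
        print(dom, sorted(ips))
```

Counting the distinct IPs returned per day over the window is the same measurement the article's sinkhole growth figures rest on.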