The GameOver Zeus takedown was trumpeted as a victory against cybercrime, and for all its success, even those involved understood it was likely a temporary win.
Researchers at Seculert have spotted a new variant of GameOver Zeus that has spurned previous versions’ peer-to-peer communication infrastructure and has an updated domain generation algorithm (DGA).
The changes and updates have exponentially hiked up the botnet’s numbers. Where previously, GameOver Zeus was generating 1,000 new domains weekly, this version is doing that number on a daily basis, Seculert’s Aviv Raff wrote in a blogpost today.
In early June, a cooperative effort between U.S. and European law enforcement and private companies such as Microsoft, Abuse.ch, CrowdStrike and others resulted in the seizure of servers used by the criminals behind the GameOver Zeus botnet, the same botnet used to distribute CryptoLocker ransomware.
GameOver Zeus was a challenge because of its decentralized architecture and command and control instructions and updates sent between bots, rather than from a single command server. At its height, the botnet was responsible for millions in financial fraud losses; a stepchild of the Zeus banking malware, it too coveted banking credentials in order to steal funds from online bank accounts.
“Having previously sinkholed GameOver ZeuS, we are able to compare the number of bots communicating with our sinkhole prior to the takedown, and those of the new variant,” Raff wrote. “In the last few days we have seen a surge in the number of bots communicating with our sinkhole; reaching as high as almost 10,000 infected devices. We anticipate the communications traffic to level out over time to reflect pre-takedown amounts.”
Botnet takedowns have been championed often in the past two years as success stories by the FBI, Europol and software companies most affected by botnets, such as Microsoft. Almost always, however, the criminals re-surface with a new command infrastructure and a rejuvenated zombie army of bots. For example, a little more than a month after the GameOver Zeus takedown, new spam campaigns were spotted distributing binaries built from GameOver Zeus under the guise of phony notifications from banks and other financial organizations.
Even Shylock, another strain of banking malware that was taken down on July 10 by Europol, the FBI, GCHQ and private firms including Kaspersky Lab, has resurfaced. Shylock used man-in-the-browser attacks against a list of 60 pre-determined banks to steal credentials from its victims. Seculert said today it was able to sinkhole Shylock three days after it was taken down and reports that nearly 10,000 bots reach out to the sinkhole on a daily basis.
Raff said the quick regeneration of botnets is nothing new. After Kelihos.B was taken down in 2011, Seculert said that 70,000 devices were still active in the botnet days after the seizures and communication between infected bots and command and control continued unabated. He wonders too whether takedowns are resulting in little more than a call to arms for attackers.
“We are not questioning the takedowns or discouraging future ones. Rather we are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it?” he wrote. “There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations. It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.”