New Trojan Used in Attempt to Resurrect Gameover Zeus Botnet

Cybercriminals have developed a new Trojan largely based on Gameover Zeus in an effort to revive the botnet that was recently disrupted by international authorities.

Gameover Zeus, the most active banking Trojan in 2013, caused losses of more than $100 million after infecting between 500,000 and 1 million computers worldwide. However, in early June, law enforcement agencies and private sector companies announced a successful operation against the botnet’s command and control (C&C) infrastructure.

On Thursday, Malcovery Security noticed three spam runs that were used to distribute the new piece of malware. The spam emails, some of them apparently coming from NatWest and M&T Bank, have been designed to trick recipients into opening a malicious .scr file contained in an archive.

Once executed, the malware uses a domain generation algorithm (DGA) to contact its C&C server. The domains it generates now are unrelated to those of the old Gameover Zeus, but according to experts, the DGA itself is very similar.

Another interesting aspect noted by researchers is that, unlike the old Trojan, the new one doesn't use a peer-to-peer (P2P) infrastructure to make takedown efforts more difficult. Instead, it relies on a technique called fast flux, in which an ever-changing network of compromised hosts acts as proxies to hide the malware delivery and phishing websites behind them.
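As an added illustration (not from the article or from Malcovery's analysis), the following defender-side heuristic runs over a few constructed passive-DNS records and flags the two C&C patterns described above: a host dialing random-looking names that mostly fail to resolve (DGA) and a name whose short-TTL answers rotate through many IPs (fast flux). The thresholds, field layout and sample data are assumptions.

```python
"""Flag DGA-style lookups and fast-flux resolution in passive-DNS records.
Heuristics and thresholds are illustrative assumptions, not Malcovery's rules."""
import math
from collections import Counter, defaultdict

# Constructed sample records: (client, qname, rcode, ttl, answer_ip)
SAMPLE_DNS = [
    ("10.0.0.5", "www.example.com", "NOERROR", 3600, "93.184.216.34"),
    ("10.0.0.5", "mail.example.com", "NOERROR", 3600, "93.184.216.35"),
    ("10.0.0.9", "qzxkvnwpfrtlgh.net", "NXDOMAIN", 0, None),
    ("10.0.0.9", "bxlrmtwqzkdvgp.org", "NXDOMAIN", 0, None),
    ("10.0.0.9", "tkzqwplvnbrxjd.com", "NXDOMAIN", 0, None),
    ("10.0.0.9", "plwnrzqkxbtvmg.biz", "NXDOMAIN", 0, None),
    ("10.0.0.9", "mrkvzwxqtplnbg.net", "NOERROR", 120, "198.51.100.7"),
    ("10.0.0.12", "update-portal.example.org", "NOERROR", 60, "203.0.113.10"),
    ("10.0.0.12", "update-portal.example.org", "NOERROR", 60, "203.0.113.45"),
    ("10.0.0.12", "update-portal.example.org", "NOERROR", 60, "198.51.100.200"),
    ("10.0.0.12", "update-portal.example.org", "NOERROR", 60, "192.0.2.77"),
    ("10.0.0.12", "update-portal.example.org", "NOERROR", 60, "203.0.113.99"),
]

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(qname):
    """Second-level label that is long, high-entropy and vowel-poor (typical DGA output)."""
    label = qname.split(".")[-2] if "." in qname else qname
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) > 3.3 and vowels / len(label) < 0.25

def dga_suspects(records, min_lookups=4, nx_ratio=0.5):
    """Hosts whose random-looking lookups mostly fail: the DGA 'dial around' pattern."""
    per_host = defaultdict(lambda: [0, 0])  # [generated-looking lookups, NXDOMAIN among them]
    for client, qname, rcode, _ttl, _ip in records:
        if looks_generated(qname):
            per_host[client][0] += 1
            per_host[client][1] += rcode == "NXDOMAIN"
    return sorted(h for h, (n, nx) in per_host.items() if n >= min_lookups and nx / n >= nx_ratio)

def fast_flux_suspects(records, max_ttl=300, min_ips=5):
    """Names resolving to many distinct IPs with short TTLs: fast-flux proxy rotation."""
    ips = defaultdict(set)
    for _client, qname, rcode, ttl, ip in records:
        if rcode == "NOERROR" and ip and ttl <= max_ttl:
            ips[qname].add(ip)
    return sorted(q for q, s in ips.items() if len(s) >= min_ips)

if __name__ == "__main__":
    print("DGA suspects:", dga_suspects(SAMPLE_DNS))
    print("Fast-flux suspects:", fast_flux_suspects(SAMPLE_DNS))
```

On real resolver logs the same two functions apply per time window; the NXDOMAIN ratio is what separates a DGA client from a host that merely visits unusual but live domains.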

“In the original GameOver Zeus, the domain generation algorithm and its associated command and control resources serve the botnet as a fallback to the peer-to-peer botnet which serves as this malware’s primary means of distributing instructions to infected machines. Using the websites associated with the domain generation algorithm the GameOver botnet operators may distribute commands to infected machines with which the peer-to-peer botnet has lost contact,” Malcovery’s Brendan Griffin and Gary Warner wrote in a blog post.

Around 7 hours after the spam runs were spotted, 10 of the 54 anti-virus engines present on VirusTotal detected the threat. However, Malcovery pointed out that the Trojan uses some mechanisms to evade sandboxes. For instance, it doesn’t run if it detects the presence of VMware Tools, and it takes between 6 and 10 minutes for the malware to randomly generate a domain name and download additional components.

The FBI and Dell SecureWorks confirmed for Malcovery that the original Gameover Zeus botnet has not been resurrected, but this new piece of malware is a clear indication that the cybercriminals are not ready to give up.

“Malcovery was able to identify a number of the command-and-control hosts believed to be involved in this attempt to revive the GameOver botnet. Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan—including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities,” Griffin and Warner said. “This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”

The recent efforts to disrupt the Gameover Zeus botnet also impacted the notorious CryptoLocker ransomware by disrupting communications between infected hosts and the botnet. However, according to a report published by Bitdefender earlier in the week, while the ransomware is not currently active, its infrastructure is still up and running, and it’s used for other threats.

“Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective,” Andrew Conway, Research Analyst at Cloudmark, told SecurityWeek.

Conway, who analyzed spam levels after the takedown, noticed an interesting trend.

“For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed,” he said. “However, it then started to increase again, and by the end of June was back to the levels we were seeing in late May.”

“For botmasters, newly infected machines are more valuable than machines that have been on the network for a while,” Conway explained. “There are new bank account credentials to capture, an IP address to send spam from that is not yet blacklisted, and the one-time bonus of ransomware installation. So, the value associated with a botnet depends on the rate of new infections and not the size. Taking down a botnet like GOZ did stop new infections for five whole weeks, but now that the botmasters have found a new way to spread the infection (probably renting time on some other botnet to send spam) they are back in business, and their earnings will soon be back up to previous levels.”

“Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns,” Conway said.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
