Cybercriminals have developed a new Trojan largely based on Gameover Zeus in an effort to revive the botnet that was recently disrupted by international authorities.
Gameover Zeus, the most active banking Trojan in 2013, caused losses of more than $100 million after infecting between 500,000 and 1 million computers worldwide. However, in early June, law enforcement agencies and private sector companies announced a successful operation against the botnet’s command and control (C&C) infrastructure.
On Thursday, Malcovery Security noticed three spam runs that were used to distribute the new piece of malware. The spam emails, some of them apparently coming from NatWest and M&T Bank, have been designed to trick recipients into opening a malicious .scr file contained in an archive.
Once executed, the malware uses a domain generation algorithm (DGA) to contact its C&C server. The domain names generated now are not related to the old Gameover Zeus, but according to experts, the DGA is very similar.
Another interesting aspect noted by researchers is that the new Trojan doesn’t use a Peer-to-Peer (P2P) infrastructure, like the old one, to make takedown efforts more difficult. Instead, it relies on a technique called Fast Flux, which involves an ever-changing network of compromised hosts that act as proxies in an effort to hide malware delivery and phishing websites.
“In the original GameOver Zeus, the domain generation algorithm and its associated command and control resources serves the botnet as a fallback to the peer-to-peer botnet which serves as this malware’s primary means of distributing instructions to infected machines. Using the websites associated with the domain generation algorithm the GameOver botnet operators may distribute commands to infected machines with which the peer-to-peer botnet has lost contact,” Malcovery’s Brendan Griffin and Gary Warner wrote in a blog post.
Around 7 hours after the spam runs were spotted, 10 of the 54 anti-virus engines present on VirusTotal detected the threat. However, Malcovery pointed out that the Trojan uses some mechanisms to evade sandboxes. For instance, it doesn’t run if it detects the presence of VMware Tools, and it takes between 6 and 10 minutes for the malware to randomly generate a domain name and download additional components.
The FBI and Dell SecureWorks confirmed for Malcovery that the original Gameover Zeus botnet has not been resurrected, but this new piece of malware is clear indication that the cybercriminals are not ready to give up.
“Malcovery was able to identify a number of the command-and-control hosts believed to be involved in this attempt to revive the GameOver botnet. Following contact with any of these hosts, the malware began to exhibit behaviors characteristic of the GameOver trojan—including the characteristic list of URLs and URL substrings targeted by the malware for Web injects, form-grabs, and other information stealing capabilities,” Griffin and Warner said. “This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”
The recent efforts to disrupt the Gameover Zeus botnet also impacted the notorious CryptoLocker ransomware by disrupting communications between infected hosts and the botnet. However, according to a report published by Bitdefender earlier in the week, while the ransomware is not currently active, its infrastructure is still up and running, and it’s used for other threats.
“Botnet takedowns, unless they involve putting the botmasters in jail, are not very effective,” Andrew Conway, Research Analyst at Cloudmark, told SecuritWeek.
Conway, who analyzed spam levels after the takedown, noticed an interesting trend.
“For two weeks after the takeover, the seven-day average spam volume detected by the Cloudmark Global Threat Network went down, and an increasing trend that we had seen in spam volumes through the previous couple of months has been reversed,” he said. “However, it then started to increase again, and by the end of the June was back to the levels we were seeing in late May.”
“For botmasters, newly infected machines are more valuable than machines that have been on the network for a while,” Conway explained. “There are new bank account credentials to capture, an IP address to send spam from that is not yet blacklisted, and the one-time bonus of ransomware installation. So, the value associated with a botnet depends on the rate of new infections and not the size. Taking down a botnet like GOZ did stop new infections for five whole weeks, but now that the botmasters have found a new way to spread the infection (probably renting time on some other botnet to send spam) they are back in business, and their earnings will soon be back up to previous levels.”
“Admittedly, it is hard to persuade law enforcement in Russia and the Ukraine to take action against cybercriminals who do not threaten their own citizens, but this is the only effective way to perform botnet takedowns,” Conway said.