Israel-based threat detection firm Seculert has been monitoring the effects of the recent Gameover Zeus and Shylock botnet takedown operations, and found that the cybercriminals have already taken steps to resurrect their campaigns.
The international operation against Gameover Zeus, which also disrupted the CryptoLocker ransomware, was announced on June 2 by the law enforcement agencies and private sector companies that contributed to the takedown. On July 11, the United States Department of Justice provided an update saying that the “technical and legal measures undertaken to disrupt Gameover Zeus and Cryptolocker have proven successful.”
However, at around the same time, Bitdefender reported that while CryptoLocker had not been active, its infrastructure was still being used by other threats. Furthermore, researchers from Malcovery Security identified a new Trojan largely based on Gameover Zeus that appeared to be part of cybercriminals’ efforts to resurrect the botnet.
Seculert has been monitoring the evolution of the Gameover Zeus botnet and confirms there is a new variant which, unlike previous versions, doesn’t rely on a peer-to-peer (P2P) mechanism. Furthermore, the new variant has a different domain generation algorithm (DGA), which now generates 1,000 domains per day, whereas the previous variant generated only 1,000 new domains per week.
Before the takedown, roughly 25,000 to 100,000 bots communicated with the security firm’s sinkhole every day. After the operation, that number dropped significantly, but there have been signs of a comeback.
“In the last few days we have seen a surge in the number of bots communicating with our sinkhole, reaching as high as almost 10,000 infected devices. We anticipate the communications traffic to level out over time to reflect pre-takedown amounts,” Seculert CTO Aviv Raff explained in a blog post.
On July 10, several law enforcement agencies and cyber security companies announced seizing command and control servers and domains used by Shylock, a piece of financial malware that’s said to have infected at least 30,000 computers worldwide.
Seculert managed to sinkhole Shylock three days after the takedown operation was announced, and found that approximately 10,000 bots have been trying to communicate with the server every day.
Shylock and Gameover Zeus would not be the only botnets to make a comeback after a takedown operation. The Kelihos/Waledac botnet was disrupted twice in 2011 and 2012, yet the cybercriminals managed to resume their activities each time. One day after the second takedown, which took place in March 2012, Seculert identified over 70,000 devices still active in the botnet.
Seculert claims it’s not trying to question the success of these operations, but to identify the factors that determine their success. Since many of the campaigns against botnets only cripple the malware instead of completely killing it off, it’s possible that these efforts are only testing the limits of cybercriminals, Raff said.
“It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger,” the expert noted.