Cyber criminals are trying to create a new botnet based on what is likely a modification of Gameover Zeus, a sophisticated Trojan program whose command-and-control infrastructure was taken over by law enforcement agencies at the beginning of June.
The Gameover Zeus malware is designed to steal log-in credentials, as well as personal and financial information from users when they access banking and other popular websites.
According to the U.S. Federal Bureau of Investigation, which took part in the Gameover botnet takedown, the Trojan program infected more than a million computers globally and led to losses of over US$100 million.
Disrupting the original botnet required special techniques and the assistance of security vendors, because unlike most Trojan programs, which use a limited number of servers and domain names for command and control, Gameover had a peer-to-peer architecture that didn’t offer a single point of failure and allowed infected computers to update each other.
The malware also had a backup mechanism that relied on a domain name generation algorithm (DGA) to ensure that computers can receive commands even when they got disconnected from the peer-to-peer network. Through this mechanism, the malware generated random-looking domain names at certain time intervals and tried to access them. Attackers were able to predict which domain names the bots will generate on a certain day, and could register one of those domains in advance to issue commands.
On Thursday, more than a month after the takedown, researchers from Malcovery Security spotted several email spam campaigns distributing a Trojan program that appears to be heavily based on the Gameover Zeus binary. The modification no longer relies on a peer-to-peer infrastructure and uses a DGA as the primary command-and-control mechanism.
“Malcovery analysts confirmed with the FBI and Dell SecureWorks that the original GameOver Zeus is still ‘locked down’,” the Malcovery researchers said Thursday in a blog post. “This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that Trojan.”
In addition to the DGA similarity, the list of URLs and strings used by the new Trojan program to decide what sites to target matches the one used by the old Gameover botnet.
“This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history,” the Malcovery researchers said.