Gameover Zeus Trojan Continues Resurgence

Malware Variants Steam Ahead After 'Operation Tovar' Takedown

By Mathew J. Schwartz, August 27, 2014.

Nearly three months after the FBI, Europol and Britain's National Crime Agency launched "Operation Tovar" to successfully disrupt the botnet used to spread Gameover Zeus, the malware is making a global comeback.


The first Gameover Zeus resurgence warnings began July 10, when security experts spotted an apparent variant of the malware that was being distributed in a spam e-mail campaign (see Gameover Zeus Trojan Returns). Since then, however, the malware has continued to pick up steam.

Gameover Zeus is a Trojan designed to steal banking and other personal credentials from infected PCs. At the time of the May law enforcement takedown, the FBI estimated that between 500,000 and 1 million PCs worldwide - one-quarter of them in the United States - were infected by the malware, which the bureau says was used to steal more than $100 million.

The resurgence of the malware is a reminder that banks must watch for signs of infection on customers' PCs, as well as use fraud analytics to help spot, and block, any unusual access patterns or transaction behavior.

Brian Foster, CTO of security firm Damballa, notes in a blog post: "Over the last couple of months, Damballa observed new GoZ variants testing the waters. Initially, there was a small set of victims but that has changed in recent weeks. The number of victims is climbing but nowhere near previous levels observed with GoZ."

Denmark-based Heimdal Security likewise reports a rise in infections tied to Gameover Zeus variants. "Whether that's because they're using the old infrastructure or it's just a rise in the new variants, we're not sure," says Morten Kjaersgaard, CEO of the company, which has been tracking the success of the Gameover Zeus takedown operation. But the infection rates are much lower than before the takedown. "We see this as a move by malware manufacturers, or e-crime organizations, so that rather than doing one big piece of malware such as Gameover Zeus, they're doing several small ones to evade detection."

Despite the rise in reported infections, however, "there isn't a 'flood' of new GoZ variants," says Sean Sullivan, security adviser for F-Secure Labs in Helsinki, Finland.

Domain Generation Algorithm

The previous version of Gameover Zeus used peer-to-peer techniques to connect infected PCs with the command-and-control, or C&C, servers from which they received instructions and sent exfiltrated data. For the new variants, however, attackers have dropped P2P in favor of a complex domain-generation algorithm, which the malware uses to reach a constantly changing list of C&C servers. "The malware has been designed to dynamically look up different domain names over time, as a way to evade a lot of the prevention tools that have come to market," Foster says. Such an approach helps it evade blacklists of known-bad names.

"One of the reasons that it might be changing to DGA is because ... once the peer-to-peer infrastructure was infiltrated by authorities ... it was relatively easy to see who was infected," Kjaersgaard says. "So using a DGA is a different mystery to try to unravel; I wouldn't say it is more difficult, but it is difficult."
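The evasion described in this section, a host that keeps looking up freshly generated names most of which do not resolve, is also what gives defenders a handle on it. The following is an added illustration, not code from the article or from any vendor quoted in it: a resolver-log check that flags clients with repeated NXDOMAIN answers for high-entropy second-level labels. The log format, the sample lines and the thresholds are constructed assumptions.

```python
import math
from collections import defaultdict
# Constructed sample resolver log lines (not from the article), one per query:
# "<timestamp> <client-ip> <queried-domain> <rcode>"
SAMPLE_LOG = """\
2014-08-27T10:00:01 10.0.0.5 www.example.com NOERROR
2014-08-27T10:00:02 10.0.0.5 mail.example.com NOERROR
2014-08-27T10:00:03 10.0.0.9 xk3qv8hzlp2tnw.com NXDOMAIN
2014-08-27T10:00:03 10.0.0.9 b7ryfm2qzc9kd1.net NXDOMAIN
2014-08-27T10:00:04 10.0.0.9 pq0lw6hz3trxav.com NXDOMAIN
2014-08-27T10:00:04 10.0.0.9 m9k2zx7cqvlb4n.org NXDOMAIN
2014-08-27T10:00:05 10.0.0.9 z4tq8lvnxw1pk5.com NXDOMAIN
2014-08-27T10:00:06 10.0.0.7 login.bank-example.com NOERROR
2014-08-27T10:00:07 10.0.0.7 typo-of-a-real-site.com NXDOMAIN
"""

def shannon_entropy(label):
    """Shannon entropy (bits per character) of a domain label."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain):
    """Label just left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(log_text, min_nxdomain=3, min_entropy=3.0):
    """Return {client: (nxdomain_count, mean_entropy)} for clients whose failed
    lookups look machine-generated. Thresholds are assumed, tune per network."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        try:
            _ts, client, domain, rcode = line.split()
        except ValueError:
            continue  # skip malformed lines rather than abort the sweep
        if rcode == "NXDOMAIN":
            per_client[client].append(shannon_entropy(second_level_label(domain)))
    flagged = {}
    for client, entropies in per_client.items():
        mean_ent = sum(entropies) / len(entropies)
        if len(entropies) >= min_nxdomain and mean_ent >= min_entropy:
            flagged[client] = (len(entropies), round(mean_ent, 2))
    return flagged

if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_LOG))  # → {'10.0.0.9': (5, 3.81)}
```

A single failed lookup, such as the typo from 10.0.0.7, stays below the count threshold; what stands out is the volume of failures combined with labels that look nothing like human-chosen names.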

Malware Targets U.S., Ukraine

Earlier this month, Romania-based anti-virus firm BitDefender reported seeing two new variants of Gameover Zeus. The first, which primarily targets U.S. users, generates 10,000 related domains per day, while the second, which mainly targets users in Ukraine and Belarus, generates 1,000 domains per day.

But classifying something as a Gameover Zeus variant relies, in part, on semantics. "Depends on how you define it. The outer packaging makes for different samples but the source code that runs is the same variant - we haven't seen many modifications yet," says F-Secure's Sullivan.

Follow Mathew J. Schwartz on Twitter: @euroinfosec
