Gameover Zeus Trojan Continues Resurgence
Malware Variants Steam Ahead After 'Operation Tovar' Takedown
Nearly three months after the FBI, Europol and Britain's National Crime Agency launched "Operation Tovar" to successfully disrupt the botnet used to spread Gameover Zeus, the malware is making a global comeback.
The first Gameover Zeus resurgence warnings began July 10, when security experts spotted an apparent variant of the malware that was being distributed in a spam e-mail campaign (see Gameover Zeus Trojan Returns). Since then, however, the malware has continued to pick up steam.
Gameover Zeus is a Trojan designed to steal banking and other personal credentials from infected PCs. At the time of the May law enforcement takedown, the FBI estimated that between 500,000 and 1 million PCs worldwide - one-quarter of them in the United States - were infected by the malware, which the bureau says was used to steal more than $100 million.
The resurgence of the malware is a reminder that banks must watch for signs of infection on customers' PCs, as well as use fraud analytics to help spot, and block, any unusual access patterns or transaction behavior.
Brian Foster, CTO of security firm Damballa, notes in a blog post: "Over the last couple of months, Damballa observed new GoZ variants testing the waters. Initially, there was a small set of victims but that has changed in recent weeks. The number of victims is climbing but nowhere near previous levels observed with GoZ."
Denmark-based Heimdal Security likewise reports a rise in infections tied to Gameover Zeus variants. "Whether that's because they're using the old infrastructure or it's just a rise in the new variants, we're not sure," says Morten Kjaersgaard, CEO of the company, which has been tracking the success of the Gameover Zeus takedown operation. But the infection rates are much lower than before the takedown. "We see this as a move by malware manufacturers, or e-crime organizations, so that rather than doing one big piece of malware such as Gameover Zeus, they're doing several small ones to evade detection."
Despite the rise in reported infections, however, "there isn't a 'flood' of new GoZ variants," says Sean Sullivan, security adviser for F-Secure Labs in Helsinki, Finland.
Domain Generation Algorithm
The previous version of Gameover Zeus used peer-to-peer techniques to connect infected PCs with the command-and-control, or C&C, servers from which they received instructions and sent exfiltrated data. For the new variants, however, attackers have dropped P2P in favor of a complex domain-generation algorithm, which the malware uses to reach a constantly changing list of C&C servers. "The malware has been designed to dynamically look up different domain names over time, as a way to evade a lot of the prevention tools that have come to market," Foster says. Such an approach helps it evade blacklists of known-bad names.
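Because a DGA-infected PC looks up many names that were never registered, its DNS failures stand out even when no blacklist knows the names. The sketch below is an added example, not code from the article or the firms it quotes: it flags clients with several distinct failed lookups for long, random-looking names. The log format, the thresholds and the assumption that generated names have high-entropy labels are all illustrative.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, "<client> <queried name> <response code>"; all names are made up.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 wwww.example.com NXDOMAIN
10.0.0.7 k3v9w2ma7r5tb0ynd4cq1x8z.example NXDOMAIN
10.0.0.7 p6hj2u0fze9lq4xg7sy1mo3d.example NXDOMAIN
10.0.0.7 t8n5rb1wqa3yc7kv0zie2xu4.example NXDOMAIN
10.0.0.7 f1g9xo4dm7ps2ljh6c0yqz5a.example NXDOMAIN
10.0.0.7 b7w3ne0kz5ty9qhx2vr6ma1u.example NOERROR
10.0.0.9 intranet-portal-staging.example NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_generated(name, min_len=12, min_entropy=3.5):
    """Heuristic (assumed thresholds): long, high-entropy leftmost label."""
    label = name.lower().rstrip(".").split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_dga_clients(log_lines, min_failures=3):
    """Map each client to its distinct suspicious NXDOMAIN names,
    keeping only clients with at least min_failures of them."""
    failed = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        client, name, rcode = parts
        # Only failed lookups count: a single typo or a resolved name is not a signal.
        if rcode == "NXDOMAIN" and looks_generated(name):
            failed[client].add(name.lower())
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_failures}

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG.splitlines()).items():
        print(client, len(names), "suspicious failed lookups")
```

On real traffic the thresholds need tuning against a baseline, since CDN and telemetry hostnames can also carry long random labels.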
"One of the reasons that it might be changing to DGA is because ... once the peer-to-peer infrastructure was infiltrated by authorities ... it was relatively easy to see who was infected," Kjaersgaard says. "So using a DGA is a different mystery to try to unravel; I wouldn't say it is more difficult, but it is difficult."
Malware Targets U.S., Ukraine
Earlier this month, Romania-based anti-virus firm BitDefender reported seeing two new variants of Gameover Zeus. The first, which primarily targets U.S. users, generates 10,000 related domains per day, while the second, which mainly targets users in the Ukraine and Belarus, generates 1,000 domains per day.
But classifying something as a Zeus Gameover variant relies, in part, on semantics. "Depends on how you define it. The outer packaging makes for different samples but the source code that runs is the same variant - we haven't seen many modifications yet," says F-Secure's Sullivan.
Experts have been questioning just how long the law enforcement disruption of the Gameover Zeus gang's malicious infrastructure - C&C servers, as well as communication with infected PCs - might hold. Originally, authorities warned users that they likely had two weeks to clean Gameover Zeus and Cryptolocker off of their systems. But the disruption still appears to be holding - for now.
From a technical standpoint, the disruption wouldn't have put the attackers out of business. "Unfortunately, it's very easy for them to rebuild their infrastructure on new IP addresses and go get new domain names," says Damballa's Foster.
Or the attackers might find a way to make previously infected systems again phone home. "One of law enforcement's concerns was that the author could build a new botnet to hijack the old - still a possible concern, I'd say, as there are surely still infections of P2P GOZ in the wild," Sullivan says.
Attribution Remains Difficult
When authorities launched Operation Tovar, the U.S. Justice Department also announced a 14-count indictment against Russian citizen Evgeniy Mikhailovich Bogachev, a.k.a. Slavik, charging him with "conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet." But for now, the indictment remains largely symbolic, since Bogachev remains at large - most likely still in Russia - which has no extradition treaty with the United States.
Furthermore, it's not completely clear that the new Gameover Zeus variants are the work of the same man. But there are some signs that this is the case.
"Our analyst most familiar w/ Gameover Zeus just took a look at the latest GoZ samples. His verdict: it's very clearly the work of Slavik," says Sullivan via Twitter. "And he also said he's glad Slavik didn't make GoZ's source code public ... it's enough of a headache dealing w/ Zeus 1.0 clones as is."
Indeed, Gameover Zeus is only one of many different types of Zeus financial malware being used by cybercriminals. Since the source code for Zeus leaked in 2011, variants of the malware have become common. As of Aug. 26, the Zeus Tracker service, which tracks known Zeus servers and offers related blocklists, counted 977 Zeus C&C servers and said only 40 percent of malware being generated by those Zeus botnets was being detected by antivirus engines.
"There's always plenty of 'Zeus' around," Sullivan says.