The Gameover Trojan program is back
Cybercriminals are trying to ressurect the recently disrupted Gameover Zeus botnet, researchers say
IDG News Service - Cybercriminals are trying to create a new botnet based on what is likely a modification of Gameover Zeus, a sophisticated Trojan program whose command-and-control infrastructure was taken over by law enforcement agencies at the beginning of June.
The Gameover Zeus malware is designed to steal log-in credentials, as well as personal and financial information from users when they access banking and other popular websites.
According to the U.S. Federal Bureau of Investigation, which took part in the Gameover botnet takedown, the Trojan program infected more than a million computers globally and led to losses of over US$100 million.
Disrupting the original botnet required special techniques and the assistance of security vendors, because unlike most Trojan programs, which use a limited number of servers and domain names for command and control, Gameover had a peer-to-peer architecture that didn't offer a single point of failure and allowed infected computers to update each other.
The malware also had a backup mechanism that relied on a domain name generation algorithm (DGA) to ensure that computers can receive commands even when they got disconnected from the peer-to-peer network. Through this mechanism the malware generated random-looking domain names at certain time intervals and tried to access them. Attackers were able to predict which domain names the bots will generate on a certain day, and could register one of those domains in advance to issue commands.
On Thursday, more than a month after the takedown, researchers from Malcovery Security spotted several email spam campaigns distributing a Trojan program that appears to be heavily based on the Gameover Zeus binary. The modification no longer relies on a peer-to-peer infrastructure and uses a DGA as the primary command-and-control mechanism.
"Malcovery analysts confirmed with the FBI and Dell SecureWorks that the original GameOver Zeus is still 'locked down'," the Malcovery researchers said Thursday in a blog post. "This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that Trojan."
In addition to the DGA similarity, the list of URLs and strings used by the new Trojan program to decide what sites to target matches the one used by the old Gameover botnet.
"This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history," the Malcovery researchers said.
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Malware and Vulnerabilities White Papers | Webcasts