The GameOver Zeus takedown was a major victory for government authorities against cybercriminal operations; the financial malware had reaped more than $150 million from its initial operations, and given that success it was bound to reappear.
Researchers at Seculert have identified a new GameOver Zeus variant that alters the peer-to-peer communication infrastructure used by past versions and carries an updated domain generation algorithm (DGA).
These changes have coincided with notable growth of the botnet. Where previous GameOver Zeus botnets generated 1,000 domains per week in their operations to infect users, the newest GameOver Zeus generates 1,000 domains per day, Seculert’s Adi Raff said in a blog post.
Starting in early June, the United States government, European law enforcement agencies, and private companies such as Microsoft, Abuse.ch, CrowdStrike and others coordinated the seizure of servers used by the GameOver Zeus botnet and the CryptoLocker ransomware.
The GameOver Zeus takedown was difficult because the architecture was decentralized: command-and-control (C&C) updates were passed between bots rather than served from a single centralized server. As noted above, GameOver Zeus was responsible for hundreds of millions of dollars in financial fraud. Zeus banking Trojans are known for harvesting financial data from infected users, including banking credentials and credit card numbers, and for trying to gain access to high-profile institutions.
“Having previously sinkholed GameOver ZeuS, we are able to compare the number of bots communicating with our sinkhole prior to the takedown, and those of the new variant,” Raff wrote. “In the last few days we have seen a surge in the number of bots communicating with our sinkhole; reaching as high as almost 10,000 infected devices. We anticipate the communications traffic to level out over time to reflect pre-takedown amounts.”
Botnet takedowns have been largely successful over the past couple of years, with the FBI, Europol, and software companies working together to seize servers and shut down large operations. Almost always, however, the cybercriminals bounce back with new command architectures and begin herding new victims into their botnets.
Researchers have compared the rapid resurgence of botnets to the Shylock banking malware, which was taken down by Europol, the FBI, and a number of tech companies on July 10. Shylock used man-in-the-browser attacks against a list of 60 known banking firms to steal credentials from victims. Seculert said it was able to sinkhole Shylock only three days after the takedown, and reported that nearly 10,000 bots attempted to communicate with the sinkhole on a daily basis.
Raff said in the post that the quick regeneration of botnets is nothing new. After the Kelihos.B botnet was taken down in 2011, Seculert stated that 70,000 devices were still active in the operation days after the seizures occurred; the bots continued to receive command-and-control traffic through other bots that were still infected. Kelihos.B was not inactive for long: the malware operators regained access to the sinkhole through a Facebook worm while also gaining new bots.
“We are not questioning the takedowns or discouraging future ones. Rather we are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it?” he wrote. “There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations. It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.”