Gameover Zeus Botnet Reanimated By Cyber Criminals
July 14, 2014


Peter Suciu for - Your Universe Online

Security researchers have warned that cyber criminals have begun to resurrect the Gameover Zeus botnet. The attempt to reanimate the botnet, a network of infected "zombie" computers that its operators can direct to steal private data such as banking credentials and to launch denial of service (DoS) attacks on banks and other financial organizations, reportedly began barely a month after malware experts and law enforcement had dismantled the previous version of the network.

In early June the United States Department of Justice (DOJ) announced that it had led a multinational action against the botnet and the CryptoLocker ransomware it was used to distribute.

Malcovery Security described the Gameover Zeus botnet as one of the most significant online threats in operation, both for stealing private data from victims and for propagating other types of dangerous malware. The programs infected hundreds of thousands of computers around the world and generated losses exceeding $100 million. When the botnet was dismantled, security experts expressed surprise that its makers had not put up a fight to keep it alive.

Apparently its creators were thinking like mad scientists and planned to reanimate the beast all along.

On Monday Krebs On Security reported that Malcovery Security had begun noticing spam "blasted out with phishing lures that included zip files booby-trapped with malware." That led the researchers to discover that the malware shares roughly 90 percent of its code with Gameover Zeus.

Krebs added that part of what made the original botnet so difficult to shut down was its reliance on advanced peer-to-peer (P2P) mechanisms to control and update the infected systems. The new malware is not technically Gameover Zeus, but rather a reanimated variant built on much of the same code.

"Malcovery analysts confirmed with the FBI and Dell SecureWorks that the original GameOver Zeus is still 'locked down.' This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy," Malcovery's Brendan Griffin and Gary Warner wrote on the company's blog last week.

In other words, the new variant drops the P2P code and instead relies on an approach known as fast-flux hosting, which, as Krebs explains, lets the botnet hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies. The hostnames stay the same while the addresses behind them rotate every few minutes, so taking down any one proxy achieves little. That could make the reanimated version of Gameover Zeus more resilient to takedowns.
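To make the fast-flux pattern concrete, here is a small added example (not code from the article, from Malcovery or from Krebs) of how a defender might spot flux behaviour in passive DNS data. The hostname, the addresses (drawn from the reserved documentation ranges), the TTLs and the thresholds are all constructed for illustration.

```python
"""Toy fast-flux detector over constructed passive-DNS records.

A fast-flux network rotates the A records behind a hostname every few
minutes, so over an observation window one name resolves to many
unrelated IPs with short TTLs. This heuristic flags names whose answers
show low TTLs and many distinct IPs spread across several /16 prefixes.
Hostnames, addresses (documentation ranges) and thresholds are made up.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int      # observation time, seconds since epoch (constructed)
    qname: str   # queried hostname
    ip: str      # A record returned
    ttl: int     # TTL of that answer in seconds


# Constructed sample: one flux-like lure host and one ordinary site.
SAMPLE_ANSWERS = [
    DnsAnswer(1405300000, "update.lure-example.net", "198.51.100.14", 300),
    DnsAnswer(1405300300, "update.lure-example.net", "203.0.113.77", 180),
    DnsAnswer(1405300600, "update.lure-example.net", "192.0.2.9", 120),
    DnsAnswer(1405300900, "update.lure-example.net", "198.51.100.201", 300),
    DnsAnswer(1405301200, "update.lure-example.net", "203.0.113.5", 240),
    DnsAnswer(1405301500, "update.lure-example.net", "192.0.2.150", 60),
    DnsAnswer(1405300000, "www.example.com", "93.184.216.34", 86400),
    DnsAnswer(1405303600, "www.example.com", "93.184.216.34", 86400),
]


def flux_stats(answers, qname):
    """Summarise the answers seen for one hostname."""
    recs = [a for a in answers if a.qname == qname]
    if not recs:
        return {"observations": 0, "distinct_ips": 0,
                "distinct_prefixes": 0, "mean_ttl": None}
    ips = {a.ip for a in recs}
    # Genuine flux nodes are compromised hosts on unrelated networks, so
    # count /16 prefixes as a crude stand-in for network diversity.
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
    return {
        "observations": len(recs),
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "mean_ttl": sum(a.ttl for a in recs) / len(recs),
    }


def is_fast_flux(answers, qname, min_ips=5, min_prefixes=3, max_mean_ttl=600):
    """Apply the (constructed) thresholds to one hostname."""
    s = flux_stats(answers, qname)
    if s["observations"] == 0:
        return False
    return (s["distinct_ips"] >= min_ips
            and s["distinct_prefixes"] >= min_prefixes
            and s["mean_ttl"] <= max_mean_ttl)


def flagged_names(answers, **thresholds):
    """Return the hostnames in `answers` that look fast-fluxed."""
    return sorted(n for n in {a.qname for a in answers}
                  if is_fast_flux(answers, n, **thresholds))


if __name__ == "__main__":
    for name in sorted({a.qname for a in SAMPLE_ANSWERS}):
        print(name, flux_stats(SAMPLE_ANSWERS, name))
    print("flagged:", flagged_names(SAMPLE_ANSWERS))
```

In practice the /16 heuristic would be replaced by ASN lookups, and a large CDN can also show many addresses with short TTLs, so a hit is a lead to investigate rather than a verdict on its own.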

The variant was also built with a domain generation algorithm (DGA), which has been described as a botnet "failsafe" that can be invoked if the botnet's normal command channel fails. It works by deterministically producing a fresh list of domain names each week: every bot computes the same list, so a bot that has lost contact tries those domains and the operators need only register one of them to regain control.
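The following is an added example, not the Gameover Zeus DGA and not code from Malcovery: a hypothetical date-seeded DGA in the same general style, together with the defender-side step the design invites, generating the coming weeks' domains ahead of time and matching them against a constructed DNS query log. The TLD list, label length, list size and log format are all assumptions.

```python
"""Hypothetical date-seeded DGA plus a defender-side matcher.

This is NOT the Gameover Zeus DGA. It reproduces the general pattern the
article describes: every bot derives the same weekly list of candidate
domains from the calendar, so a controller who registers any one of them
regains the botnet. The flip side is that a defender who has reverse
engineered the algorithm can generate the same list ahead of time and
sinkhole or block it. TLDs, label length and list size are assumptions.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz")  # assumed
LABEL_LEN = 16                        # assumed
DOMAINS_PER_WEEK = 1000               # assumed


def generate_domains(seed_date, count=DOMAINS_PER_WEEK):
    """Return the candidate domains for the ISO week containing seed_date."""
    iso_year, iso_week, _ = seed_date.isocalendar()
    domains = []
    for i in range(count):
        # Deterministic: same week and index -> same domain on every bot.
        digest = hashlib.sha256(f"{iso_year}-{iso_week}-{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_blocklist(start, weeks=4, count=DOMAINS_PER_WEEK):
    """Generate the lists for `weeks` consecutive weeks starting at `start`."""
    block = set()
    for w in range(weeks):
        block.update(generate_domains(start + timedelta(weeks=w), count))
    return block


def match_dns_log(lines, blocklist):
    """Return (client, qname) pairs whose query hits the blocklist.

    Constructed log format, one query per line: '<epoch> <client_ip> <qname>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed log: one infected host querying a generated domain, one benign
# query, one malformed line. The generated domain is taken from the list
# for the week of 14 July 2014 so the sample stays consistent with the DGA.
SAMPLE_LOG = [
    f"1405300000 10.0.0.12 {generate_domains(date(2014, 7, 14))[3]}.",
    "1405300001 10.0.0.7 www.example.com",
    "garbage line",
]

if __name__ == "__main__":
    block = precompute_blocklist(date(2014, 7, 14))
    print(f"{len(block)} domains precomputed")
    print("hits:", match_dns_log(SAMPLE_LOG, block))
```

The point of precomputing is timing: once the algorithm is known, defenders and registrars can sinkhole or refuse the upcoming domains before the bots ever query them, which is the same tactic the June takedown used against the original botnet's DGA.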

This means the botnet's creators are determined to reanimate their zombie network and won't go down without a fight.

Malcovery's Warner added, "This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history."