Incident Response, Malware, TDR

Two new Gameover Zeus variants in the wild

Just two months after international law enforcement and security companies teamed to dismantle the Gameover Zeus botnet, researchers have found two new variants of the malware in the wild.

According to Bitdefender Labs, both variants use a domain-generation algorithm (DGA), an obfuscation technique employed by the earlier versions of financial malware Gameover.

One of the variants making use of DGA has primarily impacted users in the U.S., where nearly 5,000 machines appear to be calling back to the botnet's control hub, a Wednesday blog post by Bitdefender said. The other variant has mainly affected users in Ukraine (1,854 machines) and Belarus (1,192 machines).

DGA is a method that allows infected machines to generate a list of domain names for control hub communication and, therefore, conceal the botnet's infrastructure. Bitdefender tracked the infections after sinkholing five domains for five days for each of the botnets, the post said.

On Monday, Bogdan Botezatu, senior e-threat analyst at Bitdefender, told SCMagazine.com that the “very quick” resurgence of Gameover could be even more widespread than current figures imply.

“This is only a relatively small percent of what's happening, because I'm not sure that all [infected] computers have been powered on in the meantime to get the chance to connect to our sinkhole,” Botezatu said. “When you are sinkholing domains you are just seeing computers that are trying to connect to the command-and-control center.”

Currently, it appears that the Gameover operators are doing quality assurance tasks, before engaging the botnet to carry out malicious activity like stealing banking credentials or spreading other malware, he said.

In June, the federal prosecutors unsealed a 14-count indictment against the suspected botnet administrator, Evgeniy Bogachev, accused of distributing Cryptolocker ransomware via the Gameover infrastructure.

“Even if [attackers] are not doing e-banking fraud, they can still use it to upload other things…it was the preferred mechanism to deliver Cryptolocker,” Botezatu added.

The news from Bitdefender comes after other criminals reportedly attempted to revive the Gameover Zeus botnet. Last month, researchers with Malcovery identified a new piece of malware based closely on the Gameover Zeus code, which was being delivered through phishing emails claiming to be from legitimate banks. That variant also used a new DGA list in an attempt to hide its communications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.