During the three weeks after Malcovery Security discovered a new Gameover Zeus variant known as newGOZ, infection rates from the mutation grew 1,879 percent, according to a blog post by researchers at Arbor Networks.
NewGOZ, which attackers use to steal banking credentials, differs from other variants in that the P2P command and control component has been removed “in favor of a new domain generation algorithm (DGA),” the blog post said.
“The DGA uses the current date and a randomly selected starting seed to create a domain name.” If the domain doesn’t work out, “the seed is incremented and the process is repeated,” the researchers wrote. “We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used.”
Date-based DGAs are ideal targets for sinkholing because they are predictable. Security researchers can “estimate the size of the botnets that use them.”
The company analyzed data from five sinkholes during the last two weeks of July to ascertain the extent of the newGOZ threat. The first, at day four, saw 127 victims followed by an 89 percent increase to 241 victims, the blog post said.
A weekend uptick revealed 429 victims, a 78 percent increase, located primarily in the eastern U.S. Then, following a large spam campaign distributing newGOZ via the Cutwail botnet as reported by Malcovery, Arbor Networks saw the number of rise 1879 percent to 8,494 victims distributed throughout the U.S.
The final sinkhole during the period actually saw a 27 percent decrease to 6,173 victims. Researchers at Arbor Networks attributed the drop to “victims cleaning themselves up form [the] last spam campaign.”
According to the blog post, the security pros are mulling the future threat posed by newGOZ, specifically whether it will continue to use the same DGA configuration, what the growth rate may be and how long the threat actor will “focus on rebuilding their botnet before they return to focusing on stealing money.”
But they expect the variant to continue to expand its reach.
“Our data confirms that newGOZ is actively being distributed and is experiencing steady growth due to the ability of the attackers to keep the botnet operational,” Dave Loftus, ASERT security research analyst at Arbor Networks, told SCMagazine.com in an email correspondence. “There have been previous attempts to disrupt the botnet, but the interferences have only been temporary.”
He said newGOZ will likely “continue to proliferate until law enforcement is able to successfully identify and prosecute the attackers.”