If you've ever watched a horror movie, you know the trope where the hero seemingly kills the monster, but as soon as he turns his back to walk away the monster regains consciousness and attacks again with renewed vigor. According to the latest report from F-Secure, that's the sort of scenario we might be looking at with the Gameover Zeus botnet.
Gameover Zeus, or GOZ, is a massive botnet that was effectively knocked out of commission through a concerted multinational effort dubbed “Operation Tovar” involving the U.S. Department of Justice, law enforcement, foreign government agencies, and private security companies. The botnet was the driving force behind CryptoLocker ransomware, which encrypts all the data on the compromised system and demands a ransom payment from the user to purchase the decryption key.
But according to Sean Sullivan, security advisor for F-Secure Labs, All Operation Tovar did was cut off the head of the botnet. The takedown took out the command-and-control structure, but compromised machines remain compromised, and the broader threat is still out there.
“The botnet was disrupted but not completely destroyed," Sullivan says. "Its creator was not arrested, is still at large, and is currently building a new botnet to replace the old.”
The concern is that a new command-and-control structure could emerge and continue to leverage the millions of compromised systems. Sullivan also suggests that a future version of GOZ could include some form of “self-destruct” bomb that automatically encrypts or erases all data on compromised PCs in the event the system is unable to communicate with the command-and-control servers within a prescribed period of time.
Gameover Zeus is not the only thing in the F-Secure Threat Report. There are plenty of interesting details like 25 new Mac threat variants, the prevalence of Android malware threats, and the fact that a significant percentage of threats appear to be web-based attacks. Download the F-Secure Threat Report H1 2014 yourself to dive into the details. For more information, you can also watch the F-Secure Labs Threat Report Google Hangouts recording.