In early June the U.S. Department of Justice revealed that the Gameover Zeus (GOZ) botnet had been disabled thanks to the success of a joint effort dubbed “Operation Tovar.” The celebration appears to have been premature, though, as security researchers have already discovered a resurgence of Gameover malware infections.
While the Gameover botnet has lain dormant since the takedown, a new massive spam campaign has Sophos Labs researcher James Wyke concerned the threat has returned. A blog post reveals details of why it seems to be part of the same malware family.
According to Wyke, the new threat is being spread via spam intended to look like an account statement. The message body claims the recipient’s statement for some random account number with Cards Online is now available and indicates that more information is in the attached file.
The new messages are scrambled using the same algorithm and string table that have been in use since the original Zeus source code was leaked in 2011. Some of the more sophisticated elements of previous Gameover variants—most notably the Necurs rootkit—have been removed, however. Wyke theorizes that the attackers traded the sophistication of the rootkit for a simpler attack, making it easier to remove the malware and leave no trace.
Another change is in how the botnet communicates and receives its malicious instructions. GOZ used a peer-to-peer (P2P) communication method with no central command-and-control servers. The new variant forgoes the P2P method and uses a domain generation algorithm (DGA) instead. The DGA can generate up to 1,000 domains per day, and the malware seems to be designed to wait until the last possible minute to register the domains in order to evade detection and thwart efforts to blacklist or shut down the malicious domains.
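Because most generated names are not registered when an infected host asks for them, the DGA behaviour described above tends to show up in resolver logs as a burst of failed lookups for random-looking names. The Python below is an added example, not code from Sophos or the original article, that flags that pattern; the log format, sample lines, thresholds and function names are assumptions constructed for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines: "<epoch> <client_ip> <qname> <rcode>".
# Every name uses a reserved TLD or example domain; none is a real indicator.
SAMPLE_LOG = """\
1404990000 10.0.0.5 www.example.com NOERROR
1404990004 10.0.0.5 printer.example NXDOMAIN
1404990009 10.0.0.5 internationalnews.example NXDOMAIN
1404990100 10.0.0.23 q7x2kd9fb3wz1ma8v.example NXDOMAIN
1404990101 10.0.0.23 1h8zt4pn6cyw2re0gk.example NXDOMAIN
1404990102 10.0.0.23 m3vb9qx7l2sd5jfa.example NXDOMAIN
1404990103 10.0.0.23 z0kp4wn8ry1tc6hu.example NXDOMAIN
1404990104 10.0.0.23 b5gd2xq9w7ns3kte.example NOERROR
"""

def label_entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def suspect_hosts(log_text, min_failed=3, min_entropy=3.5, min_len=12):
    """Return {client: [names]} for clients with many failed random-looking lookups.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = parts
        if rcode != "NXDOMAIN":
            continue  # only names that do not (yet) exist are of interest
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 2:
            continue
        # Simplification: treat the label left of the TLD as the registered name
        # (no public-suffix handling).
        name = labels[-2]
        if len(name) >= min_len and label_entropy(name) >= min_entropy:
            failed[client].add(".".join(labels))
    return {c: sorted(n) for c, n in failed.items() if len(n) >= min_failed}

if __name__ == "__main__":
    for client, names in suspect_hosts(SAMPLE_LOG).items():
        print(client, len(names), "failed random-looking lookups")
```

The length and entropy filters keep ordinary typos and long dictionary-word names from counting toward the per-host total, so only the host cycling through generated names is reported.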
Wyke is unsure whether this resurgence is the work of members of the original GOZ team—who managed to avoid arrest—or a result of new malware developers acquiring and building on the source code of the original.
It remains to be seen if this new Gameover campaign will be as successful as its predecessor or if it will fizzle out as a result of changing key elements that contributed to the success of the previous version. Sophos products block the new variant explicitly as Troj/HkMain-AQ and also provide proactive detection against the Gameover family as Mal/Zbot-HX, HPmal/Zbot-C, and HPmal/Zbot-F.