After Takedown, GameOver Zeus Banking Trojan Returns Again


A month after the FBI and Europol disrupted the GameOver Zeus botnet by seizing its servers, security researchers have found a new piece of malware built on the same Gameover ZeuS code that compromised users' computers and formed the original botnet.

GAMEOVER ZEUS TROJAN
The massive botnet, essentially a collection of compromised "zombie" computers, was built to steal online banking credentials. It could also launch Denial of Service (DoS) attacks against banks and other financial institutions, denying legitimate users access to the site so that fraudulent transfers stayed hidden from victims while they were carried out.
Using it, Gameover ZeuS' operators stole more than $100 million from banks, businesses and consumers worldwide.
NEW GAMEOVER ZEUS TROJAN
On Thursday, researchers at the security firm Malcovery spotted a series of new spam campaigns distributing malware based on the Gameover Zeus code. The malware arrives as an attachment to spam emails that masquerade as messages from financial institutions, including M&T Bank and NatWest.
"Today Malcovery's analysts identified a new trojan based heavily on the Gameover Zeus binary," the firm's blog post read. "It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed."
ATTACK VECTOR
Malcovery has published a full rundown of the campaign, showing that every lure email carries a zip file with a .scr file inside. A .scr (Windows screensaver) file is an ordinary executable under a different extension, so opening it runs the trojan and turns the victim's computer into another zombie. The threat is compounded by the fact that, at the time of analysis, many anti-virus products did not detect the sample.
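The attachment pattern described above (a zip wrapping a .scr, often behind a double extension such as "statement.pdf.scr") is easy to catch at the mail gateway if you look past the outer archive. The following is an added example, not Malcovery's code or anything from the campaign itself: it opens a zip in memory, flags members by executable extension and, independently, by the "MZ" header every PE file starts with, so a renamed executable is caught too. The archives and the inert fake PE payload are constructed here for illustration.

```python
import io
import os
import zipfile

# Extensions Windows runs directly on double-click. .scr (screen saver) is a
# plain PE executable under a different name, which is why spammers use it.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def check_file(name: str, head: bytes) -> list[str]:
    """Return findings for one file given its name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()  # "a.pdf.scr" -> ".scr"
    if ext in EXECUTABLE_EXTENSIONS:
        return [f"{name}: executable extension {ext}"]
    if head[:2] == PE_MAGIC:
        return [f"{name}: PE header despite non-executable extension"]
    return []


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Open a ZIP archive from memory and check every member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed, not the whole payload
            findings.extend(check_file(info.filename, head))
    return findings


def scan_attachment(name: str, data: bytes) -> list[str]:
    """Scan one attachment: archives are expanded, anything else is checked as-is."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return suspicious_members(data)
    return check_file(name, data[:2])


def build_zip(members: dict) -> bytes:
    """Helper to construct sample archives in memory (for this example only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed, inert stand-in for a PE file: DOS header magic plus stub text.
FAKE_PE = PE_MAGIC + b"\x90" * 62 + b"This program cannot be run in DOS mode."

LURE_ZIP = build_zip({"Statement_07102014.pdf.scr": FAKE_PE})  # the campaign's pattern
DISGUISED_ZIP = build_zip({"photo.jpg": FAKE_PE})               # wrong extension, real PE
BENIGN_ZIP = build_zip({"report.txt": b"quarterly figures\n"})

if __name__ == "__main__":
    for label, blob in [("lure", LURE_ZIP), ("disguised", DISGUISED_ZIP), ("benign", BENIGN_ZIP)]:
        print(label, scan_attachment("attachment.zip", blob) or "clean")
```

The two checks are deliberately independent: the extension list catches the lure as shipped, while the header check catches the obvious evasion of renaming the payload to something harmless-looking. Neither depends on an anti-virus signature, which matters given how poorly the sample was detected at the time.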

"Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a Domain Generation Algorithm (DGA). The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMware Tools will stop the malware from executing," the analysis of the malware by Brendan Griffin and Gary Warner of Malcovery says.

Other sandboxes would have missed the successful connection because the malware took between six and ten minutes to generate the one domain name that actually resolved; only then did it download the new Zeus trojan and the bank-specific 'webinject' files from that server.
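The DGA behaviour just described leaves a distinctive trace in DNS logs: one host asks for a run of random-looking names that do not exist, then one of them resolves. The following is an added example, not Malcovery's analysis code: it parses a constructed, simplified log format ("epoch client qname rcode"), scores names with a length-and-entropy heuristic, and alerts on a client with at least five such NXDOMAIN answers within a ten-minute window (matching the six-to-ten-minute figure above), reporting any generated-looking name that resolved afterwards as the likely command server. The sample log lines and thresholds are constructed for illustration, not taken from the campaign.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed log format for this example: "<epoch> <client_ip> <qname> <rcode>".
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

# Constructed sample: 10.0.0.5 browses normally; 10.0.0.9 walks through random
# candidate domains for about seven minutes until one of them resolves.
SAMPLE_LOG = """\
1405000000 10.0.0.5 www.example.com NOERROR
1405000030 10.0.0.5 mail.example.com NOERROR
1405000060 10.0.0.5 thehackernews.com NOERROR
1405000090 10.0.0.5 www.examlpe.com NXDOMAIN
1405000100 10.0.0.9 qwpzkfjdgrtsa.biz NXDOMAIN
1405000160 10.0.0.9 mvbnxzlkjhgf.com NXDOMAIN
1405000220 10.0.0.9 rtyuioplkjhgfdsa.net NXDOMAIN
1405000280 10.0.0.9 zxcvbnmasdfghjkl.org NXDOMAIN
1405000340 10.0.0.9 poiuytrewqlkjhg.info NXDOMAIN
1405000400 10.0.0.9 asdfghjklzxcvb.biz NXDOMAIN
1405000460 10.0.0.9 qazwsxedcrfvtgb.com NXDOMAIN
1405000520 10.0.0.9 plmoknijbuhvygc.net NXDOMAIN
1405000580 10.0.0.9 tgbyhnujmikolp.org NOERROR
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; strings of all-distinct characters score highest."""
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label left of the TLD. Simplification: ignores multi-part suffixes such as co.uk."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Weak per-name heuristic: a long, high-entropy second-level label."""
    label = second_level_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detect_dga_clients(log_text: str, window_s: int = 600, min_failures: int = 5) -> dict:
    """Per client, find a window_s-second window with >= min_failures NXDOMAIN answers
    for generated-looking names. For each such client report the failure count and any
    generated-looking name that resolved from the start of that window onwards."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        ts, client, qname, rcode = m.groups()
        by_client[client].append((int(ts), qname.lower(), rcode))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        generated = [e for e in events if looks_generated(e[1])]
        failures = [(ts, q) for ts, q, rc in generated if rc == "NXDOMAIN"]
        best, best_start = 0, None
        for i, (ts_i, _) in enumerate(failures):  # densest window starting at each failure
            n = sum(1 for ts_j, _ in failures[i:] if ts_j - ts_i <= window_s)
            if n > best:
                best, best_start = n, ts_i
        if best >= min_failures:
            resolved = sorted({q for ts, q, rc in generated if rc == "NOERROR" and ts >= best_start})
            alerts[client] = {"failed_lookups": best, "resolved": resolved}
    return alerts


if __name__ == "__main__":
    for client, info in detect_dga_clients(SAMPLE_LOG).items():
        print(client, info)
```

The entropy test alone is a poor detector (a legitimate name such as thehackernews.com scores above the threshold), which is why the alert keys on the burst of failed lookups rather than on any single name; a host that resolves one odd-looking domain with no preceding failures is never flagged. In a real deployment the window should be at least as long as the malware's generation period, which is why ten minutes is used here.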

This new Gameover Zeus botnet has a more robust implementation that makes it even more difficult to combat than the previous one.
As Malcovery writes, "this discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history."
STATEMENT BY DEPARTMENT OF JUSTICE
On Friday, the Department of Justice released a statement saying that this new Gameover Zeus botnet was not linked to the botnet it had previously targeted.

"All or nearly all of the active computers infected with Gameover Zeus have been liberated from the criminals' control and are now communicating exclusively with the substitute server established pursuant to court order," the agency said.

The Justice Department also reported that traffic data from the substitute server shows that remediation efforts by Internet service providers and victims have reduced the number of computers infected with Gameover Zeus by 31 percent since the disruption commenced.
