Malcovery identified a new trojan based heavily on the GameOver Zeus binary. It was distributed as the attachment to three spam email templates, the simplest infection method used to deploy this trojan.
Cyber criminals are trying to revive the sophisticated money-stealing software called Gameover Zeus, and researchers are warning of new threats that use much of the same code and are aimed at UK users.
The original strains targeted by police forces across the world, including the National Crime Agency and the FBI, have been in decline.
The malware began to make attempts to contact certain websites in accordance with a domain generation algorithm. The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware.
Many sandboxes would have failed to launch the malware, as the presence of VMware Tools stops the malware from executing.
Sandboxes would also not have observed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was successfully used to launch the new Zeus trojan and download the bank-information "webinject" files from the server.
The domain generation algorithm is a method for a criminal to regain access to his botnet. Random-looking domain names are calculated from the current date, and the malware reaches out via the Internet to see whether each domain exists.
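As an added defender-side illustration (not code from the article or from Malcovery), the following Python scans constructed resolver-log lines for the behaviour described above: one host issuing a burst of failed lookups for long, high-entropy domain names and then a single lookup that resolves. The log format, thresholds and host addresses are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver-log sample in an assumed "<time> <client> <qname> <rcode>" format.
# Host 10.0.0.9 mimics the article's description: failed lookups for random-looking
# names, then one that resolves (the live C&C domain for that day).
SAMPLE_LOG = """\
2014-07-10T14:02:11 10.0.0.5 www.example.com NOERROR
2014-07-10T14:02:13 10.0.0.5 mail.example.com NOERROR
2014-07-10T14:03:01 10.0.0.9 qpwv2b7kljx9ydt.com NXDOMAIN
2014-07-10T14:03:02 10.0.0.9 zxkq1mrtfy83kqwe.net NXDOMAIN
2014-07-10T14:03:03 10.0.0.9 l9fhwk2ttbqxsyjv.org NXDOMAIN
2014-07-10T14:03:04 10.0.0.9 m3vzrpqdkhlyfnxt.biz NXDOMAIN
2014-07-10T14:03:05 10.0.0.9 wc8thx2kqslyvbdp.com NXDOMAIN
2014-07-10T14:03:06 10.0.0.9 hsjrnt9ktpxyqvwl.info NOERROR
2014-07-10T14:03:07 10.0.0.5 cdn.example.org NXDOMAIN
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; dictionary words score lower than DGA output."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def second_level_label(qname: str) -> str:
    """Return the registrable label ('qpwv2b7kljx9ydt' for 'qpwv2b7kljx9ydt.com')."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_random(label: str, min_len: int = 10, min_entropy: float = 3.2) -> bool:
    """Heuristic: long, high-entropy labels are typical of date-seeded DGA output."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_dga_suspects(log_text: str, min_failures: int = 3) -> dict:
    """Per client: count NXDOMAIN answers for random-looking names and keep the
    random-looking names that did resolve; clients over the threshold are returned."""
    stats = defaultdict(lambda: {"random_nx": 0, "random_ok": []})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = fields
        if not looks_random(second_level_label(qname)):
            continue
        if rcode == "NXDOMAIN":
            stats[client]["random_nx"] += 1
        else:
            stats[client]["random_ok"].append(qname)  # candidate live C&C domain
    return {c: s for c, s in stats.items() if s["random_nx"] >= min_failures}
```

The names collected in `random_ok` are the ones worth correlating with proxy and flow records, since the article notes the live domain only appears several minutes into the burst, after a sandbox run has typically ended.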
Malcovery analysts confirmed with the FBI and Dell Secure Works that the original GameOver Zeus is still "locked down".
This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that trojan. In addition to a new DGA, the malware seems to have traded its peer-to-peer infrastructure for a new fast-flux hosted C&C strategy.
In the original GameOver Zeus, the domain generation algorithm and its associated command-and-control resources serve as a fallback to the peer-to-peer botnet, which is this malware's primary means of distributing instructions to infected machines.
Using the websites associated with the domain generation algorithm, the GameOver botnet operators can distribute commands to infected machines with which the peer-to-peer botnet has lost contact.
The binary that is dropped and injected into Internet Explorer after contacting the C&C is randomly named. The version seen this afternoon is currently detected by 8 of 54 AV products at VirusTotal, though others may detect it using non-signature-based methods.
This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.
Author: Venkatesh Yalagandula