The value of law enforcement takedowns of major malware has been questioned after security firm Seculert said the rate at which the Gameover Zeus Trojan generates new domains is now seven times higher than it was before the recent joint FBI, Europol and NCA 'Operation Tovar' action against it.
Seculert research lab manager Adi Raff said in a 31 July post that before the takedown, Gameover was generating 1,000 new domains per week. Now it is generating 1,000 domains per day.
Operation Tovar, which also hit the Cryptolocker ransomware, was launched in late May, and users were warned then that it might only keep Gameover in check for two weeks. In fact it took until 10 July before Malcovery announced it had seen a new variant that located its command-and-control servers using a domain generation algorithm (DGA) rather than the peer-to-peer approach of the original.
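To make the DGA point concrete, here is an added illustrative example. It is a hypothetical date-seeded generator written for this page, not Gameover Zeus's actual algorithm and not code from Seculert or Malcovery. It shows why a DGA removes the need for fixed infrastructure (bot and operator derive the same daily domain list), why a defender who has recovered the algorithm can pre-compute and sinkhole those domains, and why the number of candidates per day sets the cost of that race. The seed, TLD list, label length and IP addresses are all assumptions.

```python
# Added illustrative example: a hypothetical DGA, NOT Gameover Zeus's real one.
import hashlib
from datetime import date, timedelta

# Assumptions for this toy generator: a shared secret seed, a fixed TLD set,
# 12-letter labels and 1,000 candidates per day (the rate reported for the
# new variant). None of these values are taken from the real malware.
SEED = b"hypothetical-seed"
TLDS = ("com", "net", "org", "biz")
PER_DAY = 1000


def dga_domains(day: date, count: int = PER_DAY, seed: bytes = SEED) -> list[str]:
    """Return `count` deterministic candidate domains for `day`.

    Bot and operator both know `seed` and the algorithm, so they derive the
    same ordered list from the current date with no hard-coded server list.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def bot_find_c2(day: date, dns: dict[str, str], count: int = PER_DAY):
    """Bot side: try the day's candidates in order, return the first that resolves.

    `dns` is a constructed stand-in for DNS mapping domain -> IP of whoever
    registered it. Real bots also validate the response; that is omitted here.
    """
    for domain in dga_domains(day, count):
        if domain in dns:
            return domain, dns[domain]
    return None


def defender_precompute(start: date, days: int, count: int = PER_DAY) -> set[str]:
    """Defender side: every domain bots could try over a window of `days`.

    With the algorithm and seed recovered, all future rendezvous points can be
    listed in advance for registration, blocking or sinkholing. At 1,000 per
    day a week needs 7,000 registrations; at 1,000 per week it needs 1,000.
    """
    domains: set[str] = set()
    for n in range(days):
        domains.update(dga_domains(start + timedelta(days=n), count))
    return domains


def simulate_race(day: date, operator_index: int, sinkhole_index: int) -> str:
    """Operator and sinkhole each register one candidate; return who gets the bot.

    Because bots walk the list in order, whoever holds the earliest-index
    domain that resolves captures the bot traffic for that day.
    """
    candidates = dga_domains(day)
    dns = {
        candidates[operator_index]: "198.51.100.7",  # constructed operator IP
        candidates[sinkhole_index]: "203.0.113.9",   # constructed sinkhole IP
    }
    hit = bot_find_c2(day, dns)
    return "sinkhole" if hit is not None and hit[1] == "203.0.113.9" else "operator"


if __name__ == "__main__":
    day = date(2014, 7, 10)
    print(dga_domains(day, 3))
    print(len(defender_precompute(day, 7)), "domains to cover one week at 1,000/day")
    print(simulate_race(day, operator_index=40, sinkhole_index=12))
```

The race in `simulate_race` is the practical reason a takedown of a DGA-based botnet is only a timeout: the defender must keep registering (or blocking) every day's candidates ahead of the operator, and the operator can raise that cost simply by changing the seed or the daily count.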
In its blog post this week, Seculert said that, having sinkholed Gameover traffic, it could compare bot activity before the takedown with activity around the new variant. Raff said: “In the last few days we have seen a surge in the number of bots communicating with our sinkhole, reaching as high as almost 10,000 infected devices.”
He added: “We anticipate the communications traffic to level out over time to reflect pre-takedown amounts.”
Raff commended Operation Tovar and similar action against the Shylock banking Trojan, in which the UK's NCA was a key player, saying: “We at Seculert do not discount the tremendous efforts behind these takedowns.”
But he said: “We are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it?
“There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations.
“It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.”