Gameover Trojan 'surges' after police takedown

News by Tim Ring

What constitutes winning in the fight against malware, and what is the value of a takedown, ask commentators in the wake of Gameover Zeus's bounceback.

The value of law enforcement takedowns of major malware has been questioned after security firm Seculert said some activity around the Gameover Zeus Trojan is seven times higher now than it was before the recent joint FBI, Europol and NCA ‘Operation Tovar' action against it.

Seculert research lab manager Adi Raff said in a 31 July post that before the takedown, Gameover was generating 1,000 new domains per week. Now it is generating 1,000 domains per day.

Operation Tovar, which also hit the Cryptolocker ransomware, was launched in late May, and users were warned then that it might only keep Gameover in check for two weeks. In fact it took until 10 July before Malcovery announced it had seen a new variant that commanded its botnet using a domain generation algorithm (DGA) rather than the original peer-to-peer approach.

In its blog this week, Seculert said that, having sinkholed Gameover, it could compare activity before the takedown and around the new variant. Raff said: “In the last few days we have seen a surge in the number of bots communicating with our sinkhole, reaching as high as almost 10,000 infected devices.”
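The two figures the article quotes, newly generated domains per period and distinct bots talking to the sinkhole, are derived from sinkhole telemetry. The following is an added example (not Seculert's code) that computes both from constructed log lines in an assumed "date ip domain" format, counting a domain only the first time the sinkhole sees it so that reused domains do not inflate the generation rate.

```python
"""Aggregate constructed sinkhole telemetry into first-seen DGA domains per
period and distinct bots per period. Example code added here, not Seculert's;
the log format and the takedown cut-off date are assumptions."""
from collections import defaultdict
from datetime import date

# Constructed sinkhole log lines: "<YYYY-MM-DD> <bot ip> <queried domain>".
SINKHOLE_LOG = """\
2014-05-20 10.0.0.1 qwe1.example
2014-05-20 10.0.0.2 qwe1.example
2014-05-21 10.0.0.1 qwe2.example
2014-07-20 10.0.1.1 zxc1.example
2014-07-20 10.0.1.2 zxc2.example
2014-07-21 10.0.1.1 zxc3.example
2014-07-21 10.0.1.3 zxc1.example
"""
TAKEDOWN = date(2014, 6, 2)  # constructed cut-off date for the comparison

def parse(log):
    for line in log.splitlines():
        d, ip, dom = line.split()
        yield date.fromisoformat(d), ip, dom.lower()

def period_key(day):
    """Bucket pre-takedown traffic by ISO week and post-takedown traffic by
    day, mirroring the 'per week' versus 'per day' rates quoted above."""
    if day < TAKEDOWN:
        year, week, _ = day.isocalendar()
        return ("week", f"{year}-W{week:02d}")
    return ("day", day.isoformat())

def sinkhole_metrics(log):
    """Return {period_key: {"new_domains": n, "bots": m}}.
    A domain counts as new only the first time the sinkhole sees it."""
    seen_domains = set()
    buckets = defaultdict(lambda: {"new_domains": 0, "bots": set()})
    for day, ip, dom in sorted(parse(log)):
        key = period_key(day)
        buckets[key]["bots"].add(ip)
        if dom not in seen_domains:
            seen_domains.add(dom)
            buckets[key]["new_domains"] += 1
    return {k: {"new_domains": v["new_domains"], "bots": len(v["bots"])}
            for k, v in buckets.items()}

if __name__ == "__main__":
    for key, stats in sorted(sinkhole_metrics(SINKHOLE_LOG).items()):
        print(key, stats)
```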

He added: “We anticipate the communications traffic to level out over time to reflect pre-takedown amounts.”

Raff commended Operation Tovar and similar action against the Shylock banking Trojan, in which the UK's NCA was a key player, saying: “We at Seculert do not discount the tremendous efforts behind these takedowns.”

But he said: “We are curious as to the success criteria of these multinational operations. Is the goal of a takedown to cripple the malware or to kill it?

“There is also the possibility that we could just be testing the limits of cybercriminals — challenging them to immediately innovate which could lead to continued escalations.

“It is worth considering whether takedowns are a win for the team of cyber good guys or just a timeout allowing the criminals to regroup and come back stronger.”

Seculert has also seen high levels of activity around Shylock, post-takedown.

Raff said: “In regards to Shylock, we were able to sinkhole it three days after the takedown operation. Since then, we have seen approximately 10,000 bots per day attempting to communicate with our sinkhole server. We can't compare this to the volume prior to the takedown, but it does raise the question, what makes a takedown successful?”

UK-based security consultant and former Scotland Yard cyber crime detective, Adrian Culley, defended the success of global takedown operations, though he acknowledged the hurdles they face.

He said via email: “Partnership operations against botnets led by law enforcement in tandem with corporate bodies have had considerable success internationally, and will continue.

“But it's a cyber arms race, and the job is not likely to get any easier. Botnets can be much like a cyber Hydra - for each head you cut off, two will grow back. They can only be defeated if you really know what you are doing, and are able to take action against all elements of the botnet and its variants.”

Webroot threat researcher Roy Tobin also supported takedowns despite their partial success.

He said via email: “Webroot has seen a definitive drop in the amount of Zeus infections that our customers are seeing. However, just like with any big infection, if you stop one variant of malware from infecting a network, its authors will try to find another way in and change the code to keep up.

“Cryptolocker has changed so dramatically since it first emerged that the latest versions are vastly more sophisticated than the earlier ones, going way beyond just dropping an executable and hoping that people will run them.”

Tobin said takedowns are “an important part of cyber threat mitigation, if only because it slows down the pace of infections and makes it more difficult for hackers to push out new variants of code.

“Hackers generally go after maximum returns for the least amount of work and if they notice that a particular infection is being dealt with effectively by AV vendors and so does every new infection, it may persuade them to give up.

“Takedowns also show hackers that global organisations such as the FBI and Europol do take such threats seriously and are co-ordinating to stop them – sending a clear signal that cybercrime will not go unpunished.”
