New Zeus Gameover employs novel approach to malware

News by Steve Gold

NewGOZ could be upgraded with Cryptolocker-like software in the future, says Lancope's Tom Cross.

Ongoing research into the latest incarnation of Zeus - newGOZ (new Zeus Gameover) - suggests that the cyber-criminals behind the malware may have made extra work for themselves by replacing the P2P command-and-control system with a domain generation algorithm.

According to research analysts Dennis Schwartz and Dave Loftus of Arbor Networks, the use of a domain generation algorithm means the developers behind the threat have effectively had to start over from scratch.

The DGA approach, they say, uses the date and a random set of seed data to generate a 'randomised' domain name; if the resulting domain doesn't work out, the seed is incremented and the process is repeated.

Date-based algorithms, however, the analysts say, make for excellent sinkholing targets due to their predictability, and also give researchers the ability to estimate the size of botnets that use them.

After analysing three weeks' worth of newGOZ sinkhole data, Schwartz and Loftus say that they saw more than 12,300 unique source IPs from all corners of the world.
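As an added illustration (not code from Arbor Networks or from the article), the sketch below shows why a date-seeded generator is predictable to defenders: a day's candidate domains can be precomputed and matched against sinkhole logs to count distinct source IPs. The hash-based generator is a toy stand-in, not the newGOZ algorithm, and the date, seed, `.example` TLD and log lines are all constructed.

```python
import hashlib
from datetime import date

def candidate_domains(day, base_seed, count, tld=".example"):
    """Toy date-seeded generator (NOT the newGOZ algorithm).

    Hashes the date together with a seed; each further candidate uses
    the seed incremented by one, as the article describes.
    """
    domains = []
    for i in range(count):
        material = f"{day.isoformat()}:{base_seed + i}".encode()
        label = hashlib.sha256(material).hexdigest()[:16]
        domains.append(label + tld)
    return domains

def unique_sources(log_lines, watchlist):
    """Return the distinct client IPs that queried any watchlisted domain.

    Assumed log format (constructed): "<timestamp> <source-ip> <query-name>".
    """
    watch = {d.lower() for d in watchlist}
    sources = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing
        _timestamp, src_ip, qname = parts
        # DNS names are case-insensitive and may carry a trailing dot
        if qname.lower().rstrip(".") in watch:
            sources.add(src_ip)
    return sources

# Constructed inputs: date and seed are arbitrary; IPs are documentation ranges.
DAY = date(2014, 7, 14)
SEED = 0x1234
WATCH = candidate_domains(DAY, SEED, 5)
SAMPLE_LOG = [
    f"2014-07-14T09:00:01Z 192.0.2.10 {WATCH[0]}",
    f"2014-07-14T09:00:02Z 192.0.2.10 {WATCH[1]}",  # same host, next candidate
    f"2014-07-14T09:03:40Z 198.51.100.7 {WATCH[0].upper()}.",
    "2014-07-14T09:05:12Z 203.0.113.5 www.example.org",  # unrelated lookup
    "malformed line",
]

if __name__ == "__main__":
    hits = unique_sources(SAMPLE_LOG, WATCH)
    print(f"{len(hits)} unique sources contacted precomputed domains: {sorted(hits)}")
```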

The key takeaway from the Arbor analysis is that the infection numbers of newGOZ are a fraction of what they were in the P2P version of Zeus Gameover, suggesting that it could be some time before the new version of Zeus reaches the same success levels seen with the 'old' P2P versions.

Commenting on the analysis, Dr Guy Bunker, senior vice president of Clearswift, said that, as with any malware, the challenge for the cyber-attackers is to have it under control - and doing something for them - as well as being resilient to take-downs.

"So, in the simplest form, there is a simple command and control server – and the agents that infect the system know exactly where to look for their commands. However, this is a relatively easy 'take-down, take away' situation where the agent is communicating to and it has no-one to talk to," he said, adding that, as a result, other methods have evolved.

In this case, he says, the new variant is using fast flux, where the malware and the control are hiding behind a group of changing (and compromised) proxies and IP addresses, which are constantly changing through registering and re-registering the address associated with the name.

"By the time the control server has been located, it has moved on. There is then a list of associated names as well... the result is that the control server can be readily hidden and moved faster than the authorities can respond," he explained.

Bunker went on to say that organisations that block access to malware sites by IP address will find it extremely difficult, as the IP addresses are constantly changing.

"As with most botnets, there are various reasons behind their employment, with spam and DDoS being the most common. However, for those which are after information - such as credit card numbers, bank details etc - it shows the growing need for the information to be protected. This can be monitored for on the network, and the data transfer blocked; the blocking will cause an event to be raised, which can then be acted upon. A series of events will indicate a possible infection which then needs to be tracked down and removed," he said.

"There is now a huge amount of malware code available in the underground economy; it is only natural that cyber-criminals are re-visiting old versions to see how they can be brought up to date and re-deployed. Unfortunately, the situation is only going to get worse – so the CIO needs to get smarter and become more agile in the way they deal with the threats," he added.

Michael Sutton, vice president of security research with Zscaler, picked up on Bunker's comments, noting that, whilst the new variants of newGOZ are currently a fraction of the size of their predecessor, the resurgence of the popular malware illustrates the temporary nature of botnet takedown efforts.

"While the June takedown effort known as Operation Tovar was successful in disrupting GameOver Zeus, such efforts remain a game of whack-a-mole between law enforcement and cyber criminals. With one botnet down, others have emerged to take its place," he said.

And whilst newGOZ is not a major threat today, the volumes of the malware continue to grow.

"One encouraging piece of news is the lack of a P2P command and control infrastructure this time around in favour of domain generation algorithms which can be easier to combat due to their predictability. NewGOZ is still being assembled and it remains to be seen what it will ultimately be used for," he noted.

Multiple device infections

Over at Check Point, Keith Bird, the firm's managing director, said that his firm's researchers have seen the number of devices infected by GOZ increasing steadily over time, because it keeps evolving.

The most effective defence, he explained, involves the use of layers of security, starting with user education about phishing, and patching of the OS and applications.

"This is because newGOZ variants often exploit known vulnerabilities, and apply updates from security gateway vendors to block GOZ addresses and communication patterns," he said.

Tom Cross, director of security research at Lancope, came up with an interesting analysis. He said that, with the original Gameover Zeus command and control infrastructure having been taken down, the criminals are starting to rebuild their botnet from scratch.

This time around, he says, security professionals are watching them closely from the very beginning, and it will take some time before the infection rates equal the hundreds of thousands of victims that the original botnet impacted.

Having said this, he noted that each new infection provides the attackers with the opportunity to steal end user credentials, and all could be upgraded with Cryptolocker-like software in the future.
