Game on for Gameover?
Game on for Gameover?

Ongoing research into the latest incarnation of Zeus - newGOZ (new Zeus Gameover) - suggests that the cyber-criminals behind the malware may have made extra work for themselves by replacing the P2P command-and-control system with a domain generation algorithm.

According to research analysts Dennis Schwartz and Dave Loftus of Arbor Networks, the use of a domain generation algorithm means the developers behind the threat actor have effectively to start over from scratch.

The DGA approach, they say, uses the date and a random set of seed data to generate a `randomised' domain name, but if the resultant domain doesn't work out, the seed is incremented and the process is repeated.

The use of a data-based algorithm, however, the analysts say, makes for excellent sinkholing targets due to their predictability, as well as providing researchers with the ability to estimate the size of botnets that use them.

After analysing three weeks' worth of newGOZ sinkhole data, Schwartz and Loftus say that they saw more than 12,300 unique source IPs from all corners of the world.

They key takeout from the Arbor analysis is that the infection numbers of newGOZ are a fraction of what they were in the P2P version of Zeus Gameover, suggesting that it could be some time for the new version of Zeus to reach the same success levels seen with the `old' P2P versions.

Commenting on the analysis, Dr Guy Bunker, senior vice president of Clearswift, said that, as with any malware, the challenge for the cyber-attackers is to have it under-control - and doing something for them - as well as being resilient to take-downs.

"So, in the simplest form, there is a simple command and control server – and the agents that infect the system know exactly where to look for their commands. However, this is a relatively easy `take-down, take away' situation where the agent is communicating to and it has no-one to talk to," he said, adding that, as a result, other methods have evolved.

In this case, he says, the new variant is using fast flux where the malware and the control is hiding behind a group of changing (and compromised) proxies and IP addresses which are constantly changing, through registering / re-registering the address associated with the name.