GameOver ZeuS Is Making a Comeback

Status
Not open for further replies.

Littlebits

Retired Staff
Thread author
May 3, 2011
3,893
- whois details for the active domain used for sending out the instruction set
Despite the efforts in early June of different law enforcement agencies and several private security companies to disrupt a massive GameOver ZeuS botnet created, a new variant of the malware has been uncovered.

Security researchers from Malcovery say that the mutation they found is fresh, as they found that one of the domains used for command and control activity had been registered on Thursday, July 10, in China, and it was active.

The operators of the new GameOver ZeuS strain deliver the malware through spam purporting to be notifications from financial institutions, fake messages from banks such as M&T and NatWest being among the samples caught by the security researchers.

The emails come with an attachment, which, once opened, executes the malware payload and communication with command and control servers (C2) is initiated in order to receive instructions.

Malcovery security engineers noticed that the fresh variant relies on a domain-generation algorithm (DGA) that “bears a striking resemblance” to the original GameOver ZeuS.

DGA is used to generate a large number of random domain names, and only a small amount of them is contacted by the malware in search of one that responds to the requests and provides the instruction set.

After contacting the FBI and Dell Secure Works, two of the parties involved in the takedown of the botnet, dubbed Operation Tovar, in early June, Malcovery experts could confirm that the C2 servers used for that botnet were still under their control.

In an official statement, the Department of Justice “reported that all or nearly all of the active computers infected with GameOver Zeus have been liberated from the criminals’ control and are now communicating exclusively with the substitute server established pursuant to court order.”

A difference compared to the original malware is that the newly discovered variant no longer uses the peer-to-peer architecture.

Furthermore, “in addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy,” say the security experts in a blog post.

The FBI estimated that the GameOver ZeuS botnet led to losses of more than $100 / €73.5 million. Since the source code for GameOver ZeuS was still in the hands of cybercriminals, this comeback should not come as a surprise.

Towards the end of June, security researchers from Arbor Networks announced that they found evidence of an active malicious campaign that was based on the GameOver Trojan and which evaded the takedown.

Source
 

marg

Level 13
Verified
May 26, 2014
600
The Top Elite virus writers are hired by the U.S. Government to work in Black Ops. The rest should be given 20 years of hard labor IMO.:D
 
  • Like
Reactions: Littlebits

Littlebits

Retired Staff
Thread author
May 3, 2011
3,893
The good thing is ZeuS does not target home users, only governments and large companies.

Enjoy!! :D
 
  • Like
Reactions: marg

avast! Protection

Level 2
Verified
Jun 27, 2014
51
I'm not sure about the other vendors, but avast! has an official statement that their antivirus can prevent GameOver Zeus and Cryptolocker infections:

AVAST detects and protects its users from CryptoLocker and GOZeus. We also encourage users without any antivirus protection, or expired antivirus protection to download AVAST to scan their PC for GameOver Zeus.

Source: http://blog.avast.com/2014/06/03/gameover-zeus-may-not-be-as-over-as-you-think/

Still, if you aren't an avast! user, you may follow those tips to prevent any Ransomware infection:

  • Keep your antivirus program and definitions updated.
  • Keep your other software and OS updated as well (avast! has a software updater feature which can help you track for outdated ones and update them responsively. Only the Premier version of avast! can update your software automatically. All MT users have the chance to win the avast! Premier version by participating in the Summer Giveaway - http://malwaretips.com/threads/MalwareTips-com-avast-premier-2014-giveaway.29605/ )
  • Make sure you back up important files on a regular basis to avoid losing them to ransomware.
  • Change your passwords regularly
  • And finally, the best protection against such threats is the user's awareness itself. Please check @n.nvt's guide on the topic - "Your Mouseclick Matters"
avast! also has a free Ransomware removal tool for Android mobile devices - http://blog.avast.com/2014/06/19/how-to-use-avast-ransomware-removal/

Hope this information helps! :)
 

Malware1

Level 76
Sep 28, 2011
6,545
Avast usually doesn't detect Zeus samples (including Upatre downloading them), at least at on-demand scan. Not sure what happens after running :)
 

avast! Protection

Level 2
Verified
Jun 27, 2014
51
This is probably true but I'm just passing vendor's words. That's why I've included the last point (which keeps my PC uncompromised by those threats) :p

Just out of curiosity, could someone send me a link of such test? And is the test done with the Hardened mode turned on? :)
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top