After Takedown, Botnet Returns

Wednesday, July 16, 2014 @ 04:07 PM gHale

Gameover ZeuS malware is back just six weeks after a takedown operation crippled the botnet, researchers said.

International law enforcement disrupted the botnet's infrastructure in early June. For the past month, the botnet formed by this malware has been largely inactive, according to net security firm Sophos.


Gameover ZeuS, estimated to have infected more than 500,000 machines worldwide, steals financial and personal information from compromised PCs. It was also a common distribution mechanism for CryptoLocker prior to June's takedown operation. The crooks behind the latest variant appear to be using old tricks: spam runs carrying infected email attachments.

Now a new variant of Gameover ZeuS is attempting to rebuild a zombie network. Sophos researchers said the new variant distributes through widespread spam campaigns, meaning the number of infections may already be large. The messages pose as online bank account statements, and their attachments carry the malware.

The latest variant phones home to up to 1,000 algorithmically generated domain names per day in order to receive command-and-control instructions, rather than relying on the peer-to-peer network the June operation dismantled. The crooks seem to be leaving it until the last minute to register the domains they intend to use, said James Wyke, a senior threat researcher at Sophos, in a blog post.
http://nakedsecurity.sophos.com/2014/07/13/gameover-malware-returns-from-the-dead/
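To make the rendezvous mechanism concrete, here is an added example that is not code from Sophos, from the article, or from the malware itself: a generic date-seeded domain generation algorithm of the kind the paragraph describes, in which bot and operator independently compute the same daily list so the operator need only register one of those names at the last minute, alongside the defender-side check that follows from it, flagging hosts that rack up many NXDOMAIN responses for high-entropy names. The seed, label lengths, TLD list, log format, sample log and thresholds are assumptions chosen for illustration; nothing here reproduces Gameover's actual algorithm.

```python
"""Illustrative domain-generation algorithm (DGA) and a defender-side check.

Added example. The seeding scheme, TLD list, log format and thresholds are
assumptions for illustration and are NOT Gameover's actual algorithm.
"""
import datetime
import hashlib
import math
from collections import Counter

TLDS = ("com", "net", "org", "biz")  # assumed TLD set


def generate_domains(day, count=1000, seed=b"example-seed"):
    """Derive `count` candidate C2 domains from the calendar date.

    Bot and operator both run this, so they agree on the day's list with no
    prior contact; the operator registers one name shortly before it is needed.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 16 + h[0] % 9                       # label of 16..24 letters
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        tld = TLDS[h[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def shannon_entropy(s):
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dga_clients(log_lines, nx_threshold=20, entropy_threshold=2.8):
    """Return clients whose NXDOMAIN answers cluster on high-entropy labels.

    A bot walking a 1,000-name list mostly hits unregistered domains, so the
    tell-tale is a burst of NXDOMAINs for names that look like noise.
    Log line format (assumed): "<timestamp> <client_ip> <qname> <rcode>".
    """
    hits = Counter()
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        if rcode != "NXDOMAIN":
            continue
        if shannon_entropy(qname.split(".")[0]) >= entropy_threshold:
            hits[client] += 1
    return sorted(c for c, n in hits.items() if n >= nx_threshold)


def build_sample_log():
    """Constructed DNS log: one infected host walking part of the day's DGA
    list (only the last name in the slice assumed registered by the operator)
    and one clean host doing ordinary lookups with a single typo."""
    day = datetime.date(2014, 7, 14)
    lines = []
    for i, d in enumerate(generate_domains(day)[:50]):
        rcode = "NOERROR" if i == 49 else "NXDOMAIN"
        lines.append(f"2014-07-14T10:00:{i % 60:02d} 10.0.0.5 {d} {rcode}")
    lines += [
        "2014-07-14T10:01:00 10.0.0.7 www.example.com NOERROR",
        "2014-07-14T10:01:01 10.0.0.7 mail.example.com NOERROR",
        "2014-07-14T10:01:02 10.0.0.7 wwww.exmaple.com NXDOMAIN",
    ]
    return lines


if __name__ == "__main__":
    today = datetime.date(2014, 7, 14)
    print(generate_domains(today)[:3])
    print("flagged clients:", flag_dga_clients(build_sample_log()))
```

The detection side is deliberately crude: a burst of NXDOMAINs for noise-like labels from one client is a strong signal, but a real deployment would also whitelist CDN and anti-spam hostnames that legitimately look random, and would confirm a hit by sinkholing or resolving the day's candidate list.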

The Gameover ZeuS takedown operation in June resulted in criminal charges against 30-year-old Russian national Evgeniy Mikhailovich Bogachev, whom investigators accuse of running the botnet.

“We can’t yet say whether this new variant is the old guys back… or someone completely new who acquired the source code,” according to Sophos, which has added detection for the variant to its enterprise-focused security software packages.
