Cyber Crooks Revive Deadly Malware known as GameOver Zeus
Ibtimes.co.uk reported on 11th July, 2014 that law enforcement agencies had taken down the Gameover Zeus (GOZ) botnet globally, but that five weeks after that successful takedown, cybercriminals have begun reviving the deadly malware.
Security researchers at the security firm Malcovery found a series of new spam campaigns on Thursday, 10th July, 2014, which were spreading a binary that looked like GOZ. The campaigns mainly consist of fake notifications from financial institutions such as NatWest and M&T Bank, with emails carrying a zip file that contains a .scr attachment.
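The lure described above relies on a zip file carrying a .scr (Windows screensaver, which is a directly executable PE file). A mail gateway or triage script can flag such attachments by reading only the zip's central directory, without extracting or running anything. The following is an added example written for this article, not code from Malcovery or SPAMfighter; the sample zip, its file names and the extension list are constructed here for illustration.

```python
import io
import zipfile

# Extensions Windows will execute directly when double-clicked. The .scr
# extension is the one named in the campaign described above; the others are
# common equivalents (assumed list, extend to match local policy).
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def suspicious_members(zip_bytes):
    """Return the names of zip entries whose final extension is executable.

    Only the central directory is read; nothing is extracted or executed.
    A name such as 'Statement.pdf.scr' is judged on its last extension,
    which is the one Windows acts on.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1].lower()
            if "." in basename:
                ext = "." + basename.rsplit(".", 1)[1]
                if ext in EXECUTABLE_EXTENSIONS:
                    flagged.append(info.filename)
    return flagged


def should_quarantine(zip_bytes):
    """Gateway decision: hold the message if any member is executable."""
    return bool(suspicious_members(zip_bytes))


def make_zip(entries):
    """Build an in-memory zip from {name: text}. Constructed test data only;
    the member contents are inert placeholder text, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples: one shaped like the bank-notification lure, one benign.
LURE_ZIP = make_zip({
    "Statement_2014-07-10.pdf.scr": "placeholder, not a real binary",
    "readme.txt": "harmless text",
})
BENIGN_ZIP = make_zip({"invoice.pdf": "placeholder pdf text"})

if __name__ == "__main__":
    print("lure:", suspicious_members(LURE_ZIP), "quarantine:", should_quarantine(LURE_ZIP))
    print("benign:", suspicious_members(BENIGN_ZIP), "quarantine:", should_quarantine(BENIGN_ZIP))
```

The check is deliberately name-based so it can run on every inbound message cheaply; it does not replace content inspection, since an executable can also be renamed to an innocuous extension and launched by other means.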
Once executed, the malware uses a domain generation algorithm (DGA) to contact its command-and-control (C&C) server. The generated domain names are not related to those of the old Gameover Zeus, but experts feel that the DGA itself is very similar.
Researchers observed another interesting aspect: the new Trojan does not use a peer-to-peer (P2P) infrastructure, as the old one did to make takedown efforts more difficult. Instead, it depends on the fast flux technique, which uses an ever-changing network of compromised hosts acting as proxies to hide phishing websites and malware delivery.
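Both behaviours described in the two paragraphs above leave traces in resolver logs: DGA output tends to be long, high-entropy, vowel-poor second-level labels, and fast flux shows one name resolving to many different addresses with short TTLs. The following added example, written for this article and not taken from Malcovery or any vendor tool, scores constructed DNS log lines for both signals. The log format, the domain names and the thresholds are all assumptions chosen for illustration; the names are not the campaign's real DGA output.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query/answer log lines in a hypothetical format (not any
# real resolver's output). Domains are made up for the example.
SAMPLE_LOG = """\
2014-07-10T09:00:01 client=10.0.0.5 qname=www.example.com type=A answer=93.184.216.34 ttl=3600
2014-07-10T09:00:02 client=10.0.0.5 qname=mail.example.com type=A answer=93.184.216.35 ttl=3600
2014-07-10T09:00:05 client=10.0.0.7 qname=xkq7fz2ptl9vwmb.net type=A answer=198.51.100.10 ttl=60
2014-07-10T09:00:06 client=10.0.0.7 qname=wq8zvmlpx3tkr4d.biz type=A answer=198.51.100.11 ttl=60
2014-07-10T09:00:10 client=10.0.0.9 qname=login-secure-bank.info type=A answer=203.0.113.5 ttl=120
2014-07-10T09:02:10 client=10.0.0.9 qname=login-secure-bank.info type=A answer=203.0.113.77 ttl=120
2014-07-10T09:04:10 client=10.0.0.9 qname=login-secure-bank.info type=A answer=198.51.100.200 ttl=120
2014-07-10T09:06:10 client=10.0.0.9 qname=login-secure-bank.info type=A answer=192.0.2.44 ttl=120
2014-07-10T09:08:10 client=10.0.0.9 qname=login-secure-bank.info type=A answer=192.0.2.91 ttl=120
"""

LINE_RE = re.compile(
    r"qname=(?P<qname>\S+) type=(?P<type>\S+) answer=(?P<answer>\S+) ttl=(?P<ttl>\d+)"
)


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"qname": m["qname"].lower().rstrip("."),
                            "type": m["type"], "answer": m["answer"],
                            "ttl": int(m["ttl"])})
    return records


def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_dga(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic DGA check on the registrable label (thresholds are assumptions).
    Entropy alone is not enough: a readable phishing name like
    'login-secure-bank' is also high-entropy, so the vowel ratio is required too."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def dga_candidates(records):
    return sorted({r["qname"] for r in records if looks_dga(r["qname"])})


def fast_flux_candidates(records, min_distinct_ips=4, max_ttl=300):
    """Names whose A answers churn across many addresses with short TTLs
    (thresholds are assumptions; CDNs can trip this, so treat it as triage)."""
    by_name = defaultdict(lambda: {"ips": set(), "min_ttl": None})
    for r in records:
        if r["type"] != "A":
            continue
        e = by_name[r["qname"]]
        e["ips"].add(r["answer"])
        e["min_ttl"] = r["ttl"] if e["min_ttl"] is None else min(e["min_ttl"], r["ttl"])
    return sorted(name for name, e in by_name.items()
                  if len(e["ips"]) >= min_distinct_ips and e["min_ttl"] <= max_ttl)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA-like:", dga_candidates(recs))
    print("fast-flux-like:", fast_flux_candidates(recs))
```

Neither heuristic is proof on its own: short-TTL content delivery networks and randomised hostnames for cloud services produce similar patterns, so the output is a triage list to correlate with domain age, registrar data and reputation feeds rather than a block list.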
Securityweek.com published news on 11th July, 2014 quoting Brendan Griffin and Gary Warner, security researchers with Malcovery, as saying: "In the original GameOver Zeus, the domain generation algorithm and its related command and control resources serve the botnet as a reserve to the peer-to-peer botnet, which serves as the primary means of distribution of this malware's instructions to infected machines. The operators of the GameOver botnet may distribute commands to infected machines with which the peer-to-peer botnet has lost contact by using the related websites with the domain generation algorithm."
V3.co.uk published news on 11th July, 2014 quoting Tom Cross, Lancope Director of Security Research, as saying "the botnet is expected to develop in the near future and IT managers should be extra vigilant for that."
The new GameOver Zeus campaign is one of several advanced cyber attacks discovered in the first two weeks of July, 2014. Researchers at FireEye discovered a new botnet codenamed BrutPOS on Wednesday, 9th July, 2014, attacking point-of-sale (POS) systems to steal banking credentials.
» SPAMfighter News - 18-07-2014