Big GameOver Zeus Hunting: Variants in the Wild or a Botnet Resurgence?

By ISBuzz Team
Writer, Information Security Buzz | Sep 14, 2014 05:02 pm PST

The million dollar question seems to be, “Is GameOver Zeus (GoZ) making a comeback?” The prolific botnet responsible for a cyber-pandemic was disrupted in June. Since then, the security community has held its breath.


It’s common practice for cyber criminals to regain control of infected devices after a take-down. The main obstacle in their way is the device owner. That’s why law enforcement agencies involved in the GoZ operation urged the public to take action. They estimated victims had a two-week window to clean their infected devices before the botnet tried to resurrect itself.[1] Public warnings were issued by the U.S. Justice Department, FBI and the British National Crime Agency.

Now here we are two months later, and we are searching for signs of life.

Security researchers recently reported two new variants of GoZ in the wild, using Domain Generation Algorithms (DGA).[2] So are they back in business, or just dipping their toes in the water?

Over the last couple of months, Damballa has observed new GoZ variants testing the waters. Initially, there was a small set of victims, but that has changed in recent weeks. Although nowhere near previous levels observed with GoZ, the number of victims is climbing. Efforts are underway by the security industry to track activity associated with the new variants.

While the DGA mechanism used by GoZ makes it difficult to stop, it also makes it possible to spot. That is because when bot masters create their infrastructures, the reputations of the domain names they use can tip us off.

Damballa’s threat team builds models of known legitimate domains and malicious domains and assigns a reputation score. We use another system to detect changes across the DNS infrastructure of a service provider or enterprise network that indicate malicious behavior. These techniques enable us to detect botnets before they start sending out malware.

Our current modeling of the GoZ variants indicates bot masters are regrouping. The good news is the security community is responding, which is helping to stunt a rapid resurgence.
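To make the two detection ideas above concrete (domain reputation, and DNS behaviour that gives a DGA away), here is a small added example in Python. It is not Damballa's code and does not implement the real GameOver Zeus DGA; the DNS log lines, the client addresses and the `KNOWN_GOOD` allowlist are all constructed for the illustration. It scores the registered label of each queried name on traits typical of machine-generated domains (high character entropy, few vowels, letters mixed with digits), lets a reputation allowlist override the lexical heuristics, and then counts NXDOMAIN answers per client, since a bot walking through its daily candidate list produces a burst of lookups for names nobody registered. A DGA-like name that does resolve is singled out separately: that is the one somebody registered, which is exactly the reputation signal the article describes.

```python
"""Spotting DGA-style lookups in DNS query logs: lexical scoring plus
per-client NXDOMAIN behaviour. Added illustration for this article; not
Damballa's code and not the real GameOver Zeus DGA. All domains, clients and
the allowlist below are constructed sample data."""
import math
from collections import Counter, defaultdict

# Constructed sample log, one "<timestamp> <client-ip> <qname> <rcode>" per line.
SAMPLE_DNS_LOG = """\
2014-09-10T08:00:01 10.0.0.5 www.example.com NOERROR
2014-09-10T08:00:02 10.0.0.5 mail.example.org NOERROR
2014-09-10T08:00:03 10.0.0.7 xk3qzvtplwmd9r.net NXDOMAIN
2014-09-10T08:00:03 10.0.0.7 q8wjvzxhpkl2n.com NXDOMAIN
2014-09-10T08:00:04 10.0.0.7 zpvmtkqjxbn7yl.org NXDOMAIN
2014-09-10T08:00:04 10.0.0.7 hwkpxztqvnm4b.biz NXDOMAIN
2014-09-10T08:00:05 10.0.0.7 lrtzkvqxpn3wm.net NOERROR
2014-09-10T08:00:06 10.0.0.9 cdn.example.net NOERROR
2014-09-10T08:00:07 10.0.0.9 typo-example.cm NXDOMAIN
"""

# Constructed allowlist standing in for a reputation feed of known-good domains.
KNOWN_GOOD = {"example.com", "example.org", "example.net"}

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample; a real tool
    would consult the Public Suffix List."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def lexical_points(label: str) -> int:
    """Count traits typical of machine-generated second-level labels."""
    points = 0
    if shannon_entropy(label) >= 3.5:
        points += 1
    if len(label) >= 8 and sum(ch in VOWELS for ch in label) / len(label) < 0.2:
        points += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        points += 1
    return points


def is_dga_like(qname: str) -> bool:
    """Reputation first: an allowlisted domain is never flagged on lexical grounds."""
    domain = registered_domain(qname)
    if domain in KNOWN_GOOD:
        return False
    return lexical_points(domain.split(".")[0]) >= 2


def parse_log(log_text: str):
    for line in log_text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield ts, client, qname.lower(), rcode


def analyze(log_text: str, nxdomain_threshold: int = 3) -> dict:
    """Combine lexical scoring with per-client NXDOMAIN bursts (a bot
    probing its daily candidate list) and note DGA-like names that resolve."""
    dga_like, resolving = set(), set()
    nx_per_client = defaultdict(int)
    for _ts, client, qname, rcode in parse_log(log_text):
        if not is_dga_like(qname):
            continue
        domain = registered_domain(qname)
        dga_like.add(domain)
        if rcode == "NXDOMAIN":
            nx_per_client[client] += 1
        else:
            # Somebody registered this one: a candidate for blocking or sinkholing.
            resolving.add(domain)
    suspected = {c: n for c, n in nx_per_client.items() if n >= nxdomain_threshold}
    return {
        "dga_like_domains": sorted(dga_like),
        "resolving_dga_like": sorted(resolving),
        "suspected_hosts": suspected,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DNS_LOG).items():
        print(f"{key}: {value}")
```

On the sample, client 10.0.0.7 is the only host reported (four NXDOMAIN answers for random-looking names), and `lrtzkvqxpn3wm.net` is reported as the one DGA-like name that resolved. The thresholds are deliberately simple; production systems replace the point scheme with trained models over far richer features, as the article's reference to reputation modeling implies, but the shape of the signal is the same.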

By Brian Foster, CTO, Damballa

About Damballa

Damballa helps enterprises prevent loss of their data, intellectual property, finances and reputation due to a cyber-security breach. We are innovators in advanced threat protection and containment. That means our systems help stop malicious behavior from damaging your business.