The game isn't over yet for Gameover malware

Researchers have discovered new variants of Gameover malware--a botnet operationshut down by law enforcement just over a month ago.

In early June the U.S. Department of Justice revealed that the Gameover Zeus (GOZ) botnet had been disabled thanks to the success of a joint effort dubbed "Operation Tovar." The celebration appears to have been premature, though, as security researchers have already discovered a resurgence of Gameover malware infections.

While the Gameover botnet has lain dormant since the takedown, a new massive spam campaign has Sophos Labs researcher James Wyke concerned the threat has returned. A blog post reveals details of why it seems to be part of the same malware family.

According to Wyke, the new threat is being spread via spam intended to look like an account statement. The message body claims the recipient's statement for some random account number with Cards Online is now available and indicates that more information is in the attached file.

The new messages are scrambled using the algorithm and string table that has been the same since the original Zeus source code was leaked in 2011. Some of the more sophisticated elements of previous Gameover variants--most notably the Necurs rootkit--have been removed, however. Wyke theorizes that the attackers traded the sophistication of the rootkit in favor of simplifying the attack and making it easier to remove the malware and leave no trace.

Another change is in how the botnet communicates and receives its malicious instructions. GOZ used a peer-to-peer (P2P) communication method with no central command-and-control servers. The new variant foregoes the P2P method and uses a domain generation algorithm (DGA) instead. The DGA can generate up to 1,000 domains per day, and the malware seems to be designed to wait until the last possible minute to register the domains in order to evade detection and thwart efforts to blacklist or shut down the malicious domains.

Wyke is unsure whether this resurgence is the work of members of the original GOZ team--who managed to avoid arrest--or a result of new malware developers acquiring and building on the source code of the original.

It remains to be seen if this new Gameover campaign will be as successful as its predecessor or if it will fizzle out as a result of changing key elements that contributed to the success of the previous version. Sophos products block the new variant explicitly as Troj/HkMain-AQ  and also provide proactive detection against the Gameover family as Mal/Zbot-HX, HPmal/Zbot-C, and HPmal/Zbot-F.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags malwaresophosbotnetU.S. Department of JusticeGameOver ZeusGameover

More about Department of JusticeSophos

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Tony Bradley

Latest Videos

More videos

Blog Posts