Latest Gameover botnet lies low, looking to resist takedown
In early July, a group of cyber criminals released a modified version of the Gameover ZeuS banking trojan, using a technique known as a domain generation algorithm (DGA) to make disrupting the botnet more difficult.
But the same technique has made it easier for researchers to track the botnet’s activity, and they watched as it quickly grew from infecting hundreds of initial systems to 10,000 systems in two weeks. Then a funny thing happened: Gameover ZeuS stopped growing. Now, almost six weeks after researchers first detected signs of the program, the group behind the botnet keeps the infections between 3,000 and 5,000 systems, according to security services firm Seculert.
The group undoubtedly wants to grow the botnet again because cyber crime is typically a game of large numbers. When a coalition of law enforcement officials and industry players took down the botnet in late May, it comprised some 500,000 to 1 million machines. Now they’re lying low, Seculert CTO Aviv Raff told Ars.
“Either they are waiting for the right time to do that or are actually now in talks of launching campaigns that will allow this botnet to grow,” Raff said. “In the end, they are making money out of it, and they want to make the same amount they did in the past, and that requires a similar size.”
The group behind the original Gameover ZeuS used the program to infiltrate victims’ computers and transfer money from the owners’ bank accounts to the criminals’ accounts in other countries. While the profit from the botnet is not known, the US government estimated that the group was responsible for $100 million in losses across the country.
With such potential profits at stake, researchers were unsurprised when a new version of Gameover ZeuS appeared. The most significant change to the program was the use of a domain generation algorithm, or DGA, to pseudo-randomly generate domain names based on the current date. Different versions of the malware would generate 1,000 or 10,000 domains every day and then attempt to resolve each one. The criminals behind the botnet need only register one of those domains and stand up a command-and-control (C2) server there to issue new orders to the botnet.
While the adoption of the domain-generation algorithm may make takedowns more difficult, the technique makes it easier for researchers to track the growth of the botnet, Raff said.
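The two sides of that trade-off, as an added illustration that is not part of the original article and does not reproduce Gameover ZeuS's real algorithm: a constructed date-seeded generator that yields the same daily candidate list on every bot, and the defender's counterpart, which precomputes that list and matches it against constructed DNS query records to inventory infected hosts. The seed, hashing scheme, TLD pool, log format and IP addresses are all assumptions made for the example.

```python
import hashlib
import datetime as dt

TLDS = ("com", "net", "org")   # constructed TLD pool for the illustration

def daily_domains(day, count, seed=b"constructed-seed"):
    """Model of a date-seeded DGA: every bot holding the same seed derives the
    same candidate list for a given calendar day, so the operator can register
    any one name in advance and the bots will find it. (Illustrative hash-based
    scheme, not Gameover ZeuS's actual algorithm.)"""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).hexdigest()
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        names.append(f"{digest[:12]}.{tld}")
    return names

def find_infected_hosts(dns_log, day, count):
    """Defender side: a researcher who has reversed the algorithm precomputes the
    day's list and matches it against DNS query records ('client_ip name'),
    turning the bots' daily lookups into a host inventory."""
    expected = set(daily_domains(day, count))
    hits = {}
    for line in dns_log:
        client, name = line.split()
        if name.lower().rstrip(".") in expected:
            hits.setdefault(client, []).append(name)
    return hits

DAY = dt.date(2014, 7, 15)          # constructed observation date
TODAY = daily_domains(DAY, 1000)    # the 1,000-domain variant described above
YESTERDAY = daily_domains(DAY - dt.timedelta(days=1), 1000)
SAMPLE_LOG = [                      # constructed DNS query records
    "10.0.0.5 " + TODAY[3],
    "10.0.0.5 " + TODAY[17] + ".",  # trailing dot, as some resolvers log it
    "10.0.0.9 www.example.com",
    "10.0.0.7 " + YESTERDAY[3],     # stale name: no longer in today's list
]

if __name__ == "__main__":
    for host, names in find_infected_hosts(SAMPLE_LOG, DAY, 1000).items():
        print(host, "queried", len(names), "DGA domain(s):", names)
```

The same precomputed list is what lets a sinkhole operator register candidate names ahead of the operator, which is why the next paragraphs describe sinkholes outnumbering real C2 servers.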
“It is much harder to do takedowns by fighting the DGA,” he said.
In a July analysis of the DGA, Dennis Schwarz, a research analyst at network-security firm Arbor Networks, argued that the domain-generating feature may not last very long, especially because the botnet is getting a lot of attention from security researchers.
“Empirically, there seems to be more security research sinkholes populating the DGA namespace than actual C2 servers,” Schwarz said. “Additionally, as we’ve seen, the actor is willing to completely replace the C2 mechanism altogether.”