The Zeus GameOver Trojan variant known as newGOZ has managed to propagate itself in fairly quick time since popping onto the scene in July, leaving some to mull whether it will grow to equal the heft of the previous worldwide GameOver bot that was taken down recently.
Arbor Networks has been tracking the spread of the fresh bug and has seen an exponential infection trajectory. Four days after the discovery of newGOZ in July, its first sinkhole saw 127 victims. Just a few days later, on July 18, it saw an 89% increase to 241 victims. As of July 21, there had been a 78% further increase to 429 victims, mostly in the eastern half of the United States.
As reported by Malcovery Security on July 22, a large spam campaign began to distribute newGOZ via the Cutwail botnet. And by July 25, Arbor saw an 1,879% increase to 8494 victims—with the rest of the United States covered.
Over that weekend and 19 days after its discovery, Arbor’s fifth and final sinkhole for the research saw a 27% decrease to 6,173 victims, most likely due to victims cleaning themselves up from the spam campaign. But, Latin America, South Africa, South East Asia and New Zealand victims began to fill in.
In aggregate and over three weeks, the five sinkholes saw 12,353 unique source IPs from all corners of the globe. The most infected country was the United States followed by India.
“The major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA),” Arbor researchers Dennis Schwarz and Dave Loftus said, in a blog. “The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated. We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used.”
While the botnet build has been done with alacrity, the researchers noted that it still pales in comparison with the size of the dismantled GameOver apparatus: “With the infection numbers at a fraction of what they were in the P2P version of Zeus GameOver, how long will the threat actor focus on rebuilding their botnet before they return to focusing on stealing money?”
The GameOver botnet is estimated to have been responsible for at least $100 million in losses worldwide.
Also, other questions remain as the campaign gets going. “Will the threat actor continue to use the same DGA configuration that they’ve been using so far?” the researchers considered. “Empirically, there seems to be more security research sinkholes populating the DGA namespace than actual C2 servers. There is also the second DGA configuration that hasn’t received much use yet. Additionally, as we’ve seen, the actor is willing to completely replace the C2 mechanism altogether.”