The notorious Gameover Zeus malware appears to have come back from beyond the grave just over a month after a high profile takedown operation by law enforcers, according to security researchers.
Sophos senior threat researcher, James Wyke, claimed his team has found a new version of the malware being distributed through “widespread” spam campaigns via infected email attachments which users are encouraged to open.
Wyke pointed to several reasons why the newly discovered variant is likely to be from the Gameover family.
First, it features the same strings – and the same custom algorithm to scramble those strings – as those of earlier versions.
The main difference is that it no longer includes the Necurs rootkit – originally included to make removal more difficult – and the peer-to-peer protocol is no longer used to control the botnet, Wyke said.
“We can still see evidence of the P2P protocol commands in the malware program, but the sample is not seeded with a starting list of peer addresses, and the code that attempts to find and use peers in the botnet is absent,” he wrote in a blog post.
“Again, this is a strange development, because using P2P for command-and-control definitely makes the botnet more robust.”
The previous version of Gameover apparently used a “domain generation algorithm” (DGA) designed to take over as a C&C mechanism if the P2P system failed.
However, the newly discovered variant uses only the DGA, generating a different set of up to 1,000 domains each day, Wyke said.
“We generated the domains that will be used over the next few days and found that only a small number were were alive for the first day. At the time of writing, no domains for subsequent days were resolving,” he added.
“This suggests that the Gameover operators are not showing their hand yet, thus keeping the list of domains that they intend to use each day confidential until close to the time that they are needed.”
Gameover Zeus first shot to fame in early June when the FBI and the UK’s NCA claimed to have disrupted the infamous botnet, which was also linked to CryptoLocker ransomware.
At the time, law enforcers warned that users may only have a couple of weeks grace to clean up infected machines before it returned.