GoZ-Hunting Gets a Visibility Boost

The new GameOver Zeus (GoZ) variant that has been spotted building up a bot footprint over the last couple of months has left researchers on the fence as to whether it’s actually making any serious headway in the effort.

Overall, there has so far been a small set of victims for the new GoZ, which has been rebuilding after an international takedown earlier this year. But the growth rates are high: in July, one week-long period showed a 1,879% increase, yet that only brought the total to 8,494 victims.

“The million dollar question seems to be, is GameOver Zeus (GoZ) making a comeback?” said Brian Foster, CTO at Damballa, in a blog. “The prolific botnet responsible for a cyber-pandemic was disrupted in June. Since the international take-down effort was announced in June, the security community has held its breath.”

He added, “It’s common practice for cyber-criminals to regain control of infected devices after a take-down. The main obstacle in their way is the device owner.”

Accordingly, law enforcement agencies involved in the GoZ operation urged the public to take action, estimating that victims had a two-week window to clean their infected devices before the botnet tried to resurrect itself. Public warnings were issued by the US Justice Department, FBI and the British National Crime Agency.

This version of GoZ is known to have swapped the previous GoZ peer-to-peer (P2P) structure for the use of Domain Generation Algorithms (DGA). Damballa has found that while the DGA mechanism makes it difficult to stop, it also makes it possible to spot. So when bot masters create their infrastructure, the reputation of the domain names they use can tip GoZ-hunters off.

The use of DGA, for instance, has enabled Damballa’s threat team and other researchers to build models of known legitimate domains and known malicious domains, and to assign each newly observed domain a reputation score against those models.

Damballa also uses a second system to detect changes across the DNS infrastructure of a service provider or enterprise network that indicate malicious behavior, Foster noted.
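To make the DGA-spotting idea concrete, here is an added illustration that is not Damballa’s model and not code from the article: a simple lexical heuristic run over constructed DNS resolver log lines, flagging queried names that look machine-generated and counting NXDOMAIN responses per client (a bot cycling through generated names hits many unregistered domains). The log format, thresholds and the naive second-level-label extraction are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS resolver log (not real traffic): timestamp, client IP, queried name, rcode.
SAMPLE_DNS_LOG = """\
2014-08-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2014-08-01T10:00:02Z 10.0.0.5 mail.google.com NOERROR
2014-08-01T10:00:03Z 10.0.0.7 xkqzvbtrlwpmfhgd.net NXDOMAIN
2014-08-01T10:00:04Z 10.0.0.7 qwpfzkxvjbtnmrlh.biz NXDOMAIN
2014-08-01T10:00:05Z 10.0.0.9 cdn.cloudflare.net NOERROR
2014-08-01T10:00:06Z 10.0.0.7 tzrvkpqxmlbwhndf.org NOERROR
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Character entropy in bits; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_label(qname):
    # Naive second-level label ("example" from "www.example.com"). A real
    # deployment would use a public-suffix list; this shortcut is an assumption.
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """Lexical 'looks machine-generated' score from 0 to 3; 2 or more is a candidate."""
    label = registered_label(qname)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return sum([len(label) >= 12, shannon_entropy(label) >= 3.5, vowel_ratio < 0.2])

def analyze_dns_log(log_text, threshold=2):
    """Return (flagged [(client, qname, score), ...], NXDOMAIN count per client)."""
    flagged, nxdomain = [], defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1  # many NXDOMAINs from one host is a second DGA signal
        score = dga_score(qname)
        if score >= threshold:
            flagged.append((client, qname, score))
    return flagged, dict(nxdomain)

if __name__ == "__main__":
    flagged, nx = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, qname, score in flagged:
        print(f"{client} queried DGA-like name {qname} (score {score}, NXDOMAIN count {nx.get(client, 0)})")
```

Lexical scoring alone produces false positives on legitimate CDN and tracking hostnames, which is why a reputation model over known-good and known-bad domains, as the article describes, is layered on top of it.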

“Now here we are two months later and we are searching for signs of life,” Foster said. “Our current modeling of the GoZ variants indicates bot masters are regrouping. The good news is the security community is responding, which is helping to stunt a rapid resurgence.”

The proverbial jury is still out on the actual scope of the threat though—for now there are more security sinkholes than anything related to GoZ out there.

“With the infection numbers at a fraction of what they were in the P2P version of Zeus GameOver, how long will the threat actor focus on rebuilding their botnet before they return to focusing on stealing money?” mused Arbor Network researchers Dennis Schwarz and Dave Loftus, in a recent blog.