Gameover Zombies on the March Again
Jul 17, 2014 10:28 AM PT
The Gameover botnet is back -- more or less -- only six weeks or so after the United States Department of Justice announced that an FBI-led multinational effort had disrupted it.
Still, the botnet's downtime was longer than expected -- the UK's National Crime Agency had warned that the people running it would regain control within two weeks.
Sophos this week spotted a new version of the malware, which it calls "Troj/HkMain-AQ."
Only a few samples have been identified, but it has been distributed through widespread spam campaigns, so there already may be a large number of victims, the firm said.
"Everyone should expect variants of successful malware to reappear like a phoenix with every successful destruction," Steve Hultquist, chief evangelist for RedSeal Networks, told TechNewsWorld. "Success pays too well to expect death to be permanent."
Prevention Is Best
Users should ensure their applications are patched and their security software is up to date.
"The criminal business empires that have grown up around botnets ... would rapidly fall apart if we kept our computers clean in the first place," Paul Ducklin, senior security adviser at Sophos, told TechNewsWorld. "Kill a zombie today."
What Gameover's Kissin' Cousin Looks Like
Like Gameover, the new variant uses the same custom algorithm to scramble text strings as the Zeus Trojan, Sophos found.
However, this latest malware is less sophisticated than its predecessor.
It lacks the Necurs rootkit, a component that was present in the earlier version and that makes malware removal more difficult, Sophos said.
Further, the new variant doesn't use peer-to-peer protocol communications, unlike its predecessor, which makes it less robust, Sophos said.
It apparently contains P2P protocol commands but is not seeded with a starting list of peer addresses, and it lacks the commands that try to find and use peers.
Finally, although the earlier version used a domain generation algorithm only as a fallback, the current version uses a DGA that can generate up to 1,000 possible domains a day.
"DGA is an expensive and sensitive operation," Adam Kujawa, head of malware intelligence for Malwarebytes, told TechNewsWorld. "They won't be able to keep it up forever."
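A DGA that burns through many candidate domains a day is also what makes such a variant visible on the defender's side: the infected host fails to resolve a stream of random-looking names. The following is an added example, not from the article or from Sophos, that scores constructed resolver log lines by per-client NXDOMAIN count and label entropy; the log format, the sample names and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<day> <client> <domain> <rcode>"
SAMPLE_LOG = """\
2014-07-15 10.0.0.5 www.example.com NOERROR
2014-07-15 10.0.0.5 mail.example.com NOERROR
2014-07-15 10.0.0.9 kqzxtrbvnwplmhgdfy.net NXDOMAIN
2014-07-15 10.0.0.9 yhgtrfdvcxsaqwertb.com NXDOMAIN
2014-07-15 10.0.0.9 plmoknijbuhvygctfx.biz NXDOMAIN
2014-07-15 10.0.0.9 zaqwsxcderfvbgtyhn.org NXDOMAIN
2014-07-15 10.0.0.9 www.example.com NOERROR
2014-07-15 10.0.0.7 typo-exampel.com NXDOMAIN
"""


def label_entropy(domain):
    """Shannon entropy (bits per character) of the label just left of the
    top-level domain; a crude proxy for how random-looking a name is."""
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_dga_suspects(log_text, min_nx=3, min_entropy=3.5):
    """Return {(day, client): [domains]} for clients whose distinct failed
    lookups in a day reach min_nx and whose labels look random on average.
    The thresholds are assumed starting points, not tuned values."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, client, domain, rcode = line.split()
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(domain.lower())
    suspects = {}
    for key, domains in failed.items():
        if len(domains) < min_nx:
            continue
        avg_entropy = sum(label_entropy(d) for d in domains) / len(domains)
        if avg_entropy >= min_entropy:
            suspects[key] = sorted(domains)
    return suspects
```

A single typo such as the one from 10.0.0.7 stays below the count threshold, while the host with four high-entropy failures is flagged for a closer look.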
Why the New Variant Is Simpler
There could be a variety of reasons for this latest variant of Gameover to be less sophisticated than its predecessor.
The cybercriminals behind it might lack technical ability, Kujawa speculated. On the other hand, "it could be ... a diversion ... while another variant is developed -- something to pay the bills or continue the growth of influence the malware team has."
Rootkits "are much harder to program correctly than bots themselves," Sophos' Ducklin pointed out. "And most good antivirus products look out for rootkits as well as regular malware."
As for not including P2P, "maybe the crooks decided that the extra complexity of P2P wasn't worth it," Ducklin mused. "Perhaps the crooks have used vanilla botnets before and made no less money out of them than when they added in P2P."
Another perspective is that cybercrime is a business and therefore adapts to changing conditions.
"If a simple version works, the bad guys will use it even as they develop additional approaches," Hultquist suggested. "New releases and new products are inevitable."
The Never-Ending Story
The battle between law enforcement and cybercriminals will continue.
"This is what cyber public health looks like: A single remediation effort will not change humanity, persuade others to give up crime, or deter future criminals," David Dagon, cofounder of Damballa and postdoctoral fellow at the Georgia Institute of Technology, told TechNewsWorld.
"Taking down botnets not only disrupts the money and the market, but also lets cybercriminals know that they can be caught, that law enforcement can touch them, and they should always assume that we are right behind them," Malwarebytes' Kujawa said. Creators of smaller botnets "might decide that cybercrime isn't the best approach to making money."