Two new variants of Gameover Zeus banking Trojan identified

Two new Gameover Zeus variants targeting Europe and the US identified by Bitdefender

Gameover Zeus, the banking Trojan whose communications network was taken down by international coordination at the beginning of June, has been resurrected, with two new variants identified in the wild by security software company Bitdefender.

"One of them generates 1,000 domains per day and the other generates 10,000 per day. Bitdefender warns that the UK is currently the sixth most infected country with 42 unique IPs to date and that there is growth potential with new control domains continuing to be registered.

GOZeus - short for Gameover Zeus - is a peer-to-peer variant of the Zeus family of malware, first identified in September 2011. It is designed to steal bank log-in credentials by searching a compromised PC for files containing financial information. If it fails to find anything of value, it may then install Cryptolocker - "ransomware" that encrypts the PC's hard-disk drive, only providing the decryption key after a fee is paid.

GOZeus uses a decentralised infrastructure, which makes it more difficult to take down than a typical botnet, according to an advisory from the US Computer Emergency Readiness Team (US-CERT).

Since the take-down, the hackers behind Gameover Zeus started to use Domain Generation Algorithms (DGAs). Bitdefender claims that the generated domains were only active for one day each. By "sinkholing" a particular domain, the antivirus company has been able to observe the botnet's structure and activity for the corresponding day.

Sinkholing is a technique whereby the security specialist takes over a server used by hackers as part of their command-and-control infrastructure.

"It seems that the recent Gameover Zeus takeover attempt has yielded less-than-perfect results," said Catalin Cosoi, chief security strategist at Bitdefender. "Further research and international co-operation are now needed to stamp out this menace once and for all."

After sinkholing five domains on five different days for each of the two botnets, Bitdefender has drawn a number of conclusions.

First, the botnets corresponding to the two DGAs on the Gameover Zeus variants are very different when it comes to countries of interest.

The first version has a bigger infection density in the US, which is to be expected as most of the malware families extort money from there, according to Bitdefender. Some 83.7 per cent of the 5,907 unique IP addresses that contacted Bitdefender's sinkhole were received from the US.

However, the second version is, without question, targeting Ukraine and Belarus, with 70.7 per cent of 4,316 unique IP addresses emerging from these countries.

Although there have been multiple domains registered for the botnet targeting the US, Bitdefender has found none for the botnet targeting Ukraine and Belarus, meaning that no one is using the bots at this moment. However, the botnet could find itself with a new master at any point in the future, warns Bitdefender.