All the latest UK technology news, reviews and analysis


De-evolved Gameover Zeus malware found in spam messages

02 Sep 2014
Basic Gameover Zeus attack tool discovered

The hacker gang behind the notorious Gameover Zeus campaign has returned to action by attempting to spread a weaker, less complex version of the original malware.

Director of security research for Zscaler Deepen Desai revealed the campaign in a blog post, reporting that the firm spotted the attack while examining a wave of spam messages being sent from the Cutwail botnet.

"We started seeing infection reports involving a new Gameover Zeus variant early last month (July 2014). The major infection vector still remains the same where the Cutwail botnet is being leveraged by the cyber criminals to send out spam emails with a malicious attachment," read the post.

"The malicious attachment on most occasions masquerades as a financial PDF document in order to lure an unsuspecting user into opening it. Once the user opens the attachment, it downloads the latest Gameover Zeus variant from a predetermined location."

Desai said the new version has the same information-stealing goal as it predecessor, but uses more basic technologies. "The previous Gameover Zeus variant used a peer-to-peer (P2P) command-and-control protocol in addition to a failover domain generation algorithm (DGA), to establish connection with a C2 server," he said.

"However, this newer variant does not feature a P2P command and control protocol, instead it is falling back to the old DGA with fast flux tactics to hide the C2 servers. This, in our opinion, is a step backward as P2P was a more resilient feature."

Law enforcement agencies across the globe, including the UK National Crime Agency (NCA), temporarily shut down the original Gameover Zeus botnet, which was estimated to have enslaved between 500,000 and a million computers at its peak in June.

Despite not catching the author of the malware and the campaign, it is believed to have caused untold damage to the original Gameover Zeus operation. Desai said the DGA architecture is one of several technical downgrades.

"Another step backward that we observed is the absence of the kernel-mode rootkit that was pushed out as an update early this year by the Gameover Zeus operators in the previous version. The rootkit made removal of the malware extremely difficult and disabled multiple security features on the infected system," he explained.

Zscaler is one of many security firms to report uncovering a new Gameover Zeus version. Malcovery Security reported finding an evolved, more resilient version of the Gameover Zeus botnet sending out malicious spam messages in July.

Combating criminal operations has been an ongoing goal of European law enforcement. Europol's European Cybercrime Centre (EC3) launched a Joint Cybercrime Action Taskforce (J-CAT) pilot programme in a bid to take on cyber crime operations, such as Gameover Zeus, on Monday.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

Microsoft Azure outage

Is cloud computing reliable enough for business yet?
9%
8%
19%
64%

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

CRM Project Manager / Business Analyst

CRM Business Analyst / Project Manager with experience...

Web Developer (PHP, MVC)

Mid Level Web Developer (PHP, MVC) £25,000 - £35,000...

PHP Web Developer - £35k

PHP Web Developer - Andover £25k-£35k A small but growing...

Application Support - Basingstoke - £20k -£30k

Application Support - Basingstoke, Hampshire - £20,000...
To send to more than one email address, simply separate each address with a comma.