Original GOZ operators may have switched to Dyre Trojan

Sep 1, 2014 16:05 GMT

After the takedown of the Gameover Zeus (GOZ) botnet back in early June, security researchers warned that the cybercriminals would attempt to rebuild the network of infected machines.

The alert was based on the fact that the malware’s peer-to-peer (P2P) communication architecture would allow its operators to reclaim control at a later time.

As such, Operation Tovar, the joint action by multiple law enforcement agencies and private security firms to disrupt the GOZ botnet, was seen by many from the outset as only a temporary fix.

Researchers from F-Secure and Trend Micro expressed this fear almost immediately after Operation Tovar concluded.

Indeed, signs of attempts to resurrect GOZ did appear, although not as soon as the experts had predicted: in July, security company Malcovery reported the discovery of a new variant of the banking Trojan.

They noted that the new strain integrated a domain generation algorithm (DGA) closely resembling the one used in the original threat, and that it no longer relied on the P2P architecture.

Towards the end of July, Israel-based security company Seculert confirmed the existence of the new GOZ variant, which lacks a P2P mechanism for updates and control, and reported that it had infected almost 10,000 devices.

They also observed that the DGA generates 1,000 domain names per day, which makes sinkholing harder: defenders have to register or redirect a large number of candidate domains to cut off the rendezvous points, while the operators need to control only one of them on any given day.
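As an added illustration (not the page's or any vendor's code, and not the Gameover Zeus algorithm itself), the Python below sketches a hypothetical date-seeded DGA that produces 1,000 candidate domains per day and shows both sides of the problem: an operator only needs to register one of the day's domains, while a defender who has reverse-engineered the algorithm can precompute the entire set to sinkhole it, or match it against DNS query logs. The key, TLD list, label length and the sample log lines are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical date-seeded DGA for illustration only; it is NOT the Gameover
# Zeus algorithm. The key, TLD list and label length are assumptions.
TLDS = ("com", "net", "org", "biz")
DOMAINS_PER_DAY = 1000
SECRET_KEY = b"illustrative-key"   # assumption: a per-family constant


def generate_domains(day, count=DOMAINS_PER_DAY, key=SECRET_KEY):
    """Return the deterministic list of `count` candidate domains for `day`.

    Every infected host computes the same list for the same date, so the
    operator only has to register one of them to regain control.
    """
    domains = []
    for i in range(count):
        # Seed = family key + calendar date + sequence number.
        seed = key + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.md5(seed).hexdigest()
        # Map each byte of the digest to a lowercase letter (16-char label).
        label = "".join(chr(ord("a") + int(digest[j:j + 2], 16) % 26)
                        for j in range(0, 32, 2))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_sinkhole_targets(start, days):
    """Defender side: once the algorithm and key are recovered from a sample,
    every future day's domains can be generated ahead of time and registered
    or sinkholed. Returns the full set that would have to be covered."""
    targets = set()
    for offset in range(days):
        targets.update(generate_domains(start + timedelta(days=offset)))
    return targets


def flag_dga_queries(log_lines, day):
    """Detection side: match DNS query names against the day's generated set.
    Returns (client, qname) pairs that hit a DGA domain."""
    expected = set(generate_domains(day))
    hits = []
    for line in log_lines:
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") in expected:
            hits.append((client, qname))
    return hits


# Constructed sample DNS log (not real traffic). One query is deliberately
# taken from the day's DGA output so the detector has something to find.
SAMPLE_DAY = date(2014, 8, 28)
SAMPLE_DNS_LOG = [
    "2014-08-28T09:12:01Z 10.0.0.5 www.example.com",
    "2014-08-28T09:12:04Z 10.0.0.9 " + generate_domains(SAMPLE_DAY)[7],
    "2014-08-28T09:12:09Z 10.0.0.5 mail.example.net",
]

if __name__ == "__main__":
    today = generate_domains(SAMPLE_DAY)
    print(f"{len(today)} candidate domains for {SAMPLE_DAY}, e.g. {today[0]}")
    week = precompute_sinkhole_targets(SAMPLE_DAY, 7)
    print(f"{len(week)} domains to cover for one week of sinkholing")
    print("DGA hits in sample log:", flag_dga_queries(SAMPLE_DNS_LOG, SAMPLE_DAY))
```

The asymmetry is the point: a week of coverage means 7,000 domains for the defender, but only one successful registration for the operator, and without the recovered key a defender cannot generate the list at all and is reduced to observing live queries.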

Signs of activity were timid at the beginning of the month, but infections grew towards its end. Sinkholes run by Arbor Networks recorded almost 8,500 victims across the US, with a drop in numbers four days later, possibly because users took action to remove the malware from their computers.

Damballa, a computer security company focusing on advanced threats that participated in the GOZ takedown, confirms the uptick in infections, saying that “the number of victims is climbing but nowhere near previous levels.”

However, the actors behind the recent wave of GOZ infections may not be the same as the initial ones. “There is much speculation about the operator(s) but as yet, no one in the security community has definitive data,” Damballa said last week via email.

Some evidence supporting this theory has been found by security researchers at PhishLabs, who analyzed a recent phishing campaign delivering the Dyre Trojan to customers of JP Morgan Chase.

Based on their findings, “cybercriminal actors currently or previously involved in GameOver Zeus operations” have been tied to this campaign, and the attacks are believed to have started by mid-June at the latest, about two weeks after Operation Tovar.

According to the researchers, the victim's computer is first infected with the Upatre downloader, which is generally used to deliver other malware. In this case, the cybercriminals use it to deliver the Dyre banking Trojan, also known as Dyreza.

Dyre gives its operators remote access capabilities and is a relatively new piece of malware, first reported by PhishMe in the middle of June.

The use of the Upatre dropper is what led PhishLabs researchers to suspect a connection with the GOZ handlers, who relied on the same downloader to deliver the improved Zeus variant.

The Dyre Trojan has also been seen targeting online banking services other than JP Morgan Chase's. CSIS reported in June that it aimed at customers of Bank of America, NatWest, Citibank, RBS and Ulster Bank as well, through phishing emails.

A takedown operation, even a major one involving law enforcement agencies in multiple countries and concerted action by private security firms, is not enough to scare cybercriminals into shutting down their business.

Often they regroup, either by reusing the same malware family or by switching to a different one, as appears to be the case with Dyre.

Even if arrests are made, the malware generally lives on, as its source code is leaked or sold on underground sites, giving other actors the chance to improve it and carry out attacks of their own.

Whether under the control of the same operators or not, the GOZ botnet's days are far from over; as long as someone is there to improve the code and sell it to cybercriminals, law enforcement and security firms will have battles to fight.