Almost 10,000 bots attempt to contact security firm sinkhole

Aug 1, 2014 17:47 GMT

New findings from security researchers point to a resurgence of the Gameover ZeuS and Shylock malware, as the latest sinkhole telemetry indicates that a sizeable new population of bots has been built up.

Israel-based security firm Seculert has found that a new variant of Gameover ZeuS (GOZ) is currently in circulation, and although it is not as prevalent as its predecessor, it has still managed to infect almost 10,000 computers.

Aviv Raff, CTO and lead malware researcher at Seculert, writes in a blog post that the company found several changes in the latest strain of GOZ.

First of all, the malware authors have dropped the peer-to-peer communication mechanism that allowed the threat actors to control and update the infected computers. It was this decentralized layer that made the original botnet so difficult to dismantle, since there was no single command and control server to seize.

Another change observed by Raff is a new DGA (domain generation algorithm) that produces a list of 1,000 domains per day, used to make the attackers' command and control server harder to locate and block.

The volume and frequency are notable: the previous version generated the same number of domains, 1,000, per week rather than per day, so a defender now has to register or sinkhole seven times as many domains to keep the bots away from a live server.
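To make the defender's side of this concrete, here is an added example (not Seculert's code and not the actual Gameover ZeuS algorithm, whose details the article does not give) of a date-seeded DGA. The seed value, the SHA-256 construction and the TLD pool are all assumptions chosen for illustration; what carries over to the real case is that whoever recovers the algorithm and seed from a sample can precompute the list for any date, count how many domains a sinkhole operation must control, and flag observed hostnames that fall in the generated set.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical TLD pool; a real DGA ships its own list.
TLDS = ("com", "net", "org", "biz", "info")

# The day the article reports as the GOZ sinkhole peak, used as a sample date.
EXAMPLE_DAY = date(2014, 7, 25)


def _as_date(d) -> date:
    """Accept a date or an ISO string such as "2014-07-25" (log timestamps are strings)."""
    return d if isinstance(d, date) else date.fromisoformat(str(d))


def generate_domains(day, count: int = 1000, seed: bytes = b"illustrative-seed") -> list[str]:
    """Return `count` deterministic pseudo-random domains for `day`.

    Illustrative construction: SHA-256 over (seed, YYYYMMDD, index) drives each
    label. Not the real GOZ algorithm, but it has the property that matters to
    defenders: the whole daily list is reproducible in advance.
    """
    stamp = _as_date(day).strftime("%Y%m%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + stamp + i.to_bytes(4, "big")).hexdigest()
        # Map hex nibbles to the letters a-p so the label is a valid hostname.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:16])
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def domains_to_sinkhole(start, window_days: int, per_day: int = 1000) -> int:
    """Distinct domains a defender must control to cover `window_days` from `start`."""
    covered = set()
    first = _as_date(start)
    for offset in range(window_days):
        covered.update(generate_domains(first + timedelta(days=offset), per_day))
    return len(covered)


def matches_dga(hostname: str, observed_on, skew_days: int = 1) -> bool:
    """Detection check: is `hostname` in the DGA set for the day it was seen,
    allowing +/- `skew_days` for clock drift on the infected machine?"""
    hostname = hostname.lower().rstrip(".")
    seen = _as_date(observed_on)
    for offset in range(-skew_days, skew_days + 1):
        if hostname in generate_domains(seen + timedelta(days=offset)):
            return True
    return False


if __name__ == "__main__":
    todays = generate_domains(EXAMPLE_DAY)
    print("first three domains for", EXAMPLE_DAY, ":", todays[:3])
    print("domains to sinkhole for a 7-day window:", domains_to_sinkhole(EXAMPLE_DAY, 7))
    print(matches_dga(todays[0], EXAMPLE_DAY), matches_dga("www.example.com", EXAMPLE_DAY))
```

The point of `domains_to_sinkhole` is the arithmetic behind the article's comparison: a 1,000-per-day algorithm forces the defender to hold 7,000 domains for a single week, where the older 1,000-per-week scheme needed 1,000. The check in `matches_dga` is the same operation a sinkhole operator or a DNS-log analyst would run, and the clock-skew window matters in practice because bots with a wrong system date query yesterday's or tomorrow's list.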

Since the company had previously sinkholed GOZ domains, it was able to compare the new telemetry with its earlier data and determined that over the past days more and more infected systems had contacted the sinkhole, “reaching as high as almost 10,000 infected devices.”

However, according to Seculert's figures, the peak was recorded on July 25, and the number of communication requests had dwindled to about 4,000 by July 30.

In the case of Shylock, Raff says that almost 10,000 bots per day tried to communicate with the sinkholed domain. Data from Seculert's systems shows that after July 29 more than 8,000 computers contacted the domain, suggesting that the number was still on the rise.
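The "infected devices per day" figures above come from counting distinct sources hitting a sinkhole, not raw requests. The following is an added example (not Seculert's tooling) of that reduction over a constructed sinkhole log; the log format, the IP addresses and the family labels are made up for the example.

```python
from collections import defaultdict

# Constructed sample of sinkhole hits: "<ISO timestamp> <source IP> <sinkholed family>".
# These lines are invented for the example; a real sinkhole log carries more fields.
SINKHOLE_LOG = """\
2014-07-25T09:12:44Z 198.51.100.23 goz
2014-07-25T09:13:01Z 198.51.100.23 goz
2014-07-25T11:40:10Z 203.0.113.7 goz
2014-07-25T12:02:59Z 192.0.2.88 shylock
this line is garbage and must be skipped
2014-07-30T08:00:00Z 203.0.113.7 goz
2014-07-30T08:05:31Z 192.0.2.88 shylock
2014-07-30T09:17:12Z 192.0.2.91 shylock
"""


def parse_line(line: str):
    """Return (utc_day, source_ip, family) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3 or "T" not in parts[0]:
        return None
    timestamp, ip, family = parts
    return timestamp.split("T", 1)[0], ip, family.lower()


def unique_bots_per_day(log: str, family: str) -> dict[str, int]:
    """Count distinct source IPs per UTC day that hit the sinkhole for `family`.

    A bot that beacons several times in one day (198.51.100.23 above) is
    counted once; that is how "infected devices" rather than "requests" are
    estimated from sinkhole traffic.
    """
    seen = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate corrupt lines instead of aborting the whole run
        day, ip, fam = parsed
        if fam == family.lower():
            seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def peak_day(counts: dict[str, int]):
    """Return (day, count) for the busiest day, or None if there is no data."""
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])


def trend(counts: dict[str, int]) -> str:
    """'rising', 'falling' or 'flat' between the first and last observed day."""
    values = list(counts.values())
    if len(values) < 2 or values[0] == values[-1]:
        return "flat"
    return "rising" if values[-1] > values[0] else "falling"


if __name__ == "__main__":
    for family in ("goz", "shylock"):
        counts = unique_bots_per_day(SINKHOLE_LOG, family)
        print(family, counts, "peak:", peak_day(counts), "trend:", trend(counts))
```

Two caveats apply to any such count, including the ones reported in the article: many machines behind one NAT gateway collapse into a single source address (undercount), while a single machine that changes address through DHCP or a mobile network shows up more than once (overcount). Sinkhole numbers are therefore estimates of botnet size, and day-to-day comparisons like the July 25 peak versus July 30 are more reliable than the absolute figures.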

Although the efforts of law enforcement agencies and private security companies do produce a significant drop in cyber-criminal activity, other threat actors with access to the same malware can pick up where the disrupted operation left off and build new botnets.

After the widely publicized operation to disrupt the Gameover ZeuS botnet, some security companies warned that the fight might not be over, given the resilience of its communication network.

On July 10, Malcovery reported a new strain that had given up the peer-to-peer mechanism and integrated a new DGA.

In the case of Shylock, the actors behind it are believed to be highly organized and unlikely to abandon their operation simply because their botnet was disrupted.

Images (3): Shylock and Gameover ZeuS attempting a comeback. Gameover ZeuS activity before takedown; Gameover ZeuS activity after takedown; Shylock activity after takedown.