Almost half of the infected machines are located in the United States

Aug 14, 2014 23:55 GMT

After law enforcement and private security firms dismantled the botnet created with the help of Gameover Zeus, new variants of the malware emerged and some of them have recorded significant success in building a botnet.

Security researchers from Arbor Networks have tracked the activity of Gameover Zeus variants over the month of July in five sinkhole actions, and noticed a growing number of infections in the United States, with 8,494 IP addresses trying to connect to domains under their control, in an attempt to contact command and control servers for instructions.

Two of the fresh strains discovered in the wild no longer rely on the peer-to-peer (P2P) command and control architecture used by the original threat and adopted the domain generation algorithm (DGA) technique to make contact with the remote server.

“The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated. We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used (0x35190501 and 0x52e645),” writes Dennis Schwarz in a blog post.

Arbor Networks has sinkholed Gameover Zeus domains from the first configuration, since they were the most prevalent in the wild, and observed on July 21 that 241 IP addresses tried to reach the command and control servers, 89% more than the 127 recorded four days earlier.

These numbers continued to grow, although not by much, reaching 429 victims on July 21, most of them being located in the eastern part of the United States.

However, on July 25, security researchers recorded a spike in infections, registering 8,494 victims, all over the US. The 1,879% increase follows a massive spam campaign that distributed the Gameover Zeus variant by the Cutwail botnet.

Four days later, fewer infections were registered (6,173 victims), probably due to actions taken by users to remove the malware from their systems.

“In aggregate and over three weeks, our five sinkholes saw 12,353 unique source IPs from all corners of the globe,” says Schwarz. The most affected country was the United States, accounting for 44% of the infections; next was India, with 22%, followed by the UK (10%).
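The two mechanisms described above, the date-plus-seed DGA quoted from Schwarz and the sinkhole counting of unique victim IPs per day and per country, are shown together in the following added example. It is not Arbor's code and not the malware's: the DGA is a stand-in with the structure the article describes (date and seed hashed into a domain, seed incremented on failure, capped at a maximum number of domains), while the hash, the reserved `.example` TLD, the seed range, the way the quoted constants are mixed in, and the sinkhole log lines are all constructed for this illustration.

```python
"""Added example (not Arbor's or the malware's code): an illustrative date-seeded
DGA with the structure the article describes, plus the sinkhole-side analysis a
defender runs against it. The hashing, the reserved ".example" TLD, the seed
range and the way the quoted constants are mixed in are all constructed here."""
import hashlib
from collections import Counter, defaultdict
from datetime import date, timedelta
from typing import Dict, List, Set

# The two configurations the article mentions: a cap on domains tried and a
# hardcoded value. The numbers are the quoted ones; their use below is assumed.
CONFIGS = {
    "small": {"max_domains": 1_000, "constant": 0x35190501},
    "large": {"max_domains": 10_000, "constant": 0x52E645},
}


def dga_domain(day: date, seed: int, constant: int) -> str:
    """Map (date, seed) to a domain. Deterministic, which is exactly what lets a
    defender precompute and sinkhole the domains before the bots ask for them."""
    material = f"{day.isoformat()}|{seed ^ constant:08x}".encode()
    return hashlib.sha256(material).hexdigest()[:16] + ".example"


def candidate_domains(day: date, config: Dict[str, int]) -> Set[str]:
    """Every domain a bot could try on `day`. The bot's random starting seed only
    changes the order in which it walks the seed range (assumed 0..max_domains-1),
    so the defender simply enumerates the whole range."""
    return {dga_domain(day, s, config["constant"]) for s in range(config["max_domains"])}


def candidates_for_window(center: date, config: Dict[str, int], days: int = 1) -> Dict[str, date]:
    """domain -> generation date for center +/- `days`, so bots whose clocks are a
    day off are still recognised rather than silently dropped."""
    out: Dict[str, date] = {}
    for off in range(-days, days + 1):
        d = center + timedelta(days=off)
        out.update({dom: d for dom in candidate_domains(d, config)})
    return out


def build_sample_log() -> List[str]:
    """Constructed sinkhole log, one query per line: 'YYYY-MM-DD src_ip cc qname'
    (country already GeoIP-enriched). Domains are produced with the example DGA
    so they match; the last two lines are hand-written noise."""
    c = CONFIGS["small"]["constant"]
    d17, d21 = date(2014, 7, 17), date(2014, 7, 21)
    rows = [
        # July 17: one US bot asking twice (must dedupe by IP) and one in India
        f"{d17} 198.51.100.7 US {dga_domain(d17, 5, c)}",
        f"{d17} 198.51.100.7 US {dga_domain(d17, 6, c)}",
        f"{d17} 203.0.113.40 IN {dga_domain(d17, 5, c)}",
    ]
    # July 21: four US bots plus a UK bot whose clock still says July 20
    rows += [f"{d21} 192.0.2.{i + 1} US {dga_domain(d21, i, c)}" for i in range(4)]
    rows.append(f"{d21} 192.0.2.99 GB {dga_domain(d21 - timedelta(days=1), 0, c)}")
    # Noise: an unrelated lookup, and a DGA domain from far outside the window
    rows.append(f"{d21} 192.0.2.200 US www.example")
    rows.append(f"{d21} 192.0.2.201 US {dga_domain(date(2014, 1, 1), 0, c)}")
    return rows


def analyze(lines: List[str], config: Dict[str, int], days: int = 1) -> Dict[str, object]:
    """Count unique infected source IPs per day (the 'victims' figure in sinkhole
    reports), day-over-day growth, and country share, ignoring non-DGA queries."""
    cache: Dict[date, Dict[str, date]] = {}
    victims: Dict[date, Set[str]] = defaultdict(set)
    country_of: Dict[str, str] = {}
    ignored = 0
    for line in lines:
        day_s, ip, cc, qname = line.split()
        day = date.fromisoformat(day_s)
        if day not in cache:
            cache[day] = candidates_for_window(day, config, days)
        if qname.lower() not in cache[day]:
            ignored += 1          # not one of our precomputed DGA domains
            continue
        victims[day].add(ip)      # a set, so repeated queries count once
        country_of[ip] = cc
    ordered = sorted(victims)
    per_day = {d.isoformat(): len(victims[d]) for d in ordered}
    growth = {
        f"{a.isoformat()}->{b.isoformat()}":
            round((len(victims[b]) - len(victims[a])) * 100 / len(victims[a]), 1)
        for a, b in zip(ordered, ordered[1:])
    }
    total = len(country_of)
    share = {cc: round(n * 100 / total, 1) for cc, n in Counter(country_of.values()).most_common()}
    return {"per_day": per_day, "growth_pct": growth, "total_unique": total,
            "country_share": share, "ignored": ignored,
            "window_domains": len(next(iter(cache.values())))}


if __name__ == "__main__":
    for key, value in analyze(build_sample_log(), CONFIGS["small"]).items():
        print(f"{key}: {value}")
```

The design point is the one the article turns on: because the DGA is deterministic in date and seed, whoever knows the algorithm can enumerate the day's candidates ahead of time and register or sinkhole them, and the bot's random starting seed buys it nothing against that. On the counting side, deduplicating by source IP and keeping a one-day window around the log date avoids both double-counting chatty bots and missing bots with skewed clocks.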

According to the researchers, at this time the cybercriminals are not bent on stealing money but rather on building a strong botnet.

Multiple threat actors are currently using variants of Gameover Zeus. Some of them have been in the game since before the disruption of the Citadel campaign: they evaded Microsoft’s takedown in June 2013 by moving to the Gameover Trojan, and then escaped even the efforts to disrupt the Gameover Zeus campaign.