New Gameover Zeus variant steadily rebuilds downed botnet

It’s already widely known that the Gameover Zeus gang, whose activity has been temporarily foiled by a successful multi-national law enforcement takedown in June, is trying to regain lost ground.

The new malware variant – dubbed newGOZ – does not use P2P to reach its C&C servers for instructions, but has been modified to know when particular C&C domains will be online.

“The domain generation algorithm (DGA) uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated,” Arbor Network’s researchers explained.

This change made it possible for them to sinkhole some of these domains, which allowed them to estimate the size of the botnets.

Based of sinkhole data collected on Mondays and Fridays between July 14 and 29, the number of infections has been increasing at a considerable and steady pace, until July 25, when there was an 1879% increase.

This spike, the researchers believe, is due to a large spam campaign detected distributing newGOZ via the Cutwail botnet.

“In aggregate and over three weeks, our five sinkholes saw 12,353 unique source IPs from all corners of the globe,” they shared.

The most infected country was the United States (44%), followed by India (22%) and Great Britain (10%).




Share this