Published on July 13th, 2014


GameOver Zeus Banking Trojan Returns Again


On Thursday, researchers at the security firm Malcovery came across a series of new spam campaigns distributing malware based on the Gameover Zeus code. The malware arrives as an attachment to spam emails that masquerade as legitimate messages from financial institutions, including M&T Bank and NatWest.
"Today Malcovery's analysts identified a new trojan based heavily on the Gameover Zeus binary," the firm's blog post read. "It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed."
Malcovery has published a full disclosure and complete rundown of the botnet, which shows that all the malicious emails it sends to lure users contain a zip file with a .scr attachment inside. Once opened, the file infects the victim's computer and turns it into a zombie under the botnet's control, and the threat is all the more dangerous because many anti-virus solutions failed to detect the malware.
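The lure relies on a .scr file, which Windows treats as an ordinary executable, hidden inside a zip attachment. The following is an added example of a mail-gateway check for that pattern; it is not Malcovery's code or anything from the botnet, and the archive members, names and bytes it builds are constructed for illustration. It flags members by executable extension (so a double-extension name such as statement.pdf.scr is caught) and also by content, so a PE file renamed to .doc is caught too.

```python
"""Inspect an e-mail attachment archive for executable content.

Added example, not Malcovery's or the botnet's code. The file names and
bytes below are constructed for illustration.
"""
import io
import zipfile

# Extensions Windows runs when double-clicked. A .scr "screensaver" is an
# ordinary PE executable under a different extension, which is why the
# lure described above uses it.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def inspect_zip_attachment(data: bytes) -> list:
    """Return (member_name, reason) pairs for suspicious archive members."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a valid zip file")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            # Only the last extension matters to Windows; a name such as
            # statement.pdf.scr is still a screensaver executable.
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
            # Check the content too: a PE file starts with the "MZ" magic,
            # whatever the name claims.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
                findings.append((name, "PE header under a non-executable extension"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a lure archive with a double-extension .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Statement_07-2014.pdf.scr", b"MZ" + b"\x00" * 62)  # fake PE stub
        zf.writestr("readme.txt", b"Please see the attached statement.\n")
        zf.writestr("invoice.doc", b"MZ" + b"\x00" * 62)  # PE hiding behind a .doc name
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```

The extension list is deliberately short; a production filter would also look at nested archives and password-protected zips, which this check cannot open.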

“Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a Domain Generation Algorithm (DGA). The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing,” the analysis of the malware by Brendan Griffin and Gary Warner of Malcovery says.
Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information ‘webinject’ files from the server.
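A DGA loop of this kind leaves a distinctive trace in DNS logs: one host produces a burst of lookups for random-looking names that return NXDOMAIN, followed by the single name that resolves. The following is an added example of that detection run over constructed log lines; it is not Malcovery's analysis code, the log format is assumed, and the name generator is a plain linear congruential generator standing in for a DGA, not the Gameover Zeus algorithm. The sample burst spans about six minutes, so the sliding window is set to ten minutes; a sandbox or detection window shorter than the delay the analysts observed would miss the rendezvous entirely.

```python
"""Flag hosts whose DNS lookups look like a DGA rendezvous loop.

Added example, not Malcovery's analysis code. The log format, the sample
lines and the name generator are constructed for illustration; the
generator is a plain LCG and not the Gameover Zeus DGA.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 timestamp> <client IP> <query name> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>[\d.]+) (?P<qname>\S+) (?P<rcode>\w+)$")


def parse_dns_log(lines):
    """Parse log lines into (timestamp, client, qname, rcode), oldest first."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        records.append((datetime.fromisoformat(m["ts"]), m["client"],
                        m["qname"].lower(), m["rcode"].upper()))
    records.sort(key=lambda r: r[0])
    return records


def flag_dga_clients(records, window=timedelta(minutes=10), threshold=15):
    """Return {client: info} for clients with >= threshold NXDOMAINs inside one window.

    The first name that resolves after the burst is recorded too: in the
    case above that is the single generated domain that reached a live server.
    """
    recent = defaultdict(deque)  # client -> timestamps of NXDOMAIN answers in window
    flagged = {}
    for ts, client, qname, rcode in records:
        q = recent[client]
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        if rcode == "NXDOMAIN":
            q.append(ts)
            if len(q) >= threshold:
                entry = flagged.setdefault(client, {"nxdomain_in_window": 0, "first_success": None})
                entry["nxdomain_in_window"] = max(entry["nxdomain_in_window"], len(q))
        elif rcode == "NOERROR" and client in flagged and flagged[client]["first_success"] is None and q:
            flagged[client]["first_success"] = qname
    return flagged


def fake_dga(seed, count, length=12):
    """Constructed stand-in for a DGA: LCG-driven random-looking .com names."""
    names = []
    for _ in range(count):
        chars = []
        for _ in range(length):
            seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF
            chars.append(chr(ord("a") + (seed >> 16) % 26))
        names.append("".join(chars) + ".com")
    return names


def sample_log_lines():
    """Constructed sample: 10.0.0.23 fails 20 generated names over ~6 minutes,
    then resolves the 21st; 10.0.0.45 is ordinary traffic with one typo."""
    t0 = datetime(2014, 7, 10, 9, 0, 0)
    names = fake_dga(0x5EED, 21)
    lines = []
    for i, name in enumerate(names[:20]):
        lines.append(f"{(t0 + timedelta(seconds=20 * i)).isoformat()} 10.0.0.23 {name} NXDOMAIN")
    lines.append(f"{(t0 + timedelta(seconds=400)).isoformat()} 10.0.0.23 {names[20]} NOERROR")
    benign = ["mail.example.com", "www.example.com", "cdn.example.net", "login.example.org"]
    for i, name in enumerate(benign):
        lines.append(f"{(t0 + timedelta(seconds=45 * i)).isoformat()} 10.0.0.45 {name} NOERROR")
    lines.append(f"{(t0 + timedelta(seconds=300)).isoformat()} 10.0.0.45 wwww.example.com NXDOMAIN")
    return lines


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_dns_log(sample_log_lines())).items():
        print(client, info)
```

The threshold and window are tuning knobs: too low a threshold flags hosts with a misconfigured search domain, too short a window misses a slow loop like the one described here.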


This new Gameover Zeus botnet has a more robust implementation that makes it even more difficult to combat than the previous one.
As Malcovery writes, “this discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”
On Friday, the Department of Justice released a statement saying that this new Gameover Zeus botnet was not linked with the botnet that it previously targeted.

The Justice Department said that “all or nearly all of the active computers infected with Gameover Zeus have been liberated from the criminals’ control and are now communicating exclusively with the substitute server established pursuant to court order.”

The Justice Department also reported that traffic data from the substitute server shows that remediation efforts by Internet service providers and victims have reduced the number of computers infected with Gameover Zeus by 31 percent since the disruption commenced.
