August 14, 2014, 12:21 PM — Cybercriminals are in the process of rebuilding the Gameover Zeus (GOZ) botnet, which law enforcement authorities took over in June, and recent research suggests that they've had some success, especially in the U.S.
The original GOZ botnet was built using a modified version of the infamous Zeus trojan program and was designed to steal online banking and other credentials from infected computers. The GOZ malware authors created a command-and-control infrastructure with a peer-to-peer architecture, making their botnet more resilient to takeover attempts.
Despite the technical challenges, the U.S. Department of Justice, working with foreign law enforcement agencies and private security companies, managed to seize control of the botnet in early June. Its size was estimated to be between 500,000 and 1 million infected computers at that time, with 25 percent of them located in the U.S.
On July 11, researchers from a company called Malcovery Security spotted a new variant of Gameover Zeus that had stopped using a peer-to-peer-based command-and-control infrastructure in favor of domain names.
Most malware programs are designed to connect to a hardcoded list of domain names associated with command-and-control servers. However, the new GOZ version uses a domain generation algorithm (DGA) to create a list of hundreds or thousands of new, random-looking domain names every day and then attempts to contact them.
Knowing how the DGA works, attackers can predict what domain names the malware will attempt to contact on a particular day. They can register one of them in advance, assign it to a server, and wait for the infected computers to connect in order to give them new instructions.
This makes it hard for security researchers to permanently take control of the botnet, because new domains are generated constantly. If they work out the algorithm and register some of the domains themselves, however, they can temporarily interact with the botnet. This kind of operation, known as sinkholing, can at the very least be used to estimate the number of infected systems that are part of the botnet.
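To make the DGA and sinkholing ideas concrete, here is an added example that is not from the article and does not reproduce the Gameover Zeus algorithm. It uses a constructed, illustrative DGA (seed plus date hashed with SHA-256), pre-computes the domains a defender would expect for a week, and then checks constructed DNS query log lines against that watchlist, as a sinkhole operator or an internal DNS monitor would, counting the distinct clients that resolved a generated domain. The log format, the seed, and all function names are assumptions for this example.

```python
import datetime
import hashlib

# Constructed toy DGA for illustration only; NOT the Gameover Zeus algorithm.
TLDS = ("com", "net", "org", "biz")
SEED = "example-seed"  # assumed per-family constant baked into the malware


def generate_domains(day_iso, count=5, seed=SEED):
    """Return the deterministic list of domains for an ISO date string."""
    domains = []
    for i in range(count):
        material = f"{seed}|{day_iso}|{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                              # 12 hex chars as the label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]     # last byte picks the TLD
        domains.append(f"{label}.{tld}")
    return domains


def build_watchlist(start_day_iso, days_ahead, count=5):
    """Pre-compute every domain the DGA will emit over the coming days.

    Knowing the algorithm lets a defender register, block, or alert on these
    names ahead of time. Maps domain -> ISO date on which it is active.
    """
    start = datetime.date.fromisoformat(start_day_iso)
    watch = {}
    for offset in range(days_ahead):
        day_iso = (start + datetime.timedelta(days=offset)).isoformat()
        for domain in generate_domains(day_iso, count):
            watch[domain] = day_iso
    return watch


def match_dns_log(lines, watchlist):
    """Scan constructed log lines '<timestamp> <client-ip> <query-name>'.

    Returns (client, domain, active_day) for each query that hits a DGA domain.
    Malformed lines are skipped; names are normalised (trailing dot, case).
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()
        if qname in watchlist:
            hits.append((client, qname, watchlist[qname]))
    return hits


def estimate_infected_clients(hits):
    """The sinkhole-style estimate: distinct clients that resolved a DGA domain."""
    return {client for client, _domain, _day in hits}


# Constructed DNS log. Two lines deliberately embed domains from the toy DGA
# so the matcher has something to find; the rest is benign noise or malformed.
SAMPLE_DAY = "2014-07-11"
SAMPLE_LOG = [
    "2014-07-11T08:01:02 10.0.0.5 www.example.com.",
    f"2014-07-11T08:01:09 10.0.0.5 {generate_domains(SAMPLE_DAY)[0]}.",
    "2014-07-11T08:02:15 10.0.0.9 update.example.net.",
    f"2014-07-11T08:03:40 10.0.0.9 {generate_domains(SAMPLE_DAY)[2].upper()}",
    "2014-07-11T08:04:00 10.0.0.5 malformed line with extra fields",
]

if __name__ == "__main__":
    watch = build_watchlist(SAMPLE_DAY, days_ahead=7)
    found = match_dns_log(SAMPLE_LOG, watch)
    for client, domain, day in found:
        print(f"{client} queried DGA domain {domain} (active {day})")
    print("distinct clients seen:", len(estimate_infected_clients(found)))
```

The watchlist is what separates a DGA from a hardcoded domain list from the defender's point of view: with a static list you block what you see, whereas with a recovered DGA you can block or sinkhole names before the malware ever resolves them, and every resolution that does reach the sinkhole becomes a data point for the infected-host count the article mentions.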