Slashdot Mirror


Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet

New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)

30 of 62 comments

  1. Just to be clear... by djupedal · · Score: 1

    'fast fluxing' is the result of zombiefied router storms gone rouge.

    1. Re:Just to be clear... by Deadstick · · Score: 4, Funny

      Well, as long as they don't go eyeliner...

    2. Re:Just to be clear... by gstoddart · · Score: 2

      Or, worse, guyliner.

      --
      Lost at C:>. Found at C.
  2. Can they use this to reclaim the zombies? by timrod · · Score: 1

    The article from Brian Krebs seems to indicate that this new variant of Gameover can interface with the old one somehow, and be used to recover all of the infected computers that were part of the original Gameover botnet. Is this true, or is this an attempt to re-build the Gameover Zeus botnet from scratch?

    1. Re:Can they use this to reclaim the zombies? by GarWarner · · Score: 2

      When a botnet uses a DGA (Domain Generation Algorithm) it is usually for the purpose of reconnecting "lost bots" or to avoid the need to have a hard-coded Command & Control server address. But in this case, the original GameOver Zeus can't be recaptured because all of the domains that can be generated by the GOZ DGA have been "locked up" by the FBI's case. The Temporary Restraining Orders (TRO) that were issued prevented any ICANN Registrar from registering any domain that would be used in the "near future" by the DGA. (By understanding the DGA you can feed it future dates so it can spit out the domains it will use later - at least many weeks' worth of domains were included in the court order.) The problem was that some of the original GOZ DGA domains were ".ru" and you can imagine that the Department of Justice really can't give orders about what happens with ".ru" domains. The TRO handled that aspect by ordering the largest ISPs in the US to forbid any of their customer computers from being able to talk to those domains. Some of this was handled by routing DNS requests for these domains to .gov controlled computers while others were handled by ISPs and security companies monitoring for traffic trying to reach those domains and issuing information back to the customers to help them get their machines cleaned up. (If you really want the geeky legal stuff, I wrote much more about that here: http://garwarner.blogspot.com/... ) Anyway, all of that to say, the *NEW* GOZ has a DIFFERENT DGA, but the *ORIGINAL* GOZ bots don't use that DGA, so there is very little chance of a reconnection. While Malcovery did prove that at least 5 of the 1,000 domains generated by the NEW DGA were ALSO on the old DGA, those domains are "locked up" as above and can't be used.

      We've already had good response from the security community with people beginning to "sink hole" some of the newGOZ DGA domains to identify what level of infection there may be already and to work hard on terminating the handful of domains the criminals have registered from that list so far. I hope that answered your question ... I suppose the better answer might have been "No." Gary Warner (full-disclosure - a Malcovery employee)
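The pre-computation Gary Warner describes (run the DGA forward over future dates, then block or sinkhole the output and watch for bots querying it), as an added example that is not part of this post or Malcovery's code. The DGA itself is a hypothetical toy standing in for the real one; `SAMPLE_START`, `SAMPLE_LOG`, the seed and the TLD list are all constructed.

```python
"""Run a known DGA forward to pre-compute its future domains, then match DNS logs.

Added example, not code from the page or Malcovery. The DGA is a HYPOTHETICAL
toy (SHA-256 over a constructed seed and the ISO week), not the real Gameover
ZeuS algorithm; feeding it future dates is the technique the post describes."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz", "ru")  # assumed: names spread over several TLDs
DOMAINS_PER_WEEK = 10                       # assumed list size per week
SEED = b"constructed-toy-seed"              # constructed, not a real malware constant
SAMPLE_START = date(2014, 7, 14)            # constructed: a Monday, ISO week 29

def dga_domains(day: date, count: int = DOMAINS_PER_WEEK) -> list[str]:
    """Toy DGA: the same list for every day of an ISO week, a fresh list next week."""
    year, week, _ = day.isocalendar()
    names = []
    for i in range(count):
        h = hashlib.sha256(SEED + f"{year}-{week}-{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:16])  # 16 gibberish letters
        names.append(f"{label}.{TLDS[h[16] % len(TLDS)]}")
    return names

def future_blocklist(start: date, weeks: int) -> set[str]:
    """Advance the DGA week by week: the names a restraining order or sinkhole must cover."""
    names: set[str] = set()
    for w in range(weeks):
        names.update(dga_domains(start + timedelta(weeks=w)))
    return names

def flag_dga_lookups(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Return (client_ip, qname) for resolver log lines that query a pre-computed name.
    Constructed log format: '<time> <client_ip> <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits

SAMPLE_LOG = [  # constructed resolver log: one DGA query, one benign lookup
    f"12:00:01 10.0.0.5 {dga_domains(SAMPLE_START)[0]}. A",
    "12:00:02 10.0.0.6 www.example.com. A",
]

if __name__ == "__main__":
    print(flag_dga_lookups(SAMPLE_LOG, future_blocklist(SAMPLE_START, weeks=4)))
```

A client that appears in the hits is a likely infection to chase down; the blocklist itself is what a registrar hold or a resolver sinkhole would be fed.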

  3. Re:And how does it get these domains? by chfriley · · Score: 1

    They just need to register ONE of them to reestablish contact. They might even be able to use "domain tasting" to register a bunch and then cancel within 5 days.

  4. Fast Flux by Himmy32 · · Score: 3, Informative

    The article linked to Wikipedia on what Fast Flux was:

    > The basic idea behind Fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS records.

    In case anyone else didn't know what Fast flux was.

    1. Re:Fast Flux by dunkindave · · Score: 1

      The idea behind fast-flux is to make blocking or recognizing an activity based on IP addresses essentially impossible, since by the time the bad IP address is known, communicated, and entered into whatever system is doing the blocking or detection, the addresses have changed to a new set and the race starts over. 5 to 15 minutes is a common rolling period for these people.
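The race dunkindave describes (addresses rotate faster than a blocklist can be updated) is also what gives fast flux away when you stop matching single IPs and look at a name's resolution history instead. An added example, not from any comment on the page, with constructed snapshots and assumed thresholds:

```python
"""Heuristic fast-flux detector over repeated resolutions of one hostname.

Added example, not from the page. Each snapshot is (seconds, ttl, [A records]),
constructed here. The signal is not the low TTL alone (CDNs use those too) but
a constantly growing set of IPs spread across many networks, with the answer
set changing on nearly every re-resolution, the race the comment describes.
"""
FLUX_MAX_TTL = 300          # assumed: TTL of a few minutes or less
FLUX_MIN_DISTINCT_IPS = 8   # assumed: over the whole observation window
FLUX_MIN_NETWORKS = 4       # assumed: distinct /16 prefixes (compromised hosts are scattered)
FLUX_MIN_CHURN = 0.5        # assumed: fraction of re-resolutions whose answer set changed

def score_fluxiness(snapshots):
    """Return (distinct_ips, distinct_slash16, min_ttl, churn) for one hostname."""
    seen, nets = set(), set()
    min_ttl, changes, prev = None, 0, None
    for _, ttl, answers in snapshots:
        cur = frozenset(answers)
        seen |= cur
        nets.update(".".join(a.split(".")[:2]) for a in cur)  # /16 prefix, IPv4 only
        min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        if prev is not None and cur != prev:
            changes += 1
        prev = cur
    churn = changes / max(len(snapshots) - 1, 1)
    return len(seen), len(nets), min_ttl, churn

def is_fast_flux(snapshots):
    """All four thresholds must trip, so a low-TTL CDN name with a stable pool passes."""
    ips, nets, ttl, churn = score_fluxiness(snapshots)
    return (ttl is not None and ttl <= FLUX_MAX_TTL and ips >= FLUX_MIN_DISTINCT_IPS
            and nets >= FLUX_MIN_NETWORKS and churn >= FLUX_MIN_CHURN)

# Constructed data: a flux name handing out three fresh hosts on every resolution ...
FLUX_SAMPLE = [(t * 180, 180, [f"10.{3 * t + k}.0.{k + 1}" for k in range(3)]) for t in range(5)]
# ... versus a low-TTL CDN name that keeps returning the same three addresses.
CDN_SAMPLE = [(t * 60, 60, ["192.0.2.10", "192.0.2.11", "192.0.2.12"]) for t in range(5)]

if __name__ == "__main__":
    for name, snaps in (("flux", FLUX_SAMPLE), ("cdn", CDN_SAMPLE)):
        print(name, score_fluxiness(snaps), is_fast_flux(snaps))
```

Feeding this a passive-DNS history for a suspect name is the usual way to run it; the thresholds are starting points to tune against your own resolver's baseline.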

    2. Re:Fast Flux by GarWarner · · Score: 2

      Actually I tried to give an example of how the Fast Flux works, both generally and in this specific case, on this blog post this morning: http://garwarner.blogspot.com/... Let me know if you still have any questions about it . . .

  5. Re:And how does it get these domains? by dunkindave · · Score: 2

    You can't, but in order to regain control, all they need to do is successfully register ONE of them so when the botnet swarm tries to phone home it finds that one and they are back in business. Based on the summary, each week it tries a different list of random domain names so they can keep trying, week after week, until they succeed. I am also presuming these domains are spread across multiple TLDs so it isn't just a matter of having the registrar for .com or .org block them. They would also need to get all the country TLD registrars to block the list as well.

  6. Windows or everyone? by CauseBy · · Score: 1

    I stopped paying attention to botnet stories a few years ago. Are botnets still always on Windows or do Unix users (Mac, Linux) have to worry too? If it's still all Windows then I'm going to stop paying attention again.

    1. Re:Windows or everyone? by Albanach · · Score: 2

      Of course Linux is targeted. There are large numbers of Linux servers, with fast processors and very fast high capacity network connections. Making matters worse, because they often run important services, people may be slower to upgrade packages/kernels.

      I don't know about this particular botnet, but it's been a long time since saying "I don't run windows" counted as a security strategy.

    2. Re:Windows or everyone? by NotInHere · · Score: 1

      There was even an almost pure UNIX botnet that pinged every IPv4 address in the world.

    3. Re:Windows or everyone? by lister+king+of+smeg · · Score: 1

      Assuming we are talking about the same botnet, if I remember reading about it correctly it used a list of default passwords. If you are using a default password on any system you are going to get pwned hard.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    4. Re:Windows or everyone? by NotInHere · · Score: 1

      Yes it used a default password list.

    5. Re:Windows or everyone? by Dishevel · · Score: 1

      People who say that shit are not using Linux. They are using Windows and trying to sound like they know something about tech.

      Linux users are fairly smart, and value security.

      I do not have to worry too much about viruses and botnets but that is because I harden my systems so that people looking to get in cannot. We all do it. Install only the components we need. Whitelist where possible. External firewalls and compartmentalizing.

      Any decent Linux guy has a system that is fairly secure.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    6. Re:Windows or everyone? by Dishevel · · Score: 1

      To be fair though, a huge part of Linux's good security is the ability to remove or never put in things you have no use for.

      Not always so easy with Windows.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
  7. You have to destroy by Anonymous Coward · · Score: 1

    all 42 horcruxes

  8. botnets are still Windows. Set a router password by raymorris · · Score: 1

    This botnet, like the one the malware is based on, is Windows only. The botnet that was used to seed this one is also Windows only.

    There have been two botnets that kinda-sorta might be interesting to Linux and Mac users. In one, if you used a Windows desktop to ssh to a Linux server, the infected Windows machine could reveal the user name and password that you used from Windows. In the other, some idiots left the default admin user name and passwords on their routers, some of which run Linux. Surprisingly, if the bad guy knows your username and password, that's a bad thing no matter what operating system you use.

  9. Make VM OS read-only unless updating by raymorris · · Score: 1

    > suggests that using a VM obtains a measure of safety.

    You can make it almost perfectly secure by mounting Documents from another disk or image and marking the operating system VM read-only, or snapshotted so it reverts state on reboot.

    Toggle it read-write while you update the OS or install new software.

    1. Re:Make VM OS read-only unless updating by Gothmolly · · Score: 1

      Not a bad idea to keep things like /bin and /sbin and their brethren RO as well.

      --
      I want to delete my account but Slashdot doesn't allow it.
    2. Re:Make VM OS read-only unless updating by Opportunist · · Score: 1

      Nope. The current version of this piece of internet-pus walks down mounted network devices, too.

      So far they don't go for your network environment to hunt down unmounted shares. Not yet, at least.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Make VM OS read-only unless updating by Opportunist · · Score: 1

      While a good idea, it's not that easy for Windows users. Especially since the "basic" (aka "premium") versions of Win7 come even without the ability to limit execution of files in certain directories (which would surprisingly actually defeat this pus, at least the variants that I'm aware of, my knowledge in this area is a bit dated, though).

      Guess you have to pay extra with Microsoft if you want some semblance of security...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  10. Re:And how does it get these domains? by tlhIngan · · Score: 1

    > They just need to register ONE of them to reestablish contact. They might even be able to use "domain tasting" to register a bunch and then cancel within 5 days.

    Domain tasting is no longer possible - ICANN started charging 25 cents per domain registration years ago to counteract domain squatting where they'd register a bunch of domains, see if they make money, and return them if they don't.

    By charging 25 cents always, it seems to have cut down the practice immensely because you need to register thousands of domains at a time, and that costs real scratch.

  11. Re:And how does it get these domains? by Opportunist · · Score: 1

    Peanuts compared to the revenue. We're talking millions here.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. read-only OS doesn't execute random files by raymorris · · Score: 1

    Suppose you have nastyshit.exe in your documents folder. How is it going to get executed? At boot, by a registry entry? Nope, because all the boot stuff, including the registry, is read-only. How did it get there in the first place? Not from malware resident on the system, because the system is read-only.

    1. Re:read-only OS doesn't execute random files by Opportunist · · Score: 1

      It got there using a buffer overflow in one of your outdated (read: 2 days since patch) programs and also got executed that way. The downloader wrote it into your %appdata%\roaming folder (where it has write access without you needing elevated privileges) and got started likewise.

      Why can files in %appdata%\roaming be run at all? Ask MS. I don't see a good reason why files located there should be executable. Actually, there are very few user-writeable areas where execution of files makes sense, and not allowing it would increase the security of Windows by leaps and bounds.

      Sadly, you need at least Win7 Professional to make it so. Well, it is technically possible to get Win7 Home Premium to perform it, but the hassle is maybe not far away from having to reinstall the system and restore a backup if the malware strikes...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  13. Re:ANDROID proves you wrong by Dishevel · · Score: 1

    All I hear is ...

    "I'm a big man. Don't fuck with me. I can take out anyone. I am smarter than all."

    from an AC.

    Ok. You are awesome.

    Feel better?

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  14. Re:Yup, just like I thought... apk by Dishevel · · Score: 1

    Android is not Linux. It is forked off of Linux and then has all kinds of phone-only, no-security crap loaded. Still, you could get really pedantic and state it is Linux anyway.

    But what you can not do is state that everyone with an Android phone is a Linux user. Just as people with a smart TV are not Linux users. Trying to equate people with phones to Linux users in order to "Destroy" my point only proves you have no leg to stand on.

    So go back into your parents basement and cry.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?
  15. Re:Ahem: Bullshit (Android IS a Linux variant) by Dishevel · · Score: 1

    And this movie is based on that story.

    Again. People with Android phones are not Linux users. This is proven by the quote you pulled.

    Thanks for playing. You lose.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?