Slashdot Mirror


User: GarWarner

GarWarner's activity in the archive.


Comments · 4

  1. Re:Can they use this to reclaim the zombies? on Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet · · Score: 2

    When a botnet uses a DGA (Domain Generation Algorithm) it is usually for the purpose of reconnecting "lost bots" or to avoid the need to have a hard-coded Command & Control server address. But in this case, the original GameOver Zeus can't be recaptured because all of the domains that can be generated by the GOZ DGA have been "locked up" by the FBI's case. The Temporary Restraining Orders (TRO) that were issued prevented any ICANN Registrar from registering any domain that would be used in the "near future" by the DGA. (By understanding the DGA you can feed it future dates so it can spit out the domains it will use later - at least many weeks worth of domains were included in the court order.) The problem was that some of the original GOZ DGA domains were ".ru" and you can imagine that the Department of Justice really can't give orders about what happens with ".ru" domains. The TRO handled that aspect by ordering the largest ISPs in the US to forbid any of their customer computers from being able to talk to those domains. Some of this was handled by routing DNS requests for these domains to .gov controlled computers while others were handled by ISPs and security companies monitoring for traffic trying to reach those domains and issuing information back to the customers to help them get their machines cleaned up. (If you really want the geeky legal stuff, I wrote much more about that here: http://garwarner.blogspot.com/... )

    Anyway, all of that to say, the *NEW* GOZ has a DIFFERENT DGA, but the *ORIGINAL* GOZ bots don't use that DGA, so there is very little chance of a reconnection. While Malcovery did prove that at least 5 of the 1,000 domains generated by the NEW DGA were ALSO on the old DGA, those domains are "locked up" as above and can't be used.

    We've already had good response from the security community with people beginning to "sink hole" some of the newGOZ DGA domains to identify what level of infection there may be already and to work hard on terminating the handful of domains the criminals have registered from that list so far. I hope that answered your question ... I suppose the better answer might have been "No." Gary Warner (full-disclosure - a Malcovery employee)
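An added example, not part of the comment above or of any Malcovery or GOZ code: a constructed toy DGA (not the real GOZ algorithm, whose details the comment does not give) used the way the comment describes on the defender's side, fed future dates to pre-enumerate the domains for a blocking window and split into what a registrar order can withhold versus what has to go to an ISP-side DNS block list. The TLD set and the ".ru" rule are assumptions for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; NOT the GameOver Zeus algorithm.
TLDS = [".com", ".net", ".org", ".ru"]  # assumed TLD set for the toy DGA


def toy_dga(day: date, count: int = 4) -> list[str]:
    """Derive `count` domains for one calendar day from a date-seeded hash."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}-{i}".encode()).hexdigest()
        # Map hex digits onto letters a..p so the label looks like a DGA name.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(label + TLDS[int(digest[12], 16) % len(TLDS)])
    return domains


def future_domains(start: date, weeks: int) -> list[str]:
    """Enumerate every domain the DGA will use over the coming window.

    This is the step the comment describes: feed future dates into the DGA
    so the resulting list can go into a court order or a sinkhole config."""
    out = []
    for offset in range(weeks * 7):
        out.extend(toy_dga(start + timedelta(days=offset)))
    return out


def split_by_reach(domains, unreachable_tlds=(".ru",)):
    """Partition domains by enforcement route.

    Domains under TLDs outside the court's reach (the comment's ".ru" case)
    cannot be withheld at the registrar, so they go to the ISP DNS block list."""
    registrar_block, isp_block = [], []
    for d in domains:
        (isp_block if d.endswith(unreachable_tlds) else registrar_block).append(d)
    return registrar_block, isp_block


def build_blocklists(start: date, weeks: int) -> dict[str, list[str]]:
    """Deduplicated, sorted lists ready for a registrar order and an ISP feed."""
    registrar_block, isp_block = split_by_reach(future_domains(start, weeks))
    return {"registrar": sorted(set(registrar_block)),
            "isp_dns": sorted(set(isp_block))}


if __name__ == "__main__":
    lists = build_blocklists(date(2014, 7, 10), weeks=2)
    print(len(lists["registrar"]), "registrar-level;", len(lists["isp_dns"]), "ISP DNS-level")
```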

  2. Re:Fast Flux on Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet · · Score: 2

    Actually I tried to give an example of how the Fast Flux works, both generally and in this specific case, on this blog post this morning: http://garwarner.blogspot.com/... Let me know if you still have any questions about it . . .

  3. Re:eBook pricing on E-Books Are Only 6% of Printed Book Sales · · Score: 1

    I read several books a week, but I get them at the library and when I buy, I first check Amazon's "Used Books" section. When I do buy a new book, which I do a couple times a month, I donate them to my library when I'm done. How do I donate my used eBooks from my Kindle? How do I buy a used eBook for my Kindle?

  4. Hong Kong busts? on $9 Million ATM Hacking Ring Indicted · · Score: 1

    Does anyone have more information on the Hong Kong and Netherlands roles in this case? I blogged a summary of charges, including some of the SQL Statements the baddies were using to monitor, change limits on, and monitor "their" cards from the indictment here: CyberCrime & Doing Time. The part I'm trying to find more data on comes from this bit from the FBI Press Release: Cooperation between the Hong Kong Police Force and the FBI also led to a parallel investigation, resulting in the identification and arrest of two individuals who were responsible for withdrawing RBS WorldPay funds from ATM terminals in Hong Kong. The Netherlands Police Agency National Crime Squad High Tech Crime Unit and the Netherlands National Prosecutor’s Office provided key assistance in the investigation. Does anyone know what the Netherlands Police Agency contributed to the case? Does anyone have information on possible related arrests in Hong Kong? Thanks! GarWarner