Botnet Security

Gameover ZeuS Re-Emerges As Fast-Fluxing Botnet

Posted by Soulskill
from the game-not-quite-over-after-all dept.
New submitter tylke (621801) writes: "Brian Krebs is reporting that the Gameover ZeuS botnet recently taken down by the U.S. Justice Department in June has re-emerged. The new variant of the Trojan is "stripped of the P2P code, and relies instead on an approach known as fast-flux hosting," a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind a network of compromised systems. Krebs says, "[T]his variant also includes a 'domain name generation algorithm' or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters). In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there." (Disclosure: I work for Malcovery Security, the company credited with identifying the new variant.)

  • 'fast fluxing' is the result of zombified router storms gone rogue.
  • The article from Brian Krebs seems to indicate that this new variant of Gameover can interface with the old one somehow, and be used to recover all of the infected computers that were part of the original Gameover botnet. Is this true, or is this an attempt to re-build the Gameover Zeus botnet from scratch?

    • When a botnet uses a DGA (Domain Generation Algorithm) it is usually for the purpose of reconnecting "lost bots" or to avoid the need to have a hard-coded Command & Control server address. But in this case, the original GameOver Zeus can't be recaptured because all of the domains that can be generated by the GOZ DGA have been "locked up" by the FBI's case. The Temporary Restraining Orders (TRO) that were issued prevented any ICANN Registrar from registering any domain that would be used in the "near f
  • Fast Flux (Score:4, Informative)

    by Himmy32 (650060) on Friday July 11, 2014 @02:12PM (#47432907)
    The article linked to Wikipedia on what Fast Flux was:

    The basic idea behind Fast flux is to have numerous IP addresses associated with a single fully qualified domain name, where the IP addresses are swapped in and out with extremely high frequency, through changing DNS records.

    In case anyone else didn't know what Fast flux was.
    • The idea behind fast-flux is to make blocking or recognizing an activity based on IP addresses essentially impossible, since by the time the bad IP address is known, communicated, and entered into whatever system is doing the blocking or detection, the addresses have changed to a new set and the race starts over. 5 to 15 minutes is a common rolling period for these people.
    • Actually I tried to give an example of how the Fast Flux works, both generally and in this specific case, on this blog post this morning: http://garwarner.blogspot.com/... [blogspot.com] Let me know if you still have any questions about it . . .
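    The fast-flux and DGA behaviour described in the story submission and in this thread can be spotted in passive DNS data. The following is an added example (not code from the story, from Krebs, or from Malcovery): it flags a name as fast-flux when it resolves to many distinct IPs with short TTLs inside one window, and applies a crude lexical heuristic for DGA-style "jumbles of letters". The DNS records, names and addresses are constructed for illustration and are not indicators from the article.

```python
import math
from collections import defaultdict

# Constructed passive-DNS observations: (seconds, fqdn, ttl, resolved_ip).
# The names and addresses are made up for illustration, not indicators from the story.
SAMPLE_DNS = [
    (0,    "update.example-flux.test", 180, "203.0.113.10"),
    (300,  "update.example-flux.test", 180, "198.51.100.7"),
    (600,  "update.example-flux.test", 180, "192.0.2.44"),
    (900,  "update.example-flux.test", 180, "203.0.113.99"),
    (1200, "update.example-flux.test", 180, "198.51.100.200"),
    (0,    "www.example-static.test", 86400, "192.0.2.1"),
    (900,  "www.example-static.test", 86400, "192.0.2.1"),
    (0,    "xkqzvbtmrwplaqe.test", 120, "203.0.113.5"),
]

def fast_flux_domains(records, window=3600, max_ttl=300, min_ips=4):
    """Return {fqdn: bool}: True when the name resolved to at least `min_ips`
    distinct addresses within `window` seconds of its first sighting and every
    answer carried a TTL of at most `max_ttl`. That pairing (many IPs, short
    TTLs) is the fast-flux pattern; a static site keeps one IP and a long TTL."""
    by_name = defaultdict(list)
    for ts, name, ttl, ip in records:
        by_name[name].append((ts, ttl, ip))
    verdict = {}
    for name, obs in by_name.items():
        obs.sort()
        first = obs[0][0]
        in_window = [(ttl, ip) for ts, ttl, ip in obs if ts - first <= window]
        ips = {ip for _, ip in in_window}
        verdict[name] = len(ips) >= min_ips and max(ttl for ttl, _ in in_window) <= max_ttl
    return verdict

def looks_like_dga(fqdn, min_len=12, max_vowel_ratio=0.25, min_entropy=3.2):
    """Crude lexical check for the 'long jumbles of letters' a DGA emits: a long
    leftmost label with few vowels and high character entropy. It is a triage
    heuristic only; real DGA families need per-family reverse engineering."""
    label = fqdn.split(".")[0].lower()
    if len(label) < min_len:
        return False
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    probs = [label.count(c) / len(label) for c in set(label)]
    entropy = -sum(p * math.log2(p) for p in probs)
    return vowel_ratio <= max_vowel_ratio and entropy >= min_entropy

if __name__ == "__main__":
    for name, flagged in fast_flux_domains(SAMPLE_DNS).items():
        print(f"{name:28} fast-flux={flagged!s:5} dga-like={looks_like_dga(name)}")
```

    The thresholds are starting points for triage; legitimate CDNs also rotate addresses, so a hit should be correlated with other signals (ASN diversity of the answers, age of the domain) before blocking.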
  • I stopped paying attention to botnet stories a few years ago. Are botnets still always on Windows or do Unix users (Mac, Linux) have to worry too? If it's still all Windows then I'm going to stop paying attention again.

    • by Albanach (527650)

      Of course Linux is targeted. There are large numbers of Linux servers, with fast processors and very fast high capacity network connections. Making matters worse, because they often run important services, people may be slower to upgrade packages/kernels.

      I don't know about this particular botnet, but it's been a long time since saying "I don't run windows" counted as a security strategy.

      • There was even an almost pure UNIX botnet, that has pinged every ipv4 address in the world.

        • Assuming we are talking about the same botnet, if I remember reading about it correctly it used a list of default passwords. If you are using a default password on any system you are going to get pwned hard.

    • This botnet, like the one the malware is based on, is Windows only. The botnet that was used to seed this one is also Windows only.

      There have been two botnets that kinda-sorta might be interesting to Linux and Mac users. In one, if you used a Windows desktop to ssh to a Linux server, the infected Windows machine could reveal the user name and password that you used from Windows. In the other, some idiots left the default admin user name and passwords on their routers, some of which run Linux. Surprisingly,

  • by Anonymous Coward

    all 42 horcruxes
