"Gameover" malware revival - is it really up from the canvas?

Filed Under: Botnet, Featured, Law & order, Malware

When we talk about "the XYZ malware," especially when law enforcement conducts some sort of takedown, we never literally mean "one piece of malware."

We're just using synecdoche, which is the dinner-party way of referring to a figure of speech where you let a part refer to the whole.

In the same way that we casually use the word virus these days to talk about malware in general, rather than just the special sort of malware that spreads by itself, so we talk about Zeus and Gameover to mean a whole raft of malware produced as part of extensive cybercrime operations.

Indeed, SophosLabs encounters hundreds of thousands of distinct new malware samples per day, although that's just the count of different files we process.

→ In this context, different could be two all-but-identical files of the same malware family that differ in a single byte, or two completely unrelated samples in different programming languages for different platforms. Thanks to proactive detection, you don't need 100,000 updates each day to track all these new samples. Most of them get mopped up automatically because they're what you might call "derivative works". That number is just a reminder that once cybercriminals see that a strain of malware is making them money, they'll keep on plugging away with it.

So we were delighted to write, in early June 2014, about the takedown of a sizeable part of the criminal infrastructure behind the Gameover botnet and the CryptoLocker ransomware.

We didn't for a moment think that this takedown would be a permanent cure, because it wasn't really a cure at all: pulling the plug on the servers at the heart of a botnet usually delivers it an energy-sapping body blow, but isn't a knockout punch.

To get rid of a botnet altogether, you really need to knock out the individual bots, or infected computers, that make up the network in the first place.

We were therefore disappointed, but sadly not surprised, to see Gameover return at the end of last week, pushed out in a spam campaign in which it masqueraded as an account statement.

The idea is that you'd know you didn't make the relevant payment, and so good sense would say, "Let me review the statement and get ready to dispute it."

Of course, the attachment wasn't a document at all, but a thinly-disguised executable, so opening it would have invited Gameover onto your computer.

As you can imagine, the question that a number of people have asked us is, "Was this a one-off, or a genuine Gameover comeback?"

It's too early to say for sure, but I am sorry to tell you that it looks like the latter.

SophosLabs has already noticed a tweaked variant of the "new" Gameover that attracted our attention even though we detected it proactively.

Instead of trying 1000 randomly generated domain names per day, in the hope that one or two will have been "lit up" by the botmasters to serve up command-and-control instructions, the tweaked variant tries 10,000.

Additionally, the starting point for the daily random lists has been tweaked by changing a hard-coded seed constant in the malware.

And, lastly, a dormant feature in the initial variant of "new" Gameover has been brought to life, so that the malware always tries one hard-coded domain name first, just in case.

If you would like to check for lookups in your own DNS logs, the hard-wired domain in the sample we're writing about here is:

dlm0ls1vq66ou15zih0n1nqo9nh  dot  org

By the way, don't use that domain name as a touchstone for infection: if you see it, you almost certainly do have an infected computer inside your network, but as the name is easy for the crooks to change in future variants, absence of evidence is not evidence of absence.

And if you'd like to check for new malware on your computer, or if you want to help out friends and family who rely on you for computer security advice, why not try our free Virus Removal Tool?

Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.

Click to go to download page...

Image of KO punch courtesy of Shutterstock.

, , , , ,

You might like

5 Responses to "Gameover" malware revival - is it really up from the canvas?

  1. VL-S · 77 days ago

    My experience with Sophos Virus Removal Tool on Windows 8 is as follows...

    Although it will request an admin password if one is not running at admin level I would recommend switching to an admin account first and then install.

    I found this particularly important during an upgrade. I attempted an upgrade under a non-admin account. The program seemed to partially delete the older version but then baulked at installing the new version complaining the old version still existed. Only when I switch to the admin account did the upgrade succeed.

    When running SVRT I will log out of all accounts then log in as admin. In this way it it can run pretty much unencumbered when left on its own overnight.

    Used in conjunction with McAfee (purchased at a heavy discount) I have to this day not been bothered by a virus.

    Of course I also follow the advice not to clink on e-mail links. Sophos excluded :)

    • Paul Ducklin · 77 days ago

      You know (I can't resist mentioning this - hope it's not crassly commercial), if you use our UTM Home Edition you get up to 12 licences for Sophos Anti-Virus for Windows as well, at a total discount, i.e. free :-)

      See the sidebar to the right hand side just above the comments...

      • Adrian · 77 days ago

        That is so unlike you Paul! What did they do, offer a bonus per nice thing you say about the company?

        (For those that have not heard Paul present in real life, he almost never says nice things about companies... not even S.)

      • VL-S · 76 days ago

        Paul...not at all crass. I am heading there. I have been a Sophos supporter for more than a decade.

        McAfee is a very brief stop gap as I consider my hardware set up. The UTM server will reside in the basement as this is the entry point for the internet cable. My town house spans four levels all wired for coax so instead of trying to blast a wireless signal throughout the place I am considering an Ethernet to coax distribution system. For security reasons I prefer to go wired in my home office. But since I also develop Android applications some wireless will be unavoidable.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog