“Gameover” malware returns from the dead…

In early June 2014, international law enforcement agencies combined to carry out a hugely successful action called Operation Tovar against the cybercrime group behind the malware family known variously as Gameover, Gameover Zeus or GOZ.

The operation was a success, shutting down activity from the Gameover botnet for the past month.

Botnets, don’t forget, are collections of malware-infected computers, individually referred to as bots or zombies, that can be controlled remotely by criminals known as bot-herders or botmasters.

As well as stealing information such as banking passwords from each computer in the botnet, the crooks can also send commands to all the computers in the botnet at the same time, essentially giving them a huge distributed “network cloud” of computing resources.

Botnets can therefore be used to send massive quantities of spam (including spam runs containing email attachments with more malware), to clock up huge numbers of fraudulent but legitimate-looking ad clicks, to carry out online attacks, and more.

Attacks of this sort are hard to block because they originate simultaneously from thousands of innocent-looking computers, so there isn’t a single, obvious source of criminality.

Sadly, it looks as though Gameover is back.

So far, SophosLabs has only seen a few samples of the new version, but it has been distributed through widespread spam campaigns, so the number of infections may already be large.

Typical Gameover spams include an attachment pretending to be an account statement, with a message body like this:

First of all, let’s take a look at why we think this a new Gameover variant and not malware from some other family.

Gameover has scrambled most of its text messages (strings, in programming parlance) using a custom algorithm that has been the same since the source code to the original Zeus was leaked in 2011.

This algorithm and the string table is still present in this new version and we can see that the decrypted strings are the same as those in earlier Gameover variants.

In particular, the strings around _SUBBOTNET_ are the same as before:

However, there are some key differences between this version and previous ones.

The Necurs rootkit that we wrote about in February 2014 has been abandoned.

This is an interesting move, as the rootkit was introduced as a way of making removal more difficult.

Without it, Gameover can be cleaned up simply deleting the .EXE file containing the malware and rebooting.

The second key change is that the peer-to peer protocol that was used as a primary means of controlling the botnet is no longer used.

→ A peer-to-peer (P2P) bot doesn’t rely on a pre-configured list of command-and-control (C&C or C2) servers to contact for instructions on what to do next. Infected computers can search out and connect to other bots in the botnet to fetch commands, making the botnet as a whole much more resistant to a takedown of one or more of the centralised C&C servers.

We can still see evidence of the P2P protocol commands in the malware program, but the sample is not seeded with a starting list of peer addresses, and the code that attempts to find and use peers in the botnet is absent.

Again, this is a strange development, because using P2P for command-and-control definitely makes the botnet more robust.

The previous version used a domain generation algorithm (DGA) as a fallback command-and-control mechanism if no nodes in the P2P network could be reached.

The latest version now uses a DGA only, and the DGA has been changed so that a different set of domains are generated.

The new DGA can generate up to 1000 possible domains per day.

The algorithm works by taking a random number between 0 and 999 and creating an MD5 hash that includes the current year, month, day and a 32-bit value that is embedded in the malware executable.

The hash is then expanded so that each block of 4 bytes in the hash is replaced with a variable number of characters that can include any digit or lower case letter (i.e. from 0..9 and a..z).

The next domain is generated by incrementing the initial number between 0 and 999 that was fed into the algorithm.

A top-level domain suffix is then appended, with the malware choosing from: .com, .org, .biz and .net.

Some examples for 2014-07-12:

9y4o5311fkdbzc67z7c13hordw  dot  biz
akz0c6kalkpi1xzj08m190womc  dot  org

We generated the domains that will be used over the next few days and found that only a small number were were alive for the first day.

At the time of writing (2014-07-12T16:00Z), no domains for subsequent days were resolving.

This suggests that the Gameover operators are not showing their hand yet, thus keeping the list of domains that they intend to use each day confidential until close to the time that they are needed.

This “new” version of Gameover seems to be a backwards step in many respects, rather than an evolution.

We do not know if it is being operated by the same people that were indicted last month, or a subset of them, or indeed a different group altogether that has obtained the Gameover source code.

But we will be monitoring developments very closely to see if we really are witnessing the rebirth of Gameover, or if this variant will fizzle out, effectively killing off the botnet once again.

Note. Sophos products block the malware described in this article as Troj/HkMain-AQ. Other names you may see due to proactive detection of malware in the Gameover family include Mal/Zbot-HX, HPmal/Zbot-C and HPmal/Zbot-F.