“Gameover” malware revival – is it really up from the canvas?


When we talk about “the XYZ malware,” especially when law enforcement conducts some sort of takedown, we never literally mean “one piece of malware.”

We’re just using synecdoche, which is the dinner-party way of referring to a figure of speech where you let a part refer to the whole.

In the same way that we casually use the word virus these days to talk about malware in general, rather than just the special sort of malware that spreads by itself, so we talk about Zeus and Gameover to mean a whole raft of malware produced as part of extensive cybercrime operations.

Indeed, SophosLabs encounters hundreds of thousands of distinct new malware samples per day, although that’s just the count of different files we process.

→ In this context, different could be two all-but-identical files of the same malware family that differ in a single byte, or two completely unrelated samples in different programming languages for different platforms. Thanks to proactive detection, you don’t need 100,000 updates each day to track all these new samples. Most of them get mopped up automatically because they’re what you might call “derivative works”. That number is just a reminder that once cybercriminals see that a strain of malware is making them money, they’ll keep on plugging away with it.

So we were delighted to write, in early June 2014, about the takedown of a sizeable part of the criminal infrastructure behind the Gameover botnet and the CryptoLocker ransomware.

We didn’t for a moment think that this takedown would be a permanent cure, because it wasn’t really a cure at all: pulling the plug on the servers at the heart of a botnet usually delivers it an energy-sapping body blow, but isn’t a knockout punch.

To get rid of a botnet altogether, you really need to knock out the individual bots, or infected computers, that make up the network in the first place.

We were therefore disappointed, but sadly not surprised, to see Gameover return at the end of last week, pushed out in a spam campaign in which it masqueraded as an account statement.

The idea is that you’d know you didn’t make the relevant payment, and so good sense would say, “Let me review the statement and get ready to dispute it.”

Of course, the attachment wasn’t a document at all, but a thinly-disguised executable, so opening it would have invited Gameover onto your computer.

As you can imagine, the question that a number of people have asked us is, “Was this a one-off, or a genuine Gameover comeback?”

It’s too early to say for sure, but I am sorry to tell you that it looks like the latter.

SophosLabs has already noticed a tweaked variant of the “new” Gameover that attracted our attention even though we detected it proactively.

Instead of trying 1000 randomly generated domain names per day, in the hope that one or two will have been “lit up” by the botmasters to serve up command-and-control instructions, the tweaked variant tries 10,000.

Additionally, the starting point for the daily random lists has been tweaked by changing a hard-coded seed constant in the malware.

And, lastly, a dormant feature in the initial variant of “new” Gameover has been brought to life, so that the malware always tries one hard-coded domain name first, just in case.

If you would like to check for lookups in your own DNS logs, the hard-wired domain in the sample we’re writing about here is:

dlm0ls1vq66ou15zih0n1nqo9nh  dot  org

By the way, don’t use that domain name as a touchstone for infection: if you see it, you almost certainly do have an infected computer inside your network, but as the name is easy for the crooks to change in future variants, absence of evidence is not evidence of absence.
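As an added example (not part of the original article, and not a Sophos tool), here is one way to run that check over a DNS query log, and to cover the caveat above by also flagging any computer that fails to resolve an unusually large number of distinct names in a day, which is what working through a daily list of randomly generated domains looks like from the resolver's side. The four-field log format, the threshold of 100 and the sample data are assumptions made for the illustration.

```python
from collections import defaultdict

# Hard-wired domain from the article, written here without the "dot" defanging.
HARDCODED_DOMAIN = "dlm0ls1vq66ou15zih0n1nqo9nh.org"
# Assumed threshold: distinct failed names per client per day worth a look.
NXDOMAIN_THRESHOLD = 100

def parse_line(line):
    """Parse 'YYYY-MM-DDTHH:MM:SS client qname rcode' (assumed log format)."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, rcode = parts
    return ts[:10], client, qname.rstrip(".").lower(), rcode.upper()

def scan(lines, threshold=NXDOMAIN_THRESHOLD):
    """Return (clients that queried the hard-coded name,
               {(day, client): n} for clients at or over the threshold)."""
    ioc_hits = set()
    failed = defaultdict(set)   # (day, client) -> distinct names that failed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue            # skip blank or malformed lines
        day, client, qname, rcode = rec
        if qname == HARDCODED_DOMAIN or qname.endswith("." + HARDCODED_DOMAIN):
            ioc_hits.add(client)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    noisy = {k: len(v) for k, v in failed.items() if len(v) >= threshold}
    return ioc_hits, noisy

def sample_log():
    """Constructed sample data: three clients on one (made-up) day."""
    day = "2014-07-14"
    lines = [f"{day}T09:00:00 10.0.0.5 www.example.com. NOERROR",
             f"{day}T09:00:01 10.0.0.5 typo.example.net. NXDOMAIN",
             f"{day}T09:01:00 10.0.0.7 {HARDCODED_DOMAIN.upper()}. NXDOMAIN",
             "garbage line"]
    # 10.0.0.9 fails on 150 distinct made-up names, like a bot walking a list.
    lines += [f"{day}T10:00:00 10.0.0.9 constructed{i:04d}.example. NXDOMAIN"
              for i in range(150)]
    return lines

if __name__ == "__main__":
    hits, noisy = scan(sample_log())
    print("queried hard-coded domain:", sorted(hits))
    for (day, client), n in sorted(noisy.items()):
        print(f"{day} {client}: {n} distinct NXDOMAIN names")
```

A computer that shows up in the second result but not the first is still worth investigating, because the hard-coded name can change from one variant to the next while the habit of trying a long list of names each day remains.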

And if you’d like to check for new malware on your computer, or if you want to help out friends and family who rely on you for computer security advice, why not try our free Virus Removal Tool?

Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.

It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)

Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
