07-11-2014 05:52 AM
Well we knew it would not be long before they started to make a comeback, a bit more than the forecast 2 weeks forecast
"Like the original Gameover, however, this variant also includes a “domain name generation algorithm” or DGA, which is a failsafe mechanism that can be invoked if the botnet’s normal communications system fails. The DGA creates a constantly-changing list of domain names each week (gibberish domains that are essentially long jumbles of letters).
In the event that systems infected with the malware can’t reach the fast-flux servers for new updates, the code instructs the botted systems to seek out active domains from the list specified in the DGA. All the botmasters need to do in this case to regain control over his crime machine is register just one of those domains and place the update instructions there.
Warner said the original Gameover botnet that was clobbered last month is still locked down, and that it appears whoever released this variant is essentially attempting to rebuild the botnet from scratch. “This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history,” Warner said."
07-11-2014 10:21 AM
But analysing Malcovery's discovery, Webroot threat researcher Roy Tobin down-played the significance of the report.
He told SCMagzineUK.com via email: “The botnets that were taken down recently will no doubt be rebuilt by the criminals. As for what we are seeing now, there are a huge number of variants of this malware, each one can be custom-designed to fit a certain purpose. For instance a few months ago they were dropping Cryptolocker, which itself will no doubt come back to the front soon.”
Tobin added: “This particular variant of Zeus malware has been seen in the wild using various different file names (MIDO.exe, etc) but it follows the usual Zeus behaviour in that it creates a registry run key. We have seen a huge number of this type of infection over the last few months.”