NEWS FROM THE LAB - Wednesday, September 5, 2012

Gameover ZeuS Posted by ThreatResearch @ 11:41 GMT

Excerpted from from our Threat Report H1 2012:

In the last year ZeuS has separated into more than one separately developed crimeware families after the source code for version was leaked. An interesting development is a peer-to-peer version of ZeuS, which has been dubbed "Gameover".

The Gameover peer-to-peer (P2P) version was the second ZeuS derivative to appear in the wild and uses a peer-to-peer network to fetch configuration files and updates from other infected computers. The extensive changes incorporated into the derivative focus almost exclusively on the configuration file, and appear to be aimed at hindering retrieval and analysis. Many of the changes are to code sections that have been unaltered for years, such as the binary structure and compression method, which has not changed since 2008 (version 1.2).

The date this version was released to the public can be estimated from the registration data for the domains created by its Domain Generation Algorithm (DGA). The trojan uses these domains as "backup servers" if it cannot connect to other machines on the P2P network. As the first domain registration occurred on September 5th 2011, the trojan was likely let loose close to that date. These backup servers only host another list of infected machines from which the trojan could retrieve the actual configuration file. This backup system means that the configuration file is never stored on an external web server, but is handled entirely within the botnet itself.

All analyzed P2P samples have contained the same RSA public key used to check the digital signatures of incoming files.

Other botnet specific encryption keys have also been the same. We conclude that the P2P version must therefore be a private one and the kit used to create the trojans has not been resold further. This also means that all of these trojans link to the same botnet, which is controlled by a single entity. Based on the extensive changes and relatively short time it took for this version to appear after the source code leak, it is probable that the P2P version was not created by an outsider working from the leaked code. It is a logical, carefully crafted evolution of the ZeuS code and could perhaps even be called ZeuS 3. While there is no way to identify its author, it is certainly plausible that it is the same person who was behind the original ZeuS 2.

ZeuS Distribution, April - May2012

Download the full Threat Report from here.