Two Gameover Zeus variants, with one generating 1,000 domains per day and the other 10,000 per day, are out there targeting the U.S. and Europe.
Following OpenDNS highlighting that Gameover Zeus had started to use Domain Generation Algorithms (DGAs), security provider Bitdefender spotted the generated domains were only active for one day each. By sinkholing a particular domain, the antivirus company has been able to observe the botnet’s structure and activity for the corresponding day.
“It seems that the recent Gameover Zeus takeover attempt has yielded less-than-perfect results,” states Catalin Cosoi, chief security strategist at Bitdefender. “Further research and international co-operation seem to now be needed to stamp out this menace once and for all.”
After sinkholing five domains on five different days for each of the two botnets, Bitdefender came to several conclusions, the botnets corresponding to those two DGAs are very different when it comes to countries of interest.
The first version has a bigger infection density in the U.S., as most of the malware families extort money from there. 83.7 percent of the 5,907 unique IPs that contacted Bitdefender’s sinkhole ended up received from the U.S. However, the second version is, without question, targeting Ukraine and Belarus, with 70.7 percent of 4,316 unique IPS emerging from these countries.
Although there have been multiple domains registered for the botnet targeting the U.S. lately, Bitdefender has found none for the botnet targeting Ukraine and Belarus, meaning that no one is using the bots at this moment. However, the botnet could find itself with a new master at any point in the future.