Bitdefender discovers two Gameover Zeus variants targeting Europe and beyond

Send to friend

Creator of antivirus solutions, Bitdefender, has identified two Gameover Zeus variants in the wild: one of them generates 1,000 domains per day and the other generates 10,000 per day. Bitdefender warns that the UK is currently the 6th most infected country with 42 unique IPs to date and that there is growth potential with new control domains continuing to be registered.

Following OpenDNS highlighting that Gameover Zeus had started to use Domain Generation Algorithms (DGAs), Bitdefender spotted that the generated domains were only active for one day each. By 'sinkholing' a particular domain, the antivirus company has been able to observe the botnet's structure and activity for the corresponding day.

"It seems that the recent Gameover Zeus takeover attempt has yielded less-than-perfect results," states Catalin Cosoi, Chief Security Strategist at Bitdefender. "Further research and international co-operation seem to now be needed to stamp out this menace once and for all."

After sinkholing five domains on five different days for each of the two botnets, Bitdefender has drawn several conclusions, notably that the botnets corresponding to those two DGAs are very different when it comes to countries of interest.

The first version has a bigger infection density in the US, which is to be expected as most of the malware families extort money from there. 83.7% of the 5,907 unique IPs that contacted Bitdefender's sinkhole were received from the US (see Figure 1). However, the second version is, without question, targeting Ukraine and Belarus, with 70.7% of 4,316 unique IPS emerging from these countries (see Figure 2).

Although there have been multiple domains registered for the botnet targeting US lately, Bitdefender has found none for the botnet targeting Ukraine and Belarus, meaning that no-one is using the bots at this moment. However, the bot-net could find itself with a new master at any point in the future.

Figure 1: Top 10 countries infected by Gameover Zeus containing the first version of the DGA

Place Country Number of Unique IPs Distribution
1 United States 4.936 83.7%
2 India 195 3.3%
3 Singapore 76 1.3%
4 Japan 62 1.1%
5 Germany 44 0.7%
6 United Kingdom 42 0.7%
7 Russia 41 0.7%
8 China 28 0.7%
9 Turkey 26 0.4%
10 Mexico 25 0.4%

Figure 2: Top 10 countries infected by Gameover Zeus containing the second version of the DGA

Place Country Number of Unique IPs Distribution
1 Ukraine 1.854 43%
2 Belarus 1.192 27.7%
3 Turkey 244 5.7%
4 Azerbaijan 222 5.1%
5 Kazakhstan 118 2.7%
6 Russia 88 2%
7 Kyrgyzstan 83 1.9%
8 Indonesia 60 1.4%
9 Moldova 57 1.3%
10 Germany 55 1.3%

Comments (0)

Add a Comment

This thread has been closed from taking new comments.