In late May 2014, the US Department of Justice, the FBI, and several security companies carried out “Operation Tovar”, aimed at dismantling the infrastructure of Zeus GameOver (we’ll call it oldGOZ) and Cryptolocker, and at prosecuting the actors identified as being behind the malware operations.
In early July, security researchers detected a new variant of GOZ (we’ll call it newGOZ) delivered via spam emails. This new variant relinquished the P2P feature and resorted to using CnCs hosted initially on a known fast flux proxy network and subsequently on isolated IPs. This fast flux proxy network turns out to be multi-purpose and quite versatile, and it was the subject of an extensive, several-months-long study that we first covered at BSides NOLA 2014 in May in our talk “Quest for Botnets using DNS” and later in our talks at BlackHat and DefCon in August 2014.
In this blog post, Anthony Kasza and I (Dhia Mahjoub) analyze the traffic of oldGOZ and newGOZ domains in an effort to shed some light on the current status of infections. We also provide some analysis of patterns in newGOZ domain registrations.
In the legal documents released in June by the DOJ following the takedown, 25662 oldGOZ DGA domains are cited in the Appendices. At the time of this writing, 33% of these domains are nxdomains, and the remaining 66% resolve to sinkholes or parking IPs. In the past month, we’ve observed 5000+ of the cited domains having non-negligible traffic. We also regularly observe traffic to a large number of oldGOZ domains not cited in the Appendices.
Traffic patterns of Zeus GameOver domains
For any oldGOZ domain, we currently observe a traffic spike that lasts for 4 days before dying out (see the figure below).
For newGOZ domains, by contrast, we see a traffic spike of 24 hours for the domains of a particular day.
The co-occurrences model can help us separately grab the clusters of oldGOZ or newGOZ domains of the day.
We were interested in checking the client IPs looking up oldGOZ and newGOZ domains on specific days and seeing whether there is any overlap. For that we considered a set of 2000+ oldGOZ domains that started having traffic on Sep 8th and lasted for 4 days (Sep 8, 9, 10 and 11), and 4 more sets of 1000 newGOZ domains each, corresponding to Sep 8, 9, 10 and 11th.
Over the period of four days, there were 1797 unique IPs querying oldGOZ domains and 961 IPs querying newGOZ domains. 47 IPs were common to these two sets, which might indicate that these overlapping IPs are infected with both GOZ variants, or that they are public-facing IPs (considering NAT) for systems running both variants.
Geo distribution of GOZ client IPs
In the first map, we show the geographical distribution of client IPs querying oldGOZ during the 4-day period. We see a majority of infections still existing in Turkey, USA, India, Egypt and Indonesia.
In the second map, we show the geographical distribution of client IPs querying newGOZ during the 4-day period. We see a majority of lookups from Great Britain, USA and India.
In the third map, we show the 47 client IPs that looked up both oldGOZ and newGOZ domains during Sep 8, 9, 10, 11th (total common IPs in the table above). We see a majority of infected machines located in USA and India (similar stats have appeared elsewhere).
newGOZ domain registration
A sample data set of newGOZ domains was collected from our query logs and Whois data ranging from August 20 through September 1.
14 registrars were used to register 72 domains. The domains had a mean creation-to-query-spike time of about -20 hours (meaning the domain was registered 20 hours before OpenDNS saw the first query spike for the domain name). Query spikes occur when query volumes for a domain grow exponentially within a short amount of time and then drop suddenly. The growth period is relative to the domain’s “life” within the DGA algorithm. Below is an example of the query spike seen for one such Gameover Zeus domain (xsz2ci17qx2793ylfyn8rrc1v[.]biz).
Analyzing creation-time to query-spike-time deltas, we were able to identify a pattern in domain creation to query spike time which allowed us to determine with high confidence whether a domain was registered by security researchers or by malicious actors. If a domain was registered more than one hour before the first query spike seen by OpenDNS, the registrant is likely not malicious. Domains registered the hour before the first query spike or the hour of the first query spike (just-in-time registration) correspond to real CnC.
Below is a time series showing the creation-time to query-spike-time differences. Domains with creation date and first query time near or overlapping each other are just-in-time domain registrations.
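As an added illustration (not code from the original post or from OpenDNS), the following Python puts the two ideas above into working form: a query spike is located in an hourly lookup series as an exponential rise above the preceding baseline followed by a drop, and the Whois creation time is then compared with the spike start using the one-hour rule. The hourly counts, the creation timestamps and the "registered after spike" label are constructed assumptions of this example.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed hourly query counts for a hypothetical DGA domain (not real OpenDNS data);
# index 0 is the hour starting at SERIES_START (UTC).
SERIES_START = datetime(2014, 8, 25, 0, 0)
HOURLY_QUERIES = [2, 3, 1, 4, 2, 3, 40, 310, 1900, 7400, 6100, 3200, 900, 120, 15, 4, 2, 3]

def find_query_spike(counts, factor=10, baseline_hours=6):
    """Return (start_idx, end_idx) of the first query spike, or None.
    A spike starts at the first hour exceeding `factor` times the median of the
    preceding `baseline_hours` hours and ends when counts fall back below that
    threshold (exponential rise, then sudden drop, as the post describes)."""
    for i in range(baseline_hours, len(counts)):
        threshold = factor * median(counts[i - baseline_hours:i])
        if counts[i] > threshold:
            end = i
            while end + 1 < len(counts) and counts[end + 1] > threshold:
                end += 1
            return i, end
    return None

def classify_registration(creation, spike_start):
    """Apply the post's creation-to-spike heuristic. `delta` uses the post's sign
    convention (negative = registered before the spike). More than an hour before
    the spike suggests a researcher/sinkhole; the hour before or the hour of the
    spike is a just-in-time registration, i.e. a likely real CnC. The
    'registered after spike' label is this example's assumption, not the post's."""
    delta = creation - spike_start
    if delta < timedelta(hours=-1):
        return "likely researcher", delta
    if delta < timedelta(hours=1):
        return "just-in-time (likely CnC)", delta
    return "registered after spike", delta

def analyze_domain(creation, counts, series_start=SERIES_START):
    """Spike detection plus the registration heuristic for one domain."""
    spike = find_query_spike(counts)
    if spike is None:
        return "no spike observed", None
    return classify_registration(creation, series_start + timedelta(hours=spike[0]))

if __name__ == "__main__":
    # Whois creation timestamps below are constructed for illustration.
    for created in (datetime(2014, 8, 24, 10, 0), datetime(2014, 8, 25, 5, 30)):
        label, delta = analyze_domain(created, HOURLY_QUERIES)
        print(f"created {created:%Y-%m-%d %H:%M} -> {label} (delta {delta})")
```

The first constructed domain reproduces the post's -20 hour case and is labelled as a likely researcher registration; the second, created 30 minutes before the spike, is labelled just-in-time.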
Of the 72 domains, 60 domains either were registered using privacy protection to hide the registrant contact’s email address or belonged to security researchers.
The 12 email addresses used to register the domains, which fell into neither of the previous categories, were inspected further.
One of the 12 email addresses registered two Gameover Zeus domains, and three of the 12 each registered one additional domain (with extremely low query volumes). One of those domains, ulticoms[.]net, acted as a name server for Shylock domains and has since been taken down, as shown in one of the Exhibits accompanying the complaint filed by Microsoft against the Shylock botnet operators in July 2014.
For the remaining two domains (gamesfather[.]net and barocoa[.]net), we are not sure if they are part of the Gameover Zeus campaign or not. The email addresses used to register these two domains could have been compromised accounts or could have been created strictly for registering GOZ domains. Either way, the two domains are highly suspect, and we will continue to monitor them in the hopes of confirming them as malicious or benign. If you have any additional information on the domains in question we’d love to hear from you.