Cisco Umbrella

Enterprise network security

Threats

Gameover ZeuS Switches From P2P to DGA

By Andrew Hay

Though Operation Tovar succeeded in temporarily cutting communication between Gameover ZeuS (GoZeus) and its command and control infrastructure, it appears now that GoZeus has migrated from using peer-to-peer communications to domain generation algorithms (DGAs).
According to research by our friends over at Malcovery, a “new trojan based heavily on the GameOver Zeus binary…was distributed as the attachment to three spam email templates.” In the report, several domains were identified as being the destination of the infected malware’s communications. The most active of the DGAs was one that we at OpenDNS identified on the day it was registered – cfs50p1je5ljdfs3p7n17odtuw[dot]biz.
ani
As you can see, the traffic to the domain starts off with a small number of queries (10) on Thursday, July 10 at around 15:00 UTC. A larger jump to 884 queries doesn’t happen until Friday, July 11 at around 6:00 UTC. At peak (on Friday, July 11th at 10:00 UTC) we see a spike of 10,042 queries for cfs50p1je5ljdfs3p7n17odtuw[dot]biz.
The domain in question is associated with a number of IP addresses (as seen below) and have a very low TTL.
Screenshot 2014-07-11 08.35.23
Three of the IP addresses have also been identified by OpenDNS Labs over the past week as being malicious. All of the IP addresses associated with the domain are located within the Ukraine.
176.8.154.150
81.163.142.143
31.129.65.152
The name server (NS) associated with the domain is also highly suspicious. The IP range is associated with AS 3462 and is hosted in Taiwan (TW) – quite the distance from the hosting location in the Ukraine. The IP address is also associated with suspicious name servers for a number of Russian (.ru) servers.  A quick scan of some of the other domains hosted by the IP shows a handful of DGAs and Russian (.ru, .su), Kazakhstan (.kz), and Indian (.in) ccTLDs.
ns118.171.163.153
One last nugget of intel is some of the scoring that OpenDNS assigns to the domain, its associated IPs, and related ASNs.
Screenshot 2014-07-11 08.48.23
Hopefully this information has helped you better understand the methodologies employed by GoZeus users. Using OpenDNS Investigate, we were able to derive additional intelligence from our global DNS data and shed some additional light on the communication channels.
All OpenDNS users are already protected against the identified domains in the Malcovery report. Should you have any additional questions, please do not hesitate to reach out to us.
Additional Refernces: