Crooks Reanimate A Dead Botnet To Target High-Value Bank Accounts

In something that sounds like the plot of a Hollywood movie, hackers have reanimated an apparently dead botnet called Gameover Zeus even as malware researchers dismantled the previous version of the network.

The botnet, essentially a collection of zombie computers that can be directed to launch denial-of-service attacks on banks and other financial firms in order to hide thefts from account holders, was torn down in June.

According to Brian Krebs, the tools used to build the network have been slightly improved so that the operators can recreate the network without the original command-and-control structure. He writes:

Warner said the original Gameover botnet that was clobbered last month is still locked down, and that it appears whoever released this variant is essentially attempting to rebuild the botnet from scratch. “This discovery indicates that the criminals responsible for Gameover’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers and takedowns in history,” [Gary Warner of Malcovery] said.

The network is just one part of the criminal scam. First, the hackers break into a bank account – they have allegedly taken $100 million so far – and transfer the cash to accounts they control. While this is happening, they direct the botnet at the victim's own servers so the victim cannot see the theft until it is too late. The Gameover Zeus botnet, then, is a sort of smoke screen to keep things under cover until the hack is over.

Malcovery has a complete rundown of the botnet and shows the spam that it sends to lure users and the fake files it uses to hack into zombie computers.

The original botnet died when law enforcement took control of its command-and-control domain names. The new variant, however, uses seemingly random domain names for command and control.
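Seizing domain names only works when the control domains are known in advance; a botnet that generates seemingly random names has to be spotted from its lookup behaviour instead. The following is an added defender-side example, not code from the article or from Malcovery: it scores the registrable label of each queried name with a generic entropy and vowel-ratio heuristic (the thresholds, helper names and DNS log lines are constructed for illustration, and the heuristic is not the actual Gameover Zeus domain algorithm) and flags clients that query several such names.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log, not from the article or from any real capture.
# Assumed line format: "<timestamp> <client_ip> <queried_name>"
SAMPLE_DNS_LOG = """\
2014-07-10T09:00:01 10.0.0.5 www.example.com
2014-07-10T09:00:02 10.0.0.5 mail.example.org
2014-07-10T09:00:03 10.0.0.7 xk2qv9ztj8wbl4ycnp.com
2014-07-10T09:00:04 10.0.0.7 hq7rzmvt3bxpdfwj2k.net
2014-07-10T09:00:05 10.0.0.7 zbw4tnqk9xjvp2hcrl.org
2014-07-10T09:00:06 10.0.0.9 cdn.static-assets.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(name: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Naive: treats the last label as the public suffix (no co.uk handling)."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_dga_like(label: str) -> bool:
    """Heuristic: long, high-entropy labels with few vowels look machine-generated.
    Thresholds are assumptions for this example, not derived from Gameover Zeus."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.2

def flag_dga_clients(log_text: str, min_domains: int = 3) -> dict:
    """Return {client_ip: sorted distinct DGA-like names} for clients that queried
    at least min_domains such names: one odd name is noise, a burst is the signal."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crashing on them
        _, client, name = fields
        if is_dga_like(registrable_label(name)):
            seen[client].add(name)
    return {c: sorted(n) for c, n in seen.items() if len(n) >= min_domains}

if __name__ == "__main__":
    print(flag_dga_clients(SAMPLE_DNS_LOG))
```

Hostnames carrying content hashes (CDNs, cloud storage) can trip the same heuristic, so the per-client burst threshold and an allow-list of known services matter more than the label score on its own.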

As Malcovery writes, “this discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”

It’s a fascinating look at a powerful DDoS tool and the lengths crooks will go to keep these things alive.