Thwarting Zeus Gameover’s Extra Life with SLIC by Brandon Tansey

Almost a month ago to the day, Lancope posted a blog about Operation Tovar’s disruption of Zeus Gameover and CryptoLocker. At the time, the future of Gameover was uncertain; however, the UK’s National Crime Agency warned that the relief provided by the disruption might only be temporary.

A month has passed and the disruption still holds strong; the original Zeus Gameover botnet (as well as CryptoLocker) has remained pinned down. Unfortunately, a very closely related successor has appeared.

Late last week, Malcovery Security reported on a ‘mutated’ Gameover. In addition to Malcovery’s post, a follow-up report by Brian Krebs stated that “the malware shares roughly 90 percent of its code base with Gameover Zeus.” While the two malware variants are related and very similar, there are a few things that require distinction. For that reason, we’ve begun calling the new Zeus Gameover variant “Extra Life” to avoid confusion.

As with any newly discovered malware, there is still analysis to do. However, it appears that the main difference between the two malware variants is their method of command-and-control. An interesting aspect of Gameover was its use of peer-to-peer communication as a primary method of C2. Extra Life appears to have forsaken this P2P C2 in favor of “fast-flux” domains supported by a domain generation algorithm (DGA).

We discuss DGAs at length in this video and in this blog post, but in short: a DGA determines all of the domains the associated malware will try to contact for C2, and possessing the DGA embedded in a particular type of malware allows you to know those domains in advance.

Earlier this morning, we began to include the domains from Extra Life’s DGA in our StealthWatch Labs Intelligence Center (SLIC) Threat Feed. Since Extra Life operates without the P2P C2 seen in Gameover, all infections will try to reach out to domains generated by the DGA. We’re excited to be able to provide this coverage to our customers so early in the timeline of this new malware.
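To illustrate the two points above (a known DGA yields its domains in advance, and every infection must query them), here is an added Python sketch that is not Lancope's code and not Extra Life's actual algorithm. It uses a hypothetical date-seeded generator, `toy_dga`, to precompute a watchlist and match DNS query logs against it; the seed, TLD list, log format, date and addresses are all constructed.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz")  # constructed list, not from any real malware

def toy_dga(day, count=5, seed=b"constructed-seed"):
    """Hypothetical date-seeded generator: same date in, same domains out."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:16]}.{TLDS[i % len(TLDS)]}")
    return names

def build_watchlist(today, days_back=1, days_ahead=7):
    """Map every domain in a date window to the day it is generated for.
    Looking back a day tolerates hosts with skewed clocks."""
    watch = {}
    for offset in range(-days_back, days_ahead + 1):
        day = today + timedelta(days=offset)
        for name in toy_dga(day):
            watch[name] = day
    return watch

def match_queries(log_lines, watch):
    """Return (client, domain, dga_day) for each logged query on the watchlist.
    Assumed log format: '<timestamp> <client_ip> <qname>'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        name = fields[2].rstrip(".").lower()  # DNS names are case-insensitive
        if name in watch:
            hits.append((fields[1], name, watch[name]))
    return hits

TODAY = date(2014, 7, 14)  # constructed date
SAMPLE_LOG = [  # constructed DNS query log
    "2014-07-14T09:00:01Z 10.0.0.23 www.example.com.",
    f"2014-07-14T09:00:07Z 10.0.0.57 {toy_dga(TODAY)[2].upper()}.",
    "garbled line",
    f"2014-07-14T09:01:12Z 10.0.0.57 {toy_dga(TODAY + timedelta(days=1))[0]}",
]

if __name__ == "__main__":
    for client, name, day in match_queries(SAMPLE_LOG, build_watchlist(TODAY)):
        print(f"{client} queried {name} (DGA domain for {day})")
```

Because the watchlist covers future days, a query for tomorrow's domain is flagged as well, which is what lets feed coverage stay ahead of the malware's schedule.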

Existing SLIC Threat Feed subscribers should already be receiving these Extra Life indicators with their regular SLIC updates. If you’re not a subscriber and would like more information on the SLIC Threat Feed, click here.