GOZ is Back in a New and Powerful Avatar

An ongoing study reveals that newGOZ, the hottest incarnation of Zeus, makes use of a domain generated algorithm instead of the previously-used P2P command-and-control system. This significant change can force the cybercriminals to work overtime.

The security firm Arbor Networks reveals that this latest change in newGOZ has increased the infection rate by 1,879 percent. This steep rise has defied all attempts made by law enforcement agencies to control these attacks.

The US Department of Justice took help from private security companies and foreign law enforcement agencies, and was successful in controlling the botnet in June. By the time the botnet came under control, the number of infected machines had reached somewhere between 500,000 and one million, with nearly 25 percent of them belonging to the US.

Later, on July 11, a team of experts from Malcovery Security spotted a new GOZ variant, which used a Domain Generation Algorithm (DGA) instead of P2P-based command-and-control structure.

Dave Loftus and Dennis Schwartz, research analysts at Arbor Networks, have revealed that the DGA behind GOZ will give extra work to the developers of the malware, and they might have to begin again from the starting line.

The new DGA technology makes use of random seed data to come up with a random domain name. In case the generated domain name doesn’t work, the process is repeated with an incremented seed until an appropriate domain is finally generated.

According to the researchers, this data-based algorithm technique gives the hackers a clear shot at the target. Its predictability also helps the researchers in gauging the size of the botnets that are using them.

Three weeks of study about newGOZ data by Loftus and Schwartz revealed that as many as 12,300 individual IPs were used that came from different parts of the world.

A major finding of this analysis by Arbor Networks was that newGOZ is still far behind the older P2P version in terms of the number of infected systems.

According to Guy Bunker, the vice president at Clearswift, the major task for the attackers would be to ensure that the malware stays under their control and resists any takedown operations of the government.

He explained the method by saying that the new variant makes use of fast flux, in which the malware hides behind the changing IP addresses and proxies. Using this method, by the time a control server is detected, it has already been changed. This will help the attackers act faster than the authorities, and thus leave without getting caught.

This technique would make life hard, especially for the companies that made use of IP addresses to block malware containing sites. Since the malware would change IP address quickly, it would be difficult for such organizations to secure their processes.

According to him, DDoS and spam are the most common motives behind hacking incidents that use botnets. There are also some botnets that hunt for critical information, including bank account and credit card details; and for them, the data needs to be well protected. One of the ways suggested by Bunker was blocking of data transfer. After putting a block, if any data transfer attempt is made, it would raise an event, which could be monitored. If there is a series of such attempts, it could mean the presence of an infection, which could then be removed.

He said that cyberattackers possess a large variety of malware code. They can easily refurbish the old versions and make them even deadlier. With such a critical situation at hand, the authorities must be ready to face the future challenges that might be even more threatening.

While the current status of newGOZ may not ring alarm bells, this malware is steadily spreading and may gain gigantic proportions in the near future.

The best form of defense against this malware is using multiple layers of security, including educating users regarding phishing, patching, and updating the OS and applications. The newGOZ malware is found to attack previously known vulnerabilities, so updated applications and software would help in protecting many machines.

The experts at Arbor Networks are doing their bit by updating the GOZ domain name list every four days to identify any pattern in the growth of the botnet.

These experts revealed that while the number of infected machines was just 429 on July 21, it rose up after a major spam distribution campaign. In just a few days, this number reached 8,494 on July 25, with most of the infected machines located in the US.

While the primary focus of cyberattackers at present seems to be on evolving the botnet rather that extracting money, it won’t be long before they get down to their real purpose of slicing off major bank balances.