The million-dollar question seems to be: Is GameOver Zeus (GoZ) making a comeback? The prolific botnet responsible for a cyber-pandemic was disrupted in June. Since the international takedown effort was announced that month, the security community has held its breath.
Botnet takedowns do not typically result in a safer Internet. At Damballa, we have technology that can help make takedowns more effective and, in turn, better protect end users. But there are still many open questions that must be addressed.
The only way botnet takedowns will have a lasting impact on end user safety is if security researchers use a comprehensive and systematic process that renders the botnet inoperable.
Latest PushDo variant adds another evasion dimension, using domain generation algorithms (DGA) as a fallback to its normal C&C
If you step back and examine the domain names observed in almost any network, you could roughly categorize them into three main pseudo-classes: dead, alive, and about to be born. In loose technical terms, the dead are those domain names that are parked or simply pointed to a sinkhole.
Typically, when security companies or threat research labs announce the discovery of a new threat, the discovery entails the capture of never-before-seen malware, followed by reverse-engineering it and/or running it in a sandbox/VM to observe its host infection and network communication behavior.
...not only were we able to identify the malware family, but we were flooded with tens of thousands of inbound C&C connections! If our statistical analysis was anywhere near correct, then this particular botnet probably numbers in the hundreds of thousands of victims worldwide.
Malware that uses domain generation algorithms (DGA) to locate its command-and-control infrastructure and upload the data it has stolen is designed to evade all of those conventional prevention technologies.
Take for instance the idea of automatically processing malware within a virtualized host, capturing the network traffic that's generated, automatically generating an IDS signature for the malicious traffic, and then deploying the signature to a network protection platform. It sounds so enticingly simple - almost elegant. So why isn't everyone doing this? Why aren't we protected from malware?
Instead of relying upon a static list of preconfigured domain names that correspond to the location of the bad guys' C&C servers, it used an algorithm to calculate candidate domain names, and then tried reaching out to a handful of the candidates in a vain attempt to locate an active C&C server.