Goodbye Feodo, Hello Geodo!

As a response to a flood of fake e-invoices hitting Germany and Switzerland in January 2014, I introduced Feodo Tracker, aimed at helping Internet users protect themselves from a sophisticated ebanking Trojan called Feodo (also known as Cridex/Bugat). Just a day after I published Feodo Tracker, the daily spam runs of fake invoices hitting German and Swiss Internet users suddenly disappeared. Apparently, the distribution of new Feodo binaries stopped completely. After publishing Feodo Tracker, I have not seen any new Feodo infection binaries, neither for Version A nor for Version B. In fact, I haven't managed to find any traces of Feodo ever since.

I don’t know what happened, nor do I know whether Feodo Tracker was the reason for the disappearance of Feodo. However, a few weeks ago – more than 3 months after Feodo disappeared – I started seeing a completely new malware popping up that I had never seen before. Investigating the new threat revealed botnet C&C traffic to obviously compromised hosts on port 8080 TCP, which immediately reminded me of Feodo (Version A). The new threat has been distributed since late May 2014 through fake e-invoices, using compromised SMTP credentials. Below are a few screenshots of recent spam runs distributing this new threat.

[Screenshot] Fake Deutsche Telekom invoices distributing Geodo

[Screenshot] Fake O2 invoices distributing Geodo

[Screenshot] Fake Vodafone invoices distributing Geodo

The botnet infrastructure used by this new threat, as well as the way the malware is being distributed, raised my suspicion that it might be a successor of Feodo. Talking to other security experts in the community strengthened my suspicions: The new malware is built on completely different code than Feodo, but the crypto code used for the botnet C&C communication seems to be almost the same as the one used by Feodo. In addition, Geodo uses the same botnet C&C infrastructure and distribution mechanism as Feodo. Moreover, the new malware is aimed at committing ebanking fraud – just like Feodo. Hence I do believe that this new threat can be considered a direct successor of Feodo. Some security experts have started to call this new threat Geodo. What is new with Geodo is the fact that it is not only using port 8080 TCP to communicate with the botnet C&C server but also port 7779 TCP.

As a response to this new development, I’ve extended Feodo Tracker’s capabilities so that it now keeps track of Geodo botnet C&C servers as well. Geodo botnet C&C servers detected by Feodo Tracker will be labelled as Version C:

[Screenshot] Feodo Tracker tracking Geodo (Version C)

Recent Geodo malware distribution URLs (spammed out through compromised SMTP credentials, all hijacked websites):


Some recent Geodo malware samples (MD5 hash):


Sample Geodo botnet C&C traffic (all HTTP POST to port 8080):


FBI disrupts GameOver ZeuS and CryptoLocker Botnet

The U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) today announced the disruption of the infamous GameOver ZeuS botnet and the CryptoLocker Ransomware.

GameOver ZeuS (GOZ), also known as P2P ZeuS or ZeuSv3, is a sophisticated ebanking Trojan mainly used to commit ebanking fraud and steal credentials from the victim's computer. GOZ is a further development of ZeuS / Zbot and has already been around for four years now. GOZ is one of the few botnets that use P2P techniques for their command & control (C&C) infrastructure. However, this wasn’t always the case. The botnet operators behind GOZ made several updates to the source code over the years of operating the botnet to improve its resilience against takedown attempts.

Below is a chart that illustrates the development of GOZ over time.

[Chart] Development of GOZ over time

As shown on the timeline above, it all started in September 2010 when a new malware appeared – it was obviously based on the source code of ZeuS, but was using a domain generation algorithm (DGA) to calculate the current botnet C&C domain. AV vendors named this new threat Murofet and LICAT. The Murofet / LICAT botnet was around for nearly a year. Months after Murofet appeared, ZeuS Tracker started to blacklist DGA domains used by Murofet as soon as they had been registered. With this, ZeuS Tracker could provide near-real-time protection to Internet users. In cooperation with the responsible domain name registrar, new Murofet domains could get suspended within hours after they appeared on ZeuS Tracker. In the beginning of September 2011, abuse.ch (again, in cooperation with the responsible domain name registrar) started to sinkhole Murofet domains instead of suspending them. This enabled abuse.ch to collect information about the size and geolocation of the Murofet botnet:

[Chart] Murofet / LICAT botnet size as of September 2011

The highest count of infected IPs the sinkhole could record was more than 100k infected IPs within a time period of 24 hours, and most of the infected IPs were located in India (IN), Italy (IT) and the USA.

[Chart] Geo IP location of Murofet / LICAT infected computers as of September 2011

In mid September 2011, no new Murofet / LICAT domain names were being registered any more. At nearly the same time, security researchers all over the world saw a specific kind of new malware that showed the same behavior on a compromised computer as ZeuS did. However, instead of just using HTTP to communicate with the botnet C&C server, weird UDP and TCP connections were observed on infected computers. Analysis of the new Trojan revealed that it was based on the ZeuS source code as well, but was using P2P communication to talk to other infected drones and receive commands from the botnet operator. However, stolen data was still being dropped to a webserver using HTTP POST. The HTTP POST requests all used the same URL patterns: /gameover.php, /gameover2.php, /gameover3.php. GameOver ZeuS was born.
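A small proxy-log triage check, written as an added example for this post (not abuse.ch or Feodo Tracker code): it flags the Geodo C&C pattern described in the first post above (HTTP POST to a bare-IP host on port 8080 or 7779 TCP) and the early GameOver ZeuS drop pattern described here (HTTP POST to /gameover.php, /gameover2.php or /gameover3.php). The log line format and every address in the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed proxy log (not from the original post): time, client, method, URL, bytes.
# Addresses are from documentation ranges; none of them is a real indicator.
SAMPLE_LOG = """\
2014-06-03T08:12:01Z 10.0.0.15 POST http://203.0.113.9:8080/ 1352
2014-06-03T08:12:05Z 10.0.0.15 GET http://www.example.com/index.html 5120
2014-06-03T08:13:44Z 10.0.0.22 POST http://198.51.100.4:7779/ 988
2014-06-03T08:14:10Z 10.0.0.31 POST http://203.0.113.77/gameover2.php 2210
2014-06-03T08:15:00Z 10.0.0.31 POST http://intranet.example.com:8080/api/upload 7000
2014-06-03T08:16:30Z 10.0.0.40 GET http://203.0.113.9:8080/ 300
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")
URL_RE = re.compile(r"^http://([^/:]+)(?::(\d+))?(/[^?\s]*)?")
GEODO_PORTS = {8080, 7779}                     # ports named in the Geodo post
GOZ_PATH_RE = re.compile(r"^/gameover\d*\.php$")  # /gameover.php, /gameover2.php, ...


def classify(url, method):
    """Return 'geodo', 'goz' or None for one request. Only POSTs are of interest:
    both families push data to the server, so GETs to the same host are ignored."""
    m = URL_RE.match(url)
    if not m or method != "POST":
        return None
    host, port, path = m.group(1), int(m.group(2) or 80), m.group(3) or "/"
    if GOZ_PATH_RE.match(path):
        return "goz"
    try:
        ip_address(host)            # Geodo C&C URLs in the post are bare IPs
    except ValueError:
        return None                 # a hostname on 8080 is normal proxy/app traffic
    if port in GEODO_PORTS:
        return "geodo"
    return None


def scan(log_text):
    """Return (client, label, url) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, method, url, _size = m.groups()
        label = classify(url, method)
        if label:
            hits.append((client, label, url))
    return hits
```

Matching on a bare-IP POST to 8080/7779 is deliberately broad; in a real deployment the hits are a triage queue to be correlated with the sender list from Feodo Tracker, not a blocking rule.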

[Chart] P2P ZeuS C&C communication as of September 2011

Using P2P techniques has a big benefit for botnet operators: it makes their botnet more resilient against takedown attempts. Since the disappearance of Murofet / LICAT and the appearance of P2P ZeuS happened at nearly the same time, it is obvious that GameOver ZeuS is a successor of Murofet / LICAT. However, it is unclear whether this development was a reaction of the criminals to the takedown / sinkholing attempts carried out by abuse.ch since July 2011. Later in 2011, GameOver ZeuS abandoned the component that was responsible for the HTTP gameover.php traffic. With this, ZeuS Tracker was no longer able to list the associated GameOver ZeuS activity, because the main operations had been fully migrated into the P2P infrastructure. However, GameOver ZeuS was still using an HTTP component along with a DGA as a fallback mechanism in case the P2P botnet was disrupted. Because of this, sinkholing at least parts of the botnet was still possible. Below is a chart that illustrates the number of unique IP addresses infected with GameOver ZeuS, as reported to the non-profit organisation Shadowserver. The data comes not only from the sinkholes operated by abuse.ch, but also from sinkholes operated by other security researchers around the globe.

[Chart] Number of unique IPs infected with GOZ in May 2014

In the early days, GameOver ZeuS was mainly targeting financial institutions in the US. Over the years of operating the botnet, the operators soon enlarged their target list to include financial institutions in Europe and Asia as well. For example, in 2013 Swiss Internet users were hit by a spam run that was distributing GameOver ZeuS in Switzerland.

The GameOver ZeuS botnet was developed further several times, mainly aimed at hardening its P2P component. The main reason for this was several takedown attempts carried out by security researchers in the past years. There are some excellent papers around that describe GameOver ZeuS, and especially its P2P component:

GameOver ZeuS is not the only botnet to take advantage of P2P techniques. ZeroAccess, a clickfraud botnet that was recently taken down by Microsoft and EUROPOL, was using P2P techniques as well. While using P2P techniques is a good choice for botnet operators to hide their infrastructure and make their botnet more resilient against takedown attempts, the GOZ takedown carried out by the FBI is already the second takedown this year hitting a P2P botnet. This is a good example and an even better statement from Law Enforcement Agencies and security researchers around the globe, which shows that criminals can’t hide, no matter what kind of technology they are using.

Overall, I think it is fair to say that GameOver ZeuS was one of the biggest threats for financial institutions and their customers. Some security researchers even view GameOver ZeuS as the “largest bank-theft botnet” ever. Finally, I want to express my congratulations to the FBI and all people involved for their investigations and say thanks for their efforts to make the Internet a safer place.

*** Further reading about GameOver ZeuS ***
