Gameover Zeus Trojan Continues Resurgence

Malware Variants Steam Ahead After 'Operation Tovar' Takedown

By Mathew J. Schwartz, August 27, 2014. Follow Mathew J. @euroinfosec

Nearly three months after the FBI, Europol and Britain's National Crime Agency launched "Operation Tovar," which successfully disrupted the botnet behind Gameover Zeus, the malware is making a global comeback.

The first Gameover Zeus resurgence warnings began July 10, when security experts spotted an apparent variant of the malware that was being distributed in a spam e-mail campaign (see Gameover Zeus Trojan Returns). Since then, however, the malware has continued to pick up steam.

Gameover Zeus is a Trojan designed to steal banking and other personal credentials from infected PCs. At the time of the May law enforcement takedown, the FBI estimated that between 500,000 and 1 million PCs worldwide - one-quarter of them in the United States - were infected by the malware, which the bureau says was used to steal more than $100 million.

The resurgence of the malware is a reminder that banks must watch for signs of infection on customers' PCs, and also use fraud analytics to spot, and block, unusual access patterns or transaction behavior.

Brian Foster, CTO of security firm Damballa, notes in a blog post: "Over the last couple of months, Damballa observed new GoZ variants testing the waters. Initially, there was a small set of victims but that has changed in recent weeks. The number of victims is climbing but nowhere near previous levels observed with GoZ."

Denmark-based Heimdal Security likewise reports a rise in infections tied to Gameover Zeus variants. "Whether that's because they're using the old infrastructure or it's just a rise in the new variants, we're not sure," says Morten Kjaersgaard, CEO of the company, which has been tracking the success of the Gameover Zeus takedown operation. But the infection rates are much lower than before the takedown. "We see this as a move by malware manufacturers, or e-crime organizations, so that rather than doing one big piece of malware such as Gameover Zeus, they're doing several small ones to evade detection."

Despite the rise in reported infections, however, "there isn't a 'flood' of new GoZ variants," says Sean Sullivan, security adviser for F-Secure Labs in Helsinki, Finland.

Domain Generation Algorithm

The previous version of Gameover Zeus used peer-to-peer techniques to connect infected PCs with the command-and-control, or C&C, servers from which they received instructions and to which they sent exfiltrated data. For the new variants, however, attackers have dropped P2P in favor of a domain-generation algorithm, or DGA, which the malware uses to reach a constantly changing list of C&C servers. "The malware has been designed to dynamically look up different domain names over time, as a way to evade a lot of the prevention tools that have come to market," Foster says. Such an approach helps it evade blacklists of known-bad names, because the domains in use change faster than a static list can be updated; the usual defensive counter is to reverse-engineer the algorithm and register or sinkhole the upcoming domains before the attackers do.
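To make the blacklist problem concrete, the following is an added example written for this article; it is not Gameover Zeus code, and the real Gameover Zeus DGA is not reproduced. The seed, label length, TLD list and hashing scheme are hypothetical and chosen only to show two things: a blocklist built from one day's generated domains catches none of the next day's, and a resolver-log heuristic (bursts of NXDOMAIN answers for random-looking labels from one client) can still flag an infected host without knowing the algorithm. The DNS log lines are constructed for the example.

```python
"""Illustrative DGA vs. blocklist demo (added example; not Gameover Zeus code)."""
import hashlib
import math
from collections import Counter
from datetime import date

# Hypothetical TLD set; the real malware's list is not reproduced here.
TLDS = ("com", "net", "org", "biz")


def generate_domains(day: date, count: int, seed: bytes = b"demo-seed") -> list:
    """Hypothetical date-seeded DGA: derive `count` domains for `day`.

    Each domain is a SHA-256 of (seed, date, index) mapped onto 12 letters
    plus a TLD.  Anyone holding the seed and the algorithm can precompute the
    list for any date, which is exactly what lets defenders sinkhole ahead.
    """
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        # b % 26 is slightly biased; irrelevant for an illustration.
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains


def blocklist_hit_rate(blocklist: set, todays: list) -> float:
    """Fraction of today's C&C candidates a static blocklist would catch."""
    return sum(d in blocklist for d in todays) / len(todays)


def blocklist_miss_demo(count: int = 100) -> float:
    """Build a blocklist from one day's domains and test it against the next day."""
    yesterday = set(generate_domains(date(2014, 8, 26), count))
    today = generate_domains(date(2014, 8, 27), count)
    return blocklist_hit_rate(yesterday, today)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of `s`; high values suggest random labels."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed resolver log: "client rcode qname".  Not real traffic.
# 10.0.0.5 behaves like a DGA bot probing unregistered domains; 10.0.0.7
# made one typo and one odd lookup; 10.0.0.9 is clean.
SAMPLE_DNS_LOG = """\
10.0.0.5 NXDOMAIN xkqzpvmtrwlb.com
10.0.0.5 NXDOMAIN hgtyuopqlzxc.net
10.0.0.5 NXDOMAIN bnmvcxzasdfg.org
10.0.0.5 NXDOMAIN poiuytrewqlk.biz
10.0.0.5 NXDOMAIN mnbvcxzlkjhg.com
10.0.0.5 NOERROR www.example.com
10.0.0.7 NXDOMAIN www.exmaple.com
10.0.0.7 NXDOMAIN qazwsxedcrfv.net
10.0.0.9 NOERROR mail.example.org
10.0.0.9 NOERROR cdn.example.net
"""


def flag_dga_clients(log: str, min_nx: int = 5, min_entropy: float = 3.0) -> dict:
    """Return {client: count} for clients with >= min_nx NXDOMAIN answers
    on long, high-entropy first labels.  A bot walking a DGA list hits many
    unregistered names; a typo or a real lookup does not."""
    suspicious = Counter()
    for line in log.strip().splitlines():
        client, rcode, qname = line.split()
        if rcode != "NXDOMAIN":
            continue
        label = qname.split(".")[0]
        if len(label) >= 10 and shannon_entropy(label) >= min_entropy:
            suspicious[client] += 1
    return {c: n for c, n in suspicious.items() if n >= min_nx}


if __name__ == "__main__":
    print("hit rate of yesterday's blocklist on today's domains:", blocklist_miss_demo())
    print("flagged clients:", flag_dga_clients(SAMPLE_DNS_LOG))
```

The entropy threshold and the NXDOMAIN count are tuning knobs: CDN and cloud hostnames can also look random, so in production the heuristic is combined with the NXDOMAIN burst (legitimate random-looking names usually resolve) and with allowlists, and the per-day domain count of the variant being tracked sets how many misses a bot will produce before it finds a live C&C domain.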

"One of the reasons that it might be changing to DGA is because ... once the peer-to-peer infrastructure was infiltrated by authorities ... it was relatively easy to see who was infected," Kjaersgaard says. "So using a DGA is a different mystery to try to unravel; I wouldn't say it is more difficult, but it is difficult."

Malware Targets U.S., Ukraine

Earlier this month, Romania-based anti-virus firm BitDefender reported seeing two new variants of Gameover Zeus. The first, which primarily targets U.S. users, generates 10,000 candidate domains per day, while the second, which mainly targets users in Ukraine and Belarus, generates 1,000 domains per day.

But classifying something as a Gameover Zeus variant relies, in part, on semantics. "Depends on how you define it. The outer packaging makes for different samples but the source code that runs is the same variant - we haven't seen many modifications yet," says F-Secure's Sullivan.