Gameover Zeus Variants Targeting Ukraine, US

Gameover Zeus has recently started to use Domain Generation Algorithms as OpenDNS security Labs pointed out here. We have spotted two versions in the wild: one of them generates 1.000 domains per day and the other – 10.000. The generated domains are active for only one day each, so by sinkholing a particular domain, we can observe the botnet’s structure and activity for the corresponding day.

After sinkholing 5 domains for 5 different days for each of the two botnets, we noticed that some things remained constant, which let us draw some interesting conclusions. The botnets corresponding to those two DGAs are very different when it comes to countries of interest. The first version seems to have a bigger infection density in the US, which is not a surprise for anyone as most of the malware families extort money from there. The world-wide distribution of this version (including all the sinkholed domains) is illustrated in the figure below:

Zeus v1 distribution map by unique IPs — Image 1: Distribution Map by Unique IPs for Zeus Gameover with the first version of the DGA

The data confirms the findings of Peter Kruse from CSIS Security. So, 4.936 out of 5.907, which is 83.7%, unique IPs that contacted our sinkhole were received from US. The following table illustrates the top 10 countries being infected:

Table 1: Top 10 Countries Infected by Gameover Zeus Containing the First Version of the DGA
Place	Country	Number of Unique IPs	Distribution
1	United States	4.936	83.7%
2	India	195	3.3%
3	Singapore	76	1.3%
4	Japan	62	1.1%
5	Germany	44	0.7%
6	United Kingdom	42	0.7%
7	Russia	41	0.7%
8	China	28	0.5%
9	Turkey	26	0.4%
10	Mexico	25	0.4%

But, the second version is, without any doubt, targeting Ukraine and Belarus, as might be observed from the following figure:

Zeus v2 distribution map by unique IPs — Image 2: Distribution Map by Unique IPs for Zeus Gameover with the first version of the DGA

Here we have 3.046 out of 4.316, which is 70.7%, unique IPs from Ukraine and Belarus. Its distribution in the top 5 countries is shown below:

Table 2: Top 10 Countries Infected by Gameover Zeus Containing the Second Version of the DGA
Place	Country	Number of Unique IPs	Distribution
1	Ukraine	1.854	43%
2	Belarus	1.192	27.7%
3	Turkey	244	5.7%
4	Azerbaijan	222	5.1%
5	Kazakhstan	118	2.7%
6	Russia	88	2%
7	Kyrgyzstan	83	1.9%
8	Indonesia	60	1.4%
9	Moldova	57	1.3%
10	Germany	55	1.3%

Although there have been multiple domains registered for the botnet targeting US lately, we found none for the botnet targeting Ukraine and Belarus, meaning that no-one is using the bots at this moment. However, the bot-net could find itself with a new master anytime.