Our back-end automation began logging "Gameover"-related IP addresses back in May. Gameover is the peer-to-peer variant of the ZeuS banking trojan. Last week, we took 3,300+ of the IPs and performed a GeoIP lookup on them.
From the Gameover configuration file that our analysts recently obtained, we can see that there is an active Italian campaign underway at this time. The at sign (@) marks bank sessions that Gameover should focus on, capturing the screen on click.
Also of notable interest are the Arabic banks listed within the configuration file.
For the CCNAs among you: Gameover communicates with its peers via UDP on ports between 10,000 and 30,000 that are randomly assigned at installation. Such communications happen routinely, every several seconds or so, and are small: between 40 and 350 bytes. Larger communications happen via TCP. Monitoring for an extended length of time will probably reveal repeated IP addresses.
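The traffic profile above can be turned into a flow-log heuristic. The following is an added example, not code from the original post: the record layout, the thresholds, the function names and the sample flows (documentation-range IPs) are all assumptions constructed for illustration, and it treats the port chosen at installation as a fixed local UDP port on the monitored host.

```python
from collections import defaultdict

PORT_RANGE = range(10_000, 30_001)   # UDP port range given in the post
SIZE_RANGE = range(40, 351)          # payload sizes given in the post (bytes)
# Thresholds below are assumptions for this example, not values from the post.
MIN_PACKETS = 20        # small datagrams seen on one local port
MIN_PEERS = 5           # distinct remote IPs contacted
MIN_REPEAT_PEERS = 3    # peers seen again in more than one time window
WINDOW_SECONDS = 300

# Constructed sample: (epoch_s, local_ip, local_port, remote_ip, remote_port, proto, payload_bytes)
def build_sample():
    flows = []
    peers = [f"203.0.113.{i}" for i in range(1, 9)]
    for n in range(120):  # host A: one fixed port, small datagram every 5 s, rotating peers
        flows.append((n * 5, "10.0.0.23", 17342, peers[n % 8], 10_000 + (n % 8) * 1000, "udp", 40 + (n * 7) % 300))
    for n in range(120):  # host B: DNS-like lookups from ephemeral ports to one resolver
        flows.append((n * 5, "10.0.0.40", 50_000 + n, "198.51.100.53", 53, "udp", 60))
    for n in range(30):   # host C: in-range port but large datagrams (e.g. a media stream)
        flows.append((n * 5, "10.0.0.77", 20_000, "203.0.113.200", 20_000, "udp", 1200))
    return flows

def suspicious_hosts(flows):
    """Return {(local_ip, local_port): stats} for endpoints matching the described pattern."""
    packets = defaultdict(int)
    windows_per_peer = defaultdict(lambda: defaultdict(set))
    for ts, lip, lport, rip, rport, proto, size in flows:
        if proto != "udp" or lport not in PORT_RANGE or size not in SIZE_RANGE:
            continue  # TCP, out-of-range port, or datagram outside 40-350 bytes
        key = (lip, lport)
        packets[key] += 1
        windows_per_peer[key][rip].add(int(ts) // WINDOW_SECONDS)
    hits = {}
    for key, peers in windows_per_peer.items():
        # "Repeated IP addresses": the same peer shows up in more than one window.
        repeat = sum(1 for w in peers.values() if len(w) > 1)
        if packets[key] >= MIN_PACKETS and len(peers) >= MIN_PEERS and repeat >= MIN_REPEAT_PEERS:
            hits[key] = {"packets": packets[key], "peers": len(peers), "repeat_peers": repeat}
    return hits

if __name__ == "__main__":
    for (ip, port), stats in suspicious_hosts(build_sample()).items():
        print(ip, port, stats)
```

Legitimate peer-to-peer software can produce a similar profile, so a hit is a lead for triage rather than a verdict.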
Our earlier speculation that Gameover's sophistication is evidence of the original ZeuS author's involvement is supported by Krebs on Security posts such as this one, which suggests Slavik's continued activity after his supposed "retirement".