CERT mailing list archives

Previous By Date Next
Previous By Thread Next

TA14-150A: GameOver Zeus P2P Malware

From: "US-CERT" <US-CERT () ncas us-cert gov>
Date: Mon, 02 Jun 2014 06:10:19 -0500
NCCIC / US-CERT

National Cyber Awareness System:

TA14-150A: GameOver Zeus P2P Malware [ https://www.us-cert.gov/ncas/alerts/TA14-150A ] 06/02/2014 08:15 AM EDT 
Original release date: June 02, 2014

Systems Affected

  * Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8 
  * Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012 

Overview

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in 
September 2011­1, uses a decentralized network infrastructure of compromised personal computers and web servers to 
execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal 
Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further 
information about the GameOver Zeus botnet.

Description

GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest 
banking information, such as login credentials, from a victim’s computer2. Infected systems can also be used to engage 
in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. 

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute 
commands. Centralized C2 servers are routinely tracked and blocked by the security community1. GOZ, however, utilizes a 
P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These 
peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to 
send stolen data3. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts 
more difficult1.

Impact

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials 
for online services, including banking services.

Solution

Users are recommended to take the following actions to remediate GOZ infections:


  * "Use and maintain anti-virus software" - Anti-virus software recognizes and protects your computer against most 
known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software [ 
http://www.us-cert.gov/ncas/tips/ST04-005 ] for more information). 
  * "Change your passwords" - Your original passwords may have been compromised during the infection, so you should 
change them (see Choosing and Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ] for more information). 
  * "Keep your operating system and application software up-to-date" - Install software patches so that attackers can't 
take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is 
available, you should enable it (see Understanding Patches [ http://www.us-cert.gov/ncas/tips/ST04-006 ] for more 
information). 
  * "Use anti-malware tools" - Using a legitimate program that identifies and removes malware can help eliminate an 
infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from 
your system. 

*F-Secure*

 http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)

 http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP systems)

 *Heimadal*

 http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)  

 *Microsoft *

http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and 
Windows XP)

*Sophos *

 http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)

 *Symantec *

 http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network_ (_Windows XP, 
Windows Vista and Windows 7)

 *Trend Micro*

 http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, 
Windows Server 2008, and Windows Server 2008 R2)

 The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support 
any particular product or vendor.

References

  * Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus  [ 
http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf ] 
  * Malware Targets Bank Accounts  [ http://www.fbi.gov/news/stories/2012/january/malware_010612/malware_010612 ] 
  * The Lifecycle of Peer-to-Peer (Gameover) ZeuS [ 
http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/ ] 

Revision History

  * Initial Publication 
________________________________________________________________________

This product is provided subject to this Notification [ http://www.us-cert.gov/privacy/notification ] and this Privacy 
& Use [ http://www.us-cert.gov/privacy/ ] policy.

________________________________________________________________________

OTHER RESOURCES: Contact Us [ http://www.us-cert.gov/contact-us/ ] | Security Publications [ 
http://www.us-cert.gov/security-publications ] | Alerts and Tips [ http://www.us-cert.gov/ncas ] | Related Resources [ 
http://www.us-cert.gov/related-resources ] 

STAY CONNECTED: Sign up for email updates [ http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new ]
Previous By Date Next
Previous By Thread Next

Current thread: