Friday, June 6th, 2014
GameOver Zeus – The Online Banking Trojan
The activities of GameOver Zeus, the online banking trojan, have been disrupted
The FBI recently announced that the activities of the peer-to-peer (P2P) variant of ZeuS, known as “GameOver”, have been disrupted. This well-known online banking Trojan is a highly sophisticated piece of malware designed specifically to steal banking and other credentials from the computers it infects. GameOver ZeuS spreads predominantly through spam and phishing e-mails. It is believed to have infected more than 15,000 machines in the United Kingdom, and the FBI estimates that it has been responsible for $100m (£60m) in losses.
How does it attack?
Typically, ZeuS malware connects only to the specific command-and-control (C&C) server defined in its configuration file. If that server is unreachable, the bot (ZBOT) cannot download the dynamic configuration file that contains the targeted banking URLs. GameOver removes this single point of failure:
→ GameOver first decrypts its static configuration file, which contains the hardcoded peers and the RC4 key used to decrypt the downloaded (dynamic) configuration file. The static configuration usually lists around 20 peer IP addresses, each with its own port and communication key.
→ It then queries those hardcoded peers to find which are still alive and joins the botnet through one of them. Once connected to a peer, it can download an updated configuration file, an updated binary, and a fresh list of peer IPs.
→ If all 20 hardcoded peers are dead, GameOver still tries to reach a C&C server. To find that server's URL it uses a domain generation algorithm (DGA) that produces a new set of domains at the start of each week. This makes the botnet far more resilient to takedowns: a defender has to deal with the peers and the generated domains, not a single hardcoded server.
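The three-stage bootstrap above (RC4-encrypted static configuration, peer liveness check, weekly DGA fallback) is easier to reason about as code. The following is an added illustrative model, not the malware's own code: the static-configuration layout, the RC4 key, the peer addresses and the weekly DGA are all constructed for this example, and the DGA in particular is a toy, not GameOver's real algorithm. What it does show is the rendezvous order a bot follows and why a takedown that only removes the hardcoded peers is not enough.

```python
"""Illustrative model of the GameOver ZeuS bootstrap order described above:
static config -> hardcoded peers -> DGA fallback.
Constructed example; layout, keys, peers and DGA are assumptions, not the real malware's."""
import datetime
import hashlib
import struct


# RC4, used because the text says the static configuration is RC4-encrypted.
def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy static-config layout (assumption): 16-byte RC4 key for the dynamic config,
# then N records of (IPv4 as 4 bytes, port as u16 big-endian, 8-byte per-peer comm key).
PEER_RECORD = struct.Struct(">4sH8s")


def build_static_config(dyn_key: bytes, peers) -> bytes:
    body = dyn_key
    for ip, port, comm_key in peers:
        body += PEER_RECORD.pack(bytes(int(o) for o in ip.split(".")), port, comm_key)
    return body


def parse_static_config(plain: bytes):
    dyn_key = plain[:16]
    peers = []
    for off in range(16, len(plain), PEER_RECORD.size):
        raw_ip, port, comm_key = PEER_RECORD.unpack_from(plain, off)
        peers.append((".".join(str(b) for b in raw_ip), port, comm_key))
    return dyn_key, peers


# Toy weekly DGA (assumption: NOT GameOver's real algorithm). Seeded by the ISO
# year/week so every bot derives the same candidate list for a given week.
def weekly_dga(day: datetime.date, count: int = 5, tld: str = ".example") -> list:
    year, week, _ = day.isocalendar()
    seed = f"{year}-{week}".encode()
    return [hashlib.sha256(seed + n.to_bytes(2, "big")).hexdigest()[:12] + tld
            for n in range(count)]


def bootstrap(static_blob: bytes, static_key: bytes, is_alive, today: datetime.date) -> dict:
    """Return the rendezvous the bot would use, in the order the text describes:
    first a live hardcoded peer, otherwise this week's DGA candidates."""
    dyn_key, peers = parse_static_config(rc4(static_key, static_blob))
    for ip, port, comm_key in peers:
        if is_alive(ip, port):
            return {"via": "peer", "addr": f"{ip}:{port}", "dyn_key": dyn_key}
    return {"via": "dga", "candidates": weekly_dga(today), "dyn_key": dyn_key}


# Constructed sample data (documentation-range IPs, made-up keys).
STATIC_KEY = b"static-rc4-key-assumed"
DYN_KEY = bytes(range(16))
PEERS = [("192.0.2.10", 4001, b"k" * 8), ("198.51.100.7", 8012, b"m" * 8)]
STATIC_BLOB = rc4(STATIC_KEY, build_static_config(DYN_KEY, PEERS))

if __name__ == "__main__":
    day = datetime.date(2014, 6, 6)
    # One peer still answers: the bot joins through it.
    print(bootstrap(STATIC_BLOB, STATIC_KEY, lambda ip, p: ip == "198.51.100.7", day))
    # Every hardcoded peer is down: the bot falls back to this week's DGA domains.
    print(bootstrap(STATIC_BLOB, STATIC_KEY, lambda ip, p: False, day))
```

The `is_alive` callback stands in for the real peer probe; in the second call it always fails, which is the situation a takedown of the hardcoded peers creates, and the bot still produces a set of domains to try. Because the toy DGA is keyed on the ISO week, the candidates are identical on Monday and Friday of the same week and change the following week, which is the behaviour that makes advance registration or sinkholing of generated domains necessary.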
Signs your network might be infected:
♦ Your computer system operates very slowly.
♦ Your cursor moves erratically with no input from you.
♦ You notice unauthorized logins to your bank accounts or unauthorized money transfers.
♦ Text-based chat windows appear on your computer’s desktop unexpectedly.
♦ Your computer files lock up and a ransom demand is made to unlock files.
As experts, we advise users to block e-mail attachments that are executables (for example EXE and SCR files) or ZIP archives containing such executables, and to use vulnerability-mitigation software to cover unpatched applications and reduce the chance of being hit by the exploit kits that also deliver this malware.
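The attachment-blocking advice above is simple to state but easy to get wrong: an executable can be renamed to look like a document, and a ZIP can hide one a level down. The check below is an added example, not code from the original page; the extension list is an assumption to be extended per local policy, and the sample attachments are constructed, with a fake “MZ” header standing in for a real Windows executable. It blocks on extension or on the MZ magic, looks one level inside ZIP archives, and reads only the first two bytes of each member so that a decompression bomb cannot be used to stall the filter.

```python
"""Inbound-attachment policy check: block bare executables (EXE/SCR etc.)
and ZIP archives that contain them, even when renamed.
Added example; extension list and sample data are constructed/assumed."""
import io
import zipfile

# Assumption: extend or trim this set according to local policy.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl"}


def looks_executable(name: str, data: bytes) -> bool:
    """True if the name has an executable extension OR the bytes start with the
    'MZ' header every Windows PE file carries (catches renamed executables)."""
    lower = name.lower()
    by_ext = any(lower.endswith(ext) for ext in EXEC_EXTENSIONS)
    by_magic = data[:2] == b"MZ"
    return by_ext or by_magic


def should_block(filename: str, data: bytes) -> tuple:
    """Return (block, reason). Inspects ZIP members one level deep."""
    if looks_executable(filename, data):
        return True, f"executable attachment: {filename}"
    if data[:4] == b"PK\x03\x04" or filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    # Peek only the first two bytes: enough for the MZ check,
                    # and never fully inflates a member (decompression bombs).
                    with zf.open(info) as member:
                        head = member.read(2)
                    if looks_executable(info.filename, head):
                        return True, f"executable inside ZIP: {info.filename}"
        except zipfile.BadZipFile:
            # A ZIP that the standard library cannot parse is not worth delivering.
            return True, "malformed ZIP archive"
    return False, "allowed"


# --- constructed sample attachments ---
def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_PE = b"MZ" + b"\x90" * 64   # stand-in for a PE file, not a real binary
SAMPLES = {
    "invoice.pdf": b"%PDF-1.4 ...",                        # genuine document
    "statement.scr": FAKE_PE,                              # bare screensaver executable
    "report.pdf": FAKE_PE,                                 # executable renamed to .pdf
    "Invoice_2014.zip": make_zip({"Invoice_2014.pdf.exe": FAKE_PE}),  # classic lure
    "photos.zip": make_zip({"a.jpg": b"\xff\xd8\xff", "b.txt": b"hello"}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} -> {should_block(name, data)}")
```

The double-extension lure (`Invoice_2014.pdf.exe`) is the pattern the spam campaigns rely on, since Windows hides known extensions by default; the filter catches it by extension and would still catch it by magic if it were renamed to `.pdf`. Only one level of nesting is inspected here; nested archives and password-protected ZIPs need a separate policy decision (quarantine or reject), which this example does not make.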
If you think you might be infected or that your system is not protected, contact a specialised security company to check your network as soon as possible.