GameOver Zeus Is Game That Keeps Giving
The biggest news in the security world in recent days has been the FBI’s takedown of the GameOver Zeus botnet and Cryptolocker ransomware.
GameOver Zeus allowed cyber criminals to conduct more than $100 million in wire fraud in the just more than two-and-a-half years that the botnet was active. The malware affected computers running Microsoft Windows operating systems and captured credit card numbers and login credentials to financial sites, including credit unions, and had features that allowed it to bypass two-factor authentication security controls.
Gameover was the most sophisticated variant of the Zeus Trojan, which is used to steal banking information. GameOver Zeus leveraged a peer-to-peer network to hide the criminals’ backend infrastructure, which allowed attackers to control their botnet and make it difficult for researchers and law enforcement to disrupt it. Whereas other Zeus variants are sold as botnet kits, GameOver Zeus was run by a single group of threat actors that rented it to other cyber criminals.
The GameOver Zeus malware distributors constantly changed its operating methods to spread malware. They primarily distributed it through spam emails that contained malicious links or attachments. However, the attackers also compromised legitimate websites and inserted code that would download and execute GameOver Zeus on users’ computers that were not patched with the latest software updates. Like much of the malware found today, Gameover Zeus was wrapped in a package so that it would bypass antivirus software.
In order to evade anti-virus detection, the attackers would carry out the attack in two steps. First, if a victim whose computer was not patched with the latest software updates clicked on a malicious link or attachment, the computer would become infected with a malware downloader, which to antivirus software appeared to be innocuous.
That’s because before the attackers sent the downloader, they checked to see if the code had been detected yet by antivirus software companies. If it had been detected, then the attackers tweaked the code so that it would still download the malicious software but could sneak by AV. Second, the downloader would install onto the user's computer Gameover Zeus, which was usually disguised in such a way that it, too, bypassed anti-virus software.
GameOver Zeus was also responsible for distributing Cryptolocker ransomware for more than a year. Dell SecureWorks, which worked with the FBI to halt the activity of both threats, estimates that Cryptolocker had taken in at least $10 million since its debut in early 2013. Cryptolocker encrypted specific files on a victim’s system using strong public key cryptography.
The victim would receive a pop-up warning, demanding the victim to pay a ransom in order to recover the files so they would be readable. The attackers accepted funds in various forms, including bitcoin and MoneyPak cards. The latter could be purchased at popular drug stores and grocery stores. If the ransom was not paid, the files were only recoverable if the victim had created offline backups.
Read more: From Russian with love ...
GameOver Zeus hails from the original version of Zeus, whose source code is freely available on cyber underground forums. There are many popular banking Trojans that are based on the Zeus source code, including ICE IX, Citadel, and KINS. There are also copycats of Cryptolocker, such as CryptoWall, which is currently being distributed through the Cutwail spam botnet.
Whether or not Bogachev is captured, GameOver Zeus and Cryptolocker, or a facsimile of them, are likely to return. Here’s how to be prepared for when they do.
Protect Your Network and Your Members
- Keep your antivirus software up to date and ensure that the latest signatures are installed.
- Deploy a defense-in-depth strategy: monitor your endpoints with advanced threat detection, keep your firewall rules up-to-date, and use an IDS/IPS system to detect malicious network traffic.
- Provide security awareness training to your employees and educate them on the dangers posed by the following: attachments and links in emails, instant messages and social networking websites.
- Keep your software and operating system up-to-date. Install patches as soon as they become available to prevent attackers from entering via known vulnerabilities.
- Use a computer that is dedicated solely to conducting online banking and bill pay, and encourage your members to do the same. This way, without having used email or having visited any other websites, it is highly unlikely the computer would become infected.
To catch an intrusion as quickly as possible, monitor your network continuously, 24/7. With cyber thieves, it’s never game over. It’s always game on.
Jeff Multz is director of North America Midmarket Sales at Dell SecureWorks in Atlanta.