Zeus is a malware family that we encounter frequently, due to its popularity with cyber-criminal groups. Ever since the Zeus source code was leaked in 2011, there have been many new variants. One such variant is dubbed ‘GameOver’, which recently made a mark in the media after its infrastructure was seized by authorities.
The Websense® ThreatSeeker® Intelligence Cloud actively monitors this specific type of threat. In this blog, we illustrate some key metrics about Zeus GameOver.
Background & Information
Zeus GameOver was first seen in 2011 and is very similar to the original Zeus malware. Its main use is for Crimeware purposes, such as seeking financial gain by stealing credentials and even transferring funds from victims accounts. We have also seen GameOver subsequently download malware such as Cryptolocker.
There is an important difference between GameOver and other Zeus variants, though. In a typical Zeus (or Zbot) malware, a central Command and Control (C&C) point is used to send out data and receive commands. In GameOver, however, the infrastructure is decentralized and instead relies on peer-to-peer (P2P) technology for its C&C capabilities.
This change in C&C infrastructure has become a big challenge for the security industry, because there is no single point of failure, such as the ability to take down a single command and control node. The Websense® ThreatSeeker® Intelligence Cloud is actively aware of this network and defends against it across the majority of the 7 stages of advanced threats model.
It's very important to note that Zeus GameOver is not directly sent to a potential victim. Instead, a downloader is involved in the initial infection, such as Pony Loader, and more recently, Upatre. Historically, the attack vectors have been mostly emails, usually sent by the Cutwail spam botnet. In the past, a mix of direct attachments, as well as URLs leading to exploit kits, would drop downloaders onto a victim's computer. More recently, with Upatre gaining momentum due to its ability to evade AV detection, the focus has been mostly on attachments, but in the past few weeks we have seen email lures containing URLs using sites such as Dropbox to serve Zip files containing Upatre. What's particularly nasty about Upatre is that it downloads Zeus GameOver in an encrypted form that bypasses most firewall and intrusion prevention system file-type detection. Another artifact that often gets bundled is the Necrus rootkit trojan, which helps to keep the infection persistent.
In the last two months we have seen increasing activity in the GameOver malware downloads via Upatre, with the last week being particularly active. The next table shows the top 10 affected countries we have seen affected by Zeus GameOver. While the United States has been the most targeted country of this campaign, the threat has moved toward a wider global reach recently.
Sign up for Computerworld eNewsletters.