The United States Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ) have issued an advisory regarding the GameOver Zeus botnet, which can cause infected systems to send spam, participate in DDoS attacks, and allow attackers to harvest users’ credentials for online services, including online banking.
“GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control,” a US-CERT advisory states.
“GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks,” the advisory continued.
The authors behind the GameOver Zeus malware recently shifted tactics to include using encryption to evade detection, according to malware researchers. They said the new obfuscation method made the malicious code undetectable by the 50 antivirus products used by VirusTotal: because the encrypted file does not execute, it is technically not considered malware.
“All Windows EXE files start with the bytes ‘MZ’. These files start with ‘ZZP’. They aren’t executable, so how could they be malware? Except they are,” wrote Malcovery’s Gary Warner. “In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future.”
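The delivery chain Warner describes (a downloader writes a non-PE blob that begins with `ZZP`, then drops a decrypted `MZ` executable at a new path, runs it and schedules it) can be turned into endpoint detection logic. The following is an added example, not code from the article or from Malcovery; the event schema, field names and sample telemetry are constructed for illustration.

```python
"""Correlate constructed endpoint events into the GOZ '.enc' delivery chain
described in the article: a downloader fetches a non-PE blob starting with
b'ZZP', writes a decrypted PE (b'MZ') to a new path, executes it and
schedules it. Event schema and sample data are assumptions for this example."""
from collections import defaultdict

MZ, ZZP = b"MZ", b"ZZP"


def header_kind(data: bytes) -> str:
    """Classify a file by its leading bytes: 'pe', 'zzp_blob' or 'other'."""
    if data.startswith(MZ):
        return "pe"
    if data.startswith(ZZP):
        return "zzp_blob"
    return "other"


def correlate(events):
    """Group events by pid and return an alert for each pid showing the chain:
    ZZP blob written -> PE written afterwards -> that PE executed or scheduled."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    alerts = []
    for pid, evs in by_pid.items():
        saw_blob = saw_exec = saw_sched = False
        dropped = None
        for ev in evs:  # events are assumed to arrive in time order
            if ev["type"] == "file_write" and header_kind(ev["head"]) == "zzp_blob":
                saw_blob = True
            elif ev["type"] == "file_write" and saw_blob and header_kind(ev["head"]) == "pe":
                dropped = ev["path"]  # PE written after the blob: candidate decrypted payload
            elif ev["type"] == "proc_exec" and dropped and ev["image"] == dropped:
                saw_exec = True
            elif ev["type"] == "task_create" and dropped and ev["image"] == dropped:
                saw_sched = True
        if saw_blob and dropped and (saw_exec or saw_sched):
            alerts.append({"pid": pid, "dropped": dropped,
                           "executed": saw_exec, "scheduled": saw_sched})
    return alerts


# Constructed sample telemetry (not real GOZ data): pid 100 is benign,
# pid 200 reproduces the full downloader -> decrypt -> execute -> schedule chain.
SAMPLE_EVENTS = [
    {"pid": 100, "type": "file_write", "path": "C:\\Users\\u\\Downloads\\report.pdf", "head": b"%PDF"},
    {"pid": 200, "type": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\x.enc", "head": b"ZZP\x01"},
    {"pid": 200, "type": "file_write", "path": "C:\\Users\\u\\AppData\\Roaming\\svc.exe", "head": b"MZ\x90"},
    {"pid": 200, "type": "proc_exec", "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
    {"pid": 200, "type": "task_create", "image": "C:\\Users\\u\\AppData\\Roaming\\svc.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

A header check alone would also flag a `ZZP` blob, but it is the write-then-execute sequence by the same process that distinguishes the dropper behaviour from an inert download.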
US-CERT also points out that GOZ is using a P2P network to infect systems, whereas prior variants of the Zeus malware depended on a centralized command and control (C&C) botnet infrastructure to execute commands, which had been routinely tracked and blocked.
“GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection,” the advisory continued. “These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult.”
US-CERT recommends that infected users take the following common-sense actions to remediate GOZ infections:
- Use and maintain anti-virus software
- Change your passwords
- Keep your operating system and application software up-to-date
- Use anti-malware tools