GameOver ZeuS Media Coverage and Update

by Chad Kahl

Sometimes we feel like the IT world needs to have a standard issue wall plaque, poster, or something with two simple words on it: DON’T PANIC. As stated in the Douglas Adams classic, The Hitchhiker’s Guide to the Galaxy:
In many of the more relaxed civilizations on the Outer Eastern Rim of the Galaxy, the Hitchhiker's Guide has already supplanted the great Encyclopedia Galactica as the standard repository of all knowledge and wisdom, for though it has many omissions and contains much that is apocryphal, or at least wildly inaccurate, it scores over the older, more pedestrian work in two important respects. First, it is slightly cheaper; and secondly it has the words DON'T PANIC inscribed in large friendly letters on its cover.

As this applies to the recent messaging from US-CERT, FS-ISAC, FBI FLASH and other media outlets, the Solutionary Security Engineering Research Team (SERT) thought it beneficial to share some questions and answers generated through our observations concerning the recent news about GameOver ZeuS (GOZ).

Is GOZ new?

No. ZeuS was first detected in 2007 and the GameOver variant, also known as “P2P ZeuS”, was first detected in 2011. However, we are updating our clients to keep them aware of the recent threat and news. SERT continues to evaluate GOZ and other variants, as well as other Internet-based threats, and will advise clients in the event we see the threats evolve.

What does GOZ do?

The ZeuS or ZBOT malware family is typically comprised of three main parts:

  1. Primary Package – Provides Man-In-The-Browser (MITB) functionality
  2. Downloader – Used to download additional pieces of malware, such as CryptoLocker
  3. Rootkit – Hides the Trojan to prevent detection and removal

How is GOZ different than the standard ZeuS malware family?

Short answer: The components use Peer-to-Peer (P2P) communication instead of traditional Command and Control (C&C). Traditional ZeuS uses a centralized C&C server to handle communications between the botnet and its controller. With a P2P component, the botnet passes configuration information and updates between peers, including a list of botnet peers called a “table of neighbors”. This was done to add resiliency against a potential botnet takedown: GOZ does not have to worry about losing a C&C server, and losing individual members of the GOZ network has little impact on the other nodes.

Does GOZ target banks, credit unions, marketing programs, etc.?

Not directly; it targets the end users of popular banking services. This is one of the most common misconceptions about this malware family. ZeuS and its variants are first and foremost designed to harvest login credentials from end users. Through keylogging and form grabbing, attackers can gather login credentials or modify transactions without alerting the client or server to their actions. GOZ targets the users. The harvested credentials are then used by the attackers in separate attacks.

How is GOZ spread/distributed?

GOZ is distributed primarily via drive-by download or through phishing schemes. Associated phishing schemes can be generic or highly-targeted spear-phishing campaigns.

So, what is the new coverage on this topic about?

First, there may be a significant misunderstanding of what GameOver ZeuS does (see above). Second, recent takedown efforts by the FBI warranted spreading some updated information.

What did the FBI do?

The FBI attempted to disrupt the communications of the GOZ network by redirecting all associated traffic to a “sinkhole”, currently located at 85.159.211.119.

What should I do?

Solutionary SERT recommends that you:

  • Ensure you are running an up-to-date anti-virus/anti-malware engine on your endpoints. Current signatures detect many ZeuS infections.
  • Implement the Emerging Threats Snort rules with SIDs 2018242, 2018296 and 2018316 for GameOver ZeuS detection.
  • Actively monitor egress traffic for internal machines attempting connections to non-standard ports, via TCP or UDP.
  • Actively monitor for communication attempts with the current sinkhole address: 85.159.211.119. Any hosts attempting to communicate with this address are likely infected.

Solutionary clients with Snort devices managed by Solutionary are already covered. SERT continually monitors threats like GOZ and will apply new detection methods in ActiveGuard® as they become available.
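The two monitoring recommendations above (egress to non-standard ports and any contact with the sinkhole address) can be checked against firewall or flow logs. The script below is an added example, not Solutionary's or ActiveGuard's code; it runs over constructed sample log lines in an assumed "timestamp src dst proto dport" format, and the set of "standard" ports is an assumption to tune to your own baseline.

```python
import ipaddress
from collections import defaultdict

# Sinkhole address named in the advisory text.
SINKHOLE = "85.159.211.119"
# Assumed baseline of expected egress ports; adjust to your environment.
STANDARD_PORTS = {25, 53, 80, 123, 443, 465, 587, 993, 995}

# Constructed sample egress log (not real traffic): "timestamp src dst proto dport".
SAMPLE_LOG = """\
2014-06-03T10:01:12 10.0.5.21 93.184.216.34 tcp 443
2014-06-03T10:01:15 10.0.5.21 85.159.211.119 tcp 7320
2014-06-03T10:02:01 10.0.5.44 8.8.8.8 udp 53
2014-06-03T10:02:09 10.0.5.44 198.51.100.77 udp 29842
2014-06-03T10:03:40 10.0.5.44 198.51.100.78 tcp 24011
2014-06-03T10:04:02 10.0.5.90 203.0.113.5 tcp 80
"""

def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "dport": int(dport)}

def analyze_egress(log_text, nonstandard_threshold=2):
    """Return {src: {"sinkhole": bool, "nonstandard": [(dst, proto, dport), ...]}}
    for internal hosts worth investigating. Any contact with the sinkhole flags a
    host on its own; non-standard-port egress flags it once the threshold is reached,
    so a single odd connection does not generate noise."""
    per_host = defaultdict(lambda: {"sinkhole": False, "nonstandard": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if not ipaddress.ip_address(rec["src"]).is_private:
            continue  # egress checks only apply to internal sources
        if rec["dst"] == SINKHOLE:
            per_host[rec["src"]]["sinkhole"] = True
        if rec["proto"] in ("tcp", "udp") and rec["dport"] not in STANDARD_PORTS:
            per_host[rec["src"]]["nonstandard"].append((rec["dst"], rec["proto"], rec["dport"]))
    return {src: info for src, info in per_host.items()
            if info["sinkhole"] or len(info["nonstandard"]) >= nonstandard_threshold}

if __name__ == "__main__":
    for src, info in analyze_egress(SAMPLE_LOG).items():
        reason = "sinkhole contact" if info["sinkhole"] else "non-standard ports"
        print(f"{src}: {reason} -> {info['nonstandard']}")
```

A sinkhole hit is a strong indicator of infection; the non-standard-port heuristic is a triage signal that should be confirmed with the Snort rules and host inspection.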

Oh No! I’m infected!

If you are infected, consult the first sentence of this blog ‒ DON’T PANIC! Then read my fellow SERT member Bernie Lambrecht’s blog “I’m Infected – Now What?”

Read this SERT Awareness Report, “BlackHole Exploit Kit, Banking Trojans and ACH Transfers” for additional information on similar threats targeting financial data.

If you find your organization is infected with GOZ (or any other malware) and needs assistance with forensics and mitigation, contact Solutionary about our Critical Incident Response services.

References:

http://www.us-cert.gov/ncas/alerts/TA14-150A

http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted

http://www.bankinfosecurity.com/interviews/bill-nelson-i-1758

http://abcnews.go.com/Technology/fed-cyber-sleuths-stop-gameover-zeus-cryptolocker-crime/story?id=23964827

http://www.solutionary.com/resource-center/blog/2012/07/rejected-wire-transfer-leads-to-blackhole-exploit-kit/

http://www.solutionary.com/resource-center/blog/2013/10/infected-next-steps/

http://www.solutionary.com/_assets/pdf/sert-awareness-report-blackhole-banking-trojan.pdf
