Websense Security Labs Blog: Zeus GameOver
Zeus GameOver
Zeus is a malware family that we encounter frequently, due to its popularity with cyber-criminal groups. Ever since the Zeus source code was leaked in 2011, there have been many new variants. One such variant is dubbed ‘GameOver’, which recently made a mark in the media after its infrastructure was seized by authorities.
The Websense ThreatSeeker Intelligence Cloud actively monitors this specific type of threat. In this blog, we illustrate some key metrics about Zeus GameOver.
Contributors: Nick Griffin, Elad Sharf, Ran Mosessco
Background & Information
Zeus GameOver was first seen in 2011 and is very similar to the original Zeus malware. Its main use is for Crimeware purposes, such as seeking financial gain by stealing credentials and even transferring funds from victims accounts. We have also seen GameOver subsequently download malware such as Cryptolocker.
There is an important difference between GameOver and other Zeus variants, though. In a typical Zeus (or Zbot) malware, a central Command and Control (C&C) point is used to send out data and receive commands. In GameOver, however, the infrastructure is decentralized and instead relies on peer-to-peer (P2P) technology for its C&C capabilities.
This change in C&C infrastructure has become a big challenge for the security industry, because there is no single point of failure, such as the ability to take down a single command and control node. The Websense® ThreatSeeker® Intelligence Cloud is actively aware of this network and defends against it across the majority of the 7 stages of advanced threats model.
It’s very important to note that Zeus GameOver is not directly sent to a potential victim. Instead, a downloader is involved in the initial infection, such as Pony Loader, and more recently, Upatre. Historically, the attack vectors have been mostly emails, usually sent by the Cutwail spam botnet. In the past, a mix of direct attachments, as well as URLs leading to exploit kits, would drop downloaders onto a victim’s computer. More recently, with Upatre gaining momentum due to its ability to evade AV detection, the focus has been mostly on attachments, but in the past few weeks we have seen email lures containing URLs using sites such as Dropbox to serve Zip files containing Upatre. What’s particularly nasty about Upatre is that it downloads Zeus GameOver in an encrypted form that bypasses most firewall and intrusion prevention system file-type detection. Another artifact that often gets bundled is the Necrus rootkit trojan, which helps to keep the infection persistent.
Campaign
In the last two months we have seen increasing activity in the GameOver malware downloads via Upatre, with the last week being particularly active. The next table shows the top 10 affected countries we have seen affected by Zeus GameOver. While the United States has been the most targeted country of this campaign, the threat has moved toward a wider global reach recently.
| United States | 97.587% | |
| United Kingdom | 13.505% | |
| Italy | 9.960% | |
| Malaysia | 6.086% | |
| Canada | 5.173% | |
| Mexico | 3.054% | |
| Jordan | 2.619% | |
| Turkey | 2.615% | |
| Costa Rica | 2.168% | |
| New Caledonia | 2.137% |
The next heatmap video shows how dominant the GameOver variant has been in April and May of this year.
Interestingly (and you might say very much expected), the main target of Zeus GameOver campaigns has been the financial industry, with a trend towards targeting victims at companies in the pension management sector of the financial industry.
| Retirement & Pension Management | 72.072% | |
| Education | 55.193% | |
| Services | 15.072% | |
| Manufacturing | 13.431% | |
| Finance, Insurance & Real Estate | 11.803% |
Case Study
Here’s a recent example of an email attack stopped by Websense Cloud Email Security (CES). The attack tried to entice victims to open a ZIP attachment containing the Upatre downloader on their computer, which would later infect the users with Zeus GameOver.
Websense ThreatScope behavioral analysis recognizes Upatre as malicious:
https://report-j.threatscope.websense.net/report/U2FsdGVkX1-HjWplRGjt2_HeO2riPBHhOZNDAGvzkg-3hJ9liD0M_BAN6eswI6CB25KuSfEd3THmIyPfpNMnXBcj5sGUHk48d7NiTSuoTwM
The target URL containing the encrypted binary is categorized as MWS, therefore stopping the infection before Zeus GameOver even gets to the victim’s computer:
hxxp://footballmerch.com/media/css/Targ-2105USmw.tar
Websense customers are protected with ACE, our Advanced Classification Engine, at the stages detailed below:
- Stage 2 (Lure) – ACE has proactive detection for the email lures.
- Stage 4 (Exploit Kit) – ACE has detection for the malicious code that attempts to execute this cyber-attack. This stage may or may not exist, lately exploit kits have fallen out of favor with the criminals behind Zeus GameOver.
- Stage 5 (Dropper Files) – ACE has detection for the binary files associated with this attack. Additionally, ThreatScope behavioral analysis classifies the binary’s behavior as malicious or suspicious.
- Stage 6 (Call Home) – Communication to the associated C&C server is prevented.
Summary
GameOver has been around for several years, and since its inception has been a challenge for the security industry to defend against, because different variants have appeared, and also because its source code was leaked. Websense researchers recommend utilizing a strong email security product, which will proactively block campaigns and prevent infection from GameOver from ever happening. The Websense® ThreatSeeker® Intelligence Cloud has seen a notable increase in its activity over the last two months leading up to the takedown of GameOver, and continue to monitor closely.
Canned comment from Carl Leonard:
“Now is the time to act. There’s a short window that has been afforded by the takeover of the Gameover Zeus infrastructure. For individuals, now is the time to run threat detection technologies and for businesses to check their threat dashboards for indicators of compromise. As we have been tracking this with our real-time systems we have found that the malware authors are dynamic in their use of Zeus and are always looking for new opportunities to build up their malicious bots.
If your company is infected, you need to do your best to remediate before the bad guys do their best to regain control of their botnet. What is possibly a minor hurdle for the malware authors could be valuable time for those impacted to take action. But this won’t be the last variant we see, and prevention is always better than cure. Infected companies should take the opportunity to ensure that they have the right solution that stops the infection before it ever has a chance to escalate.”
