Subject: TA14-150A: GameOver Zeus P2P Malware
From: US-CERT 



National Cyber Awareness System:

TA14-150A: GameOver Zeus P2P Malware [ https://www.us-cert.gov/ncas/alert
s/TA14-150A ] 06/02/2014 08:15 AM EDT
Original release date: June 02, 2014

Systems Affected

  * Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  * Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012


Overview

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of b
ank credential-stealing malware identified in September 2011C2AD1, uses
 a decentralized network infrastructure of compromised personal computers
 and web servers to execute command-and-control. The United States Depart
ment of Homeland Security (DHS), in collaboration with the Federal Bureau
 of Investigation (FBI) and the Department of Justice (DOJ), is releasing
 this Technical Alert to provide further information about the GameOver Z
eus botnet.

Description

GOZ, which is often propagated through spam and phishing messages, is pri
marily used by cybercriminals to harvest banking information, such as log
in credentials, from a victim's computer2. Infected systems can a
lso be used to engage in other malicious activities, such as sending spam
 or participating in distributed denial-of-service (DDoS) attacks.C2

Prior variants of the Zeus malware utilized a centralized command and con
trol (C2) botnet infrastructure to execute commands. Centralized   serve
rs are routinely tracked and blocked by the security community1. GOZ, how
ever, utilizes a P2P network of infected hosts to communicate and distrib
ute data, and employs encryption to evade detection. These peers act as a
 massive proxy network that is used to propagate binary updates, distribu
te configuration files, and to send stolen data3. Without a single point
of failure, the resiliency of GOZ's P2P infrastructure makes take
down efforts more difficult1.

Impact

A system infected with GOZ may be employed to send spam, participate in D
DoS attacks, and harvest users' credentials for online services, includin
g banking services.

Solution

Users are recommended to take the following actions to remediate GOZ infe
ctions:


  * "Use and maintain anti-virus software" - Anti-virus software recogniz
es and protects your computer against most known viruses. It is important
 to keep your anti-virus software up-to-date (see Understanding Anti-Viru
s Software [ http://www.us-cert.gov/ncas/tips/ST04-005 ] for more informa
tion).
  * "Change your passwords" - Your original passwords may have been compr
omised during the infection, so you should change them (see Choosing and
Protecting Passwords [ http://www.us-cert.gov/ncas/tips/ST04-002 ] for mo
re information).
  * "Keep your operating system and application software up-to-date" - In
stall software patches so that attackers can't take advantage of known pr
oblems or vulnerabilities. Many operating systems offer automatic updates
. If this option is available, you should enable it (see Understanding Pa
tches [ http://www.us-cert.gov/ncas/tips/ST04-006 ] for more information)
.
  * "Use anti-malware tools" - Using a legitimate program that identifies
 and removes malware can help eliminate an infection. Users can consider
employing a remediation tool (examples below) that will help with the rem
oval of GOZ from your system.

*F-Secure*

C2 http://www.f-secure.com/en/web/home_global/online-scanner (Windows
Vista, 7 and 8)

C2 http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel
/view/142 (Windows XP systems)

C2 *Heimadal*

C2 http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8
and 8.1)C2 C2

C2 *Microsoft *

http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1
, Windows 8, Windows 7, Windows Vista, and Windows XP)

*Sophos *

C2 http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)

C2 *Symantec *

C2 http://www.symantec.com/connect/blogs/international-takedown-wounds
-gameover-zeus-cybercrime-network_ (_Windows XP, Windows Vista and Window
s 7)

C2 *Trend Micro*

C2 http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista
, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and
 Windows Server 2008 R2)

C2 The above are examples only and do not constitute an exhaustive lis
t. The U.S. Government does not endorse or support any particular product
 or vendor.

References

  * Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameov
er Zeus  [ http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf
 ]
  * Malware Targets Bank Accounts  [ http://www.fbi.gov/news/stories/2012
/january/malware_010612/malware_010612 ]
  * The Lifecycle of Peer-to-Peer (Gameover) ZeuS [ http://www.securework
s.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gam
eover_ZeuS/ ]

Revision History

  * Initial Publication
________________________________________________________________________

________________________________________________________________________

This email was sent to certecho@net396.fidonet.org using GovDelivery, on
behalf of: United States Computer Emergency Readiness Team (US-CERT)
 245 Murray Lane SW Bldg 410 Washington, DC 20598 (703) 235-5110
Powered by GovDelivery [ http://www.govdelivery.com/portals/powered-by ]


-+-
 + Origin: FidoNet<>Internet Gateway -Huntsville AL- USA- (1:396/3)

 =-=-=-=-=-=-=-= .END of Forwarded message =-=-=-=-=-=-=-=

--
Guardien Fide   :^)

   Ben  aka cMech  Web: http://cmech.dynip.com
                 Email: fido4cmech(at)lusfiber.net
             Home page: http://users.lusfiber.net/~fido4cmech
           WildCat! Board 24/7  +1-337-984-4794  any BAUD 8,N,1

--- GoldED+/W32-MSVC
 * Origin: FIDONet - The Positronium Repository (1:393/68)