Gameover Zeus

Number: IN14-001
Date: 2 June 2014

Audience

The purpose of this document is to provide information related to the Gameover variant of the Zeus Trojan. This document also provides mitigation advice which may help to reduce the risk associated with this threat.

Introduction

Gameover is considered a serious risk because of the nature of the information it targets: mainly financial and login credentials used to gain unauthorized access to computers, networks and their data. Gameover infects new hosts through drive-by downloads and spam email campaigns. Gameover has also been used by attackers to deliver other malware to victims. Gameover is a sophisticated Trojan because it is constantly updated to evade detection by anti-virus systems for longer, and thus steal more data.

Description

Zeus
Zeus is an information stealing Trojan from a family of crimeware whose main focus is stealing data from victims, particularly financial information. Zeus has been in circulation for several years and is structured around a centralized command and control (C2) infrastructure.

Gameover
Gameover, also known as Peer-2-Peer (P2P) Zeus, is a variant of the Zeus Trojan. In May 2011, the source code for Zeus was made public on the internet and was subsequently used to create alternative versions of Zeus, such as Gameover. Like the other variants of Zeus, Gameover steals usernames and passwords, mainly targeting banking credentials. Gameover is especially resilient because, unlike traditional Zeus, it uses a peer-to-peer structure.

Figure 1
Image Description

This graphic illustrates the difference between a command and control botnet and a peer-to-peer botnet. The command and control botnet is controlled by one entity, whereas the peer-to-peer botnet can be controlled by multiple entities.

Resiliency

Gameover is built on a P2P botnet infrastructure in which compromised devices (or bots) communicate with one another, rather than communicating with a central server. The botnet’s controller can manage the botnet from any number of compromised devices rather than a centralized location. Nodes in the botnet are also capable of downloading commands, configuration files and executables from other nodes in the network. As a result, these P2P botnets are more resilient against disruption actions, such as takedowns and sinkholing.

Figure 1
Image Description

This graphic illustrates the steps that the Gameover Zeus malware takes to infect its victims.

  1. Attackers compromise HTTPS web servers and plant Gameover Zeus malware.
  2. Attackers use Cutwail spam botnet to lure victims.
  3. Spam email arrives with Upatre malware attachment.
  4. User executes Upatre malware downloader.
  5. Malware payload retrieved from compromised HTTPS server and executed. Infected machine becomes part of the Gameover Zeus peer-to-peer botnet.

To add more resiliency, in the event that the compromised devices cannot be reached, Gameover falls back to domains registered by the attackers that were generated using a Domain Generation Algorithm (DGA). The DGA generates 1000 pseudorandom domains per week, each randomly appended with one of six top-level domains (TLDs): .com, .net, .org, .biz, .info and .ru. These domains can be registered by the attacker to evade detection and to make it more difficult for security researchers or law enforcement to take the botnet over. Once a host is infected, Gameover uses a public and private key exchange to protect the commands it receives and the stolen data it sends back to the attackers, making it difficult for anyone who does not possess the private key to take over the botnet.
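The DGA fallback described above gives defenders a DNS-side signal: a bot that cannot reach its peers begins resolving many long pseudorandom names under those six TLDs, most of which are never registered and return NXDOMAIN. The following Python detector is added here as an illustration and is not part of the CCIRC advisory; it applies simple pronounceability heuristics to constructed resolver log lines (the log format, the thresholds and the sample names are assumptions) and flags a client that queries several such names across more than one of the six TLDs.

```python
import re
from collections import defaultdict
# The six TLDs the advisory says the Gameover DGA appends to its generated names.
DGA_TLDS = {"com", "net", "org", "biz", "info", "ru"}
# Constructed sample resolver log, one query per line: "<timestamp> <client> <rcode> <qname>".
SAMPLE_LOG = """\
2014-06-02T10:15:01Z 10.0.0.5 NXDOMAIN ulqskerdxwnpvfbt.com
2014-06-02T10:15:01Z 10.0.0.5 NXDOMAIN mahtrexwqzpolfvk.net
2014-06-02T10:15:02Z 10.0.0.5 NXDOMAIN ojxwvkrmtnelpqsd.org
2014-06-02T10:15:02Z 10.0.0.5 NOERROR  kzpbrvateqwmnxlc.biz
2014-06-02T10:15:03Z 10.0.0.5 NXDOMAIN rtwxuqpzlvnkimdb.ru
2014-06-02T10:15:03Z 10.0.0.5 NXDOMAIN vnqlzkjhfotrxcpy.info
2014-06-02T10:15:05Z 10.0.0.7 NOERROR  www.publicsafety.gc.ca
2014-06-02T10:15:06Z 10.0.0.7 NOERROR  internationalbank.com
2014-06-02T10:15:07Z 10.0.0.7 NXDOMAIN ulqskerdxwnpvfbt.com
"""
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<rcode>\S+)\s+(?P<qname>\S+)$")

def split_domain(fqdn):
    """Return (second-level label, tld), or None for a bare label."""
    labels = fqdn.rstrip(".").lower().split(".")
    return (labels[-2], labels[-1]) if len(labels) >= 2 else None

def looks_generated(fqdn, min_len=12):
    """Heuristic: a long, letter-only label under one of the six TLDs that is unpronounceable
    (very few vowels or a run of four or more consonants). Thresholds are assumptions."""
    parts = split_domain(fqdn)
    if parts is None:
        return False
    sld, tld = parts
    if tld not in DGA_TLDS or len(sld) < min_len or not sld.isalpha():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / len(sld)
    longest_run = max(len(r) for r in re.findall(r"[^aeiou]+", sld) or [""])
    return vowel_ratio <= 0.2 or longest_run >= 4

def detect_dga_clients(log_lines, min_domains=5, min_tlds=2):
    """Flag clients that queried many distinct generated-looking names across several DGA TLDs,
    the pattern of a bot that lost its P2P peers and fell back to the DGA."""
    seen, nxdomain = defaultdict(set), defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        qname = m.group("qname").lower().rstrip(".")
        if looks_generated(qname):
            seen[m.group("client")].add(qname)
            nxdomain[m.group("client")] += m.group("rcode") == "NXDOMAIN"
    alerts = {}
    for client, names in seen.items():
        if len(names) >= min_domains and len({split_domain(n)[1] for n in names}) >= min_tlds:
            alerts[client] = {"domains": sorted(names), "nxdomain": nxdomain[client]}
    return alerts
```

A single generated-looking lookup (as from host 10.0.0.7 here) stays below the threshold; the burst across TLDs from 10.0.0.5, mostly unresolved, is what triggers the alert.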

When Gameover successfully infects a computer it steals online banking credentials, credit card account numbers and other sensitive information. It will also try to communicate with an active node in the P2P botnet to perform an update and version check on the malware. Gameover uses RC4 encryption to communicate with remote nodes and servers in the botnet. As security vendors become better at detecting Gameover, the criminals behind Gameover continue to change their tactics to avoid detection. Recent versions of the Upatre downloader download Gameover as an encrypted .ENC file, a format that is not detected as an executable by most network perimeter security appliances. This file is then decrypted by the version of Upatre attached to the phishing email and executed on the victim's machine.

Additional Features

DDoS
Attackers that use Gameover to steal information have also used DDoS attacks in conjunction with information stealing as a distraction or “smoke screen” to hide the true nature of the attack. In these cases, DDoS attacks have been launched shortly after the credentials have been stolen to hide the fact that they have been stolen, or to slow down detection while the attack is still underway. DDoS attacks have also been used to prevent victims from accessing their online accounts or to stop their employees from browsing the internet. To launch these attacks, commercial crimeware kits such as DirtJumper or Russkill have been used.

Rootkits
Another new Gameover variant includes code from the Necurs rootkit. The Necurs rootkit increases the difficulty in detecting the malware, as well as successfully removing it. This allows hosts to be infected for longer periods of time, thus losing a larger amount of data to the attackers.

Infection Methods

Gameover targets victims through mass email phishing campaigns typically impersonating online retailers, cellular phone companies, social networking sites and financial institutions, alleging there is a problem with their account. CCIRC has also observed email campaigns with attachments containing the Zeus variant disguised as airline itineraries and delivery notifications from the post office. The actor behind the campaign employs large spam email botnets to distribute the impersonating emails, usually asking the recipient to click a link or open an attachment related to an email theme (an alleged account issue with various brands, an alleged travel itinerary, an alleged receipt for package delivery, etc.).

Attackers have been known to inject content into browsing sessions typically owned by job seekers and recruiters to gain additional log-in credentials. Gameover has been observed targeting popular job recruiting websites. Targeting these accounts gives attackers the potential to access credentials of individuals who may manage large financial accounts.

Exploit kits such as Blackhole have been used as the initial infection vector by exploiting vulnerabilities in web browsers and their plugins, such as Adobe Reader, Adobe Flash and Oracle's Java, to deliver a downloader Trojan such as Pony or Upatre. The downloader will then download and install Gameover onto the victim's machine. The benefit of using a downloader Trojan as the delivery vehicle is its small size and simplicity, which make it harder to detect and less suspicious. In addition, some downloaders have special features, such as using an encrypted SSL connection to download and execute a file from a hard-coded URL, as in the case of Upatre.

Pony downloader is a freely available kit that will retrieve the Gameover malware from compromised websites, typically hard-coded in the Trojan. Pony will also steal the victim's credentials for various installed programs and then send the information back to a Pony command and control server using encrypted communications. Botnet operators can then access the stolen credentials through a web portal provided by Pony.

Suggested Actions

CCIRC recommends that organizations review the following actions and consider their implementation in the context of their network environment.

References

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
