Zeus Gameover Infection Recovery Guide
Date: 2 June 2014
The content of this report is for information purposes only. Links to websites not under the control of the Government of Canada are provided solely for the convenience of users. The Government is not responsible for the accuracy, currency or reliability of the content. Each individual user is to make decisions of use based on respective needs and technical capabilities.
This report is intended for organizations within federal, provincial/territorial and municipal governments; critical infrastructure; and other related industries that may have computer systems affected by Gameover Zeus. Non-technical audiences are invited to visit GetCyberSafe.ca to learn more about Gameover Zeus. For detailed technical information, please see CCIRC’s Information Note IN14-001 Gameover Zeus.
The purpose of this product is to provide guidance on how to recover from computer system infection by Gameover Zeus.
Gameover is one variant of Zeus, an information-stealing Trojan built with the Zeus toolkit. The toolkit is a development kit maintained by its authors and sold to attackers; it generates the Zeus Trojan executable and provides the administration panel for a Zeus botnet. Zeus has been in circulation for a number of years and is structured around a centralized command and control infrastructure.
While Gameover Zeus shares many characteristics with the original Zeus Trojan, it replaces the centralized command and control servers with a peer-to-peer network, which makes it much more resilient to takedown efforts. Like the other Zeus variants, it is primarily used to steal online banking credentials but can also be used to steal other types of data from both private users and organizations. It targets devices running Microsoft Windows and is mainly distributed through exploit kits, phishing emails, drive-by downloads from compromised websites, and physical media such as USB memory sticks.
Once a system is infected with Gameover Zeus, it also becomes part of a botnet controlled by the botnet operator, who may rent it to other malicious actors for a fee. Botnets can be used to send spam email that spreads malware, launch attacks against computers, servers and websites, and commit various types of fraud.
Removing Gameover Zeus Infections
As security vendors improve their detection of Gameover Zeus, its creators continually update the Trojan with new features to make it harder to find and remove. The longer a victim remains infected, the more data the Trojan can steal, so evading detection is a lucrative goal for the attackers. Because the Trojan harvests credentials, any passwords and banking credentials used on an infected system should be changed from a known-clean device once the infection has been removed. Below is a list of third-party tools that can assist in removing Gameover Zeus infections.
The following links to popular tools are provided for information purposes only and should not be interpreted as an endorsement of any particular tool or technology:
- F-Secure Online Scanner (Windows Vista, 7 and 8)
- F-Secure Rescue CD (Windows XP systems)
- Heimdal Security: http://goz.heimdalsecurity.com/ (Windows XP, Vista, 7, 8 and 8.1)
- Microsoft: http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, 8, 7, Vista and XP)
- Sophos: http://www.sophos.com/VirusRemoval (Windows XP SP2 and above)
- Trend Micro: www.trendmicro.com/threatdetector (Windows XP, Vista, 7, 8/8.1, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2)
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note that CCIRC's PGP key has recently been updated.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118