Zeus is a family of banking malware first discovered in 2005. GameOver Zeus is a later, more advanced variant of the original Zeus account-stealing trojan. It steals online banking credentials with keylogging and web-inject scripts, and it was also used to deliver the CryptoLocker ransomware, which gave the operators a second way to extract a payout from an infected machine. Unlike earlier Zeus builds, which reported to a central command-and-control server, GameOver Zeus infections form a botnet whose members talk to each other over a peer-to-peer (P2P) protocol.
History of GameOver Zeus
In 2010, Slavic announced that he would no longer maintain Zeus and handed the codebase to others, who quickly produced variants. A group known to researchers as “JabberZeus” ran one such operation, and the Murofet/Licat variant appeared in the same period. The Zeus source code later leaked publicly (in 2011), which led to even more variants being released in the wild.
The Murofet/Licat line was the base from which GameOver Zeus developed. GameOver Zeus added peer-to-peer command and control to the code and, from 2013, was used to deliver the CryptoLocker ransomware. The operators did not abandon credential theft; they added ransomware as a second way to monetize infected machines, extorting victims directly instead of relying only on fraudulent transfers.
In 2014, law enforcement and security researchers (Operation Tovar) disrupted the GameOver Zeus infrastructure by seizing the domains the malware used as a fallback channel and cutting the bots off from the peer-to-peer network. A new variant named “newGOZ” appeared within weeks, but it was not active for long and may have been a distraction for researchers while the malware authors reworked their infrastructure.
How GameOver Zeus Works
Because Zeus is a large family of malware, every variant differs in its mode of attack and payload. GameOver Zeus is distinguished by its peer-to-peer command and control and by its role as a loader: after it infects a device, it can download and install additional malware on command, most notably the CryptoLocker ransomware.
GameOver Zeus spreads through malicious email messages that carry an attachment or a link to an attacker-controlled server. A user who opens the attachment or follows the link installs the malware, which adds the computer to the botnet. There is no single command-and-control server to take down: each bot exchanges configuration updates, commands and stolen data with other infected peers, and a bot that cannot reach any peer falls back to contacting algorithmically generated domains that the operators register in advance.
Once installed, GameOver Zeus waits for the user to open their online banking site in the browser. Its web-inject scripts rewrite the bank’s pages inside the browser, adding fields that ask for extra details such as security questions, so the attackers can log in to the victim’s account and make fraudulent transactions. It also steals session cookies and IDs, which servers use to recognize a user who is already logged in to a web application.
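The web-inject mechanism described above is driven by a text configuration (the Zeus-family `webinjects.txt` format) that pairs a URL mask with the HTML to splice into the bank’s page. The following is an added example, not code from the original page or from the malware: it parses a constructed config in that format, applies it to a constructed login form, and then lists the form fields the inject added, which is what an analyst looks for when triaging a recovered config. The bank domain, field names and inject text are invented. The example treats `data_inject` as replacing whatever lies between the `data_before` and `data_after` matches, which is a simplification of how different Zeus-family builds handle the three parts.

```python
import re
from dataclasses import dataclass

# Constructed sample in the webinjects.txt format used by Zeus-family trojans.
# The bank domain, field names and wording are invented for this example.
SAMPLE_CONFIG = """\
set_url https://online.example-bank.test/login* GP
data_before
name="password"*>
data_end
data_inject
<br>Security question (mother's maiden name): <input type="text" name="sq1"><br>
data_end
data_after
<input type="submit"*>
data_end
"""

# Constructed stand-in for the bank's real login page.
SAMPLE_PAGE = """<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>"""


@dataclass
class WebInject:
    url_mask: str      # URL pattern; '*' is a wildcard
    flags: str         # G = apply to GET, P = apply to POST (other letters ignored here)
    before: str = ""   # HTML fragment after which to inject
    inject: str = ""   # HTML to insert
    after: str = ""    # HTML fragment before which to inject


def mask_to_regex(mask):
    """Turn a Zeus-style mask ('*' wildcard, everything else literal) into a regex."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def parse_webinjects(text):
    """Parse set_url / data_before / data_inject / data_after / data_end blocks."""
    injects, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end" and current is not None and section is not None:
            setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)
    return injects


def select_injects(injects, url, method):
    """Injects whose URL mask matches the request and whose flags include its method."""
    return [i for i in injects
            if re.fullmatch(mask_to_regex(i.url_mask), url)
            and method[0].upper() in i.flags.upper()]


def apply_inject(html, inj):
    """Replace the span between the data_before and data_after matches with data_inject.
    With no data_after, insert right after data_before. Returns html unchanged on no match."""
    m_before = re.search(mask_to_regex(inj.before), html, re.DOTALL) if inj.before else None
    if m_before is None:
        return html
    start = end = m_before.end()
    if inj.after:
        m_after = re.search(mask_to_regex(inj.after), html[end:], re.DOTALL)
        if m_after is None:
            return html
        end += m_after.start()
    return html[:start] + inj.inject + html[end:]


def injected_field_names(original, modified):
    """Form field names present after injection but not before: what the config harvests."""
    def names(h):
        return set(re.findall(r'<input[^>]*\bname="([^"]+)"', h))
    return sorted(names(modified) - names(original))


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_CONFIG)
    page = SAMPLE_PAGE
    for inj in select_injects(injects, "https://online.example-bank.test/login?lang=en", "GET"):
        page = apply_inject(page, inj)
    print(page)
    print("fields added by inject:", injected_field_names(SAMPLE_PAGE, page))
```

Because the rewrite happens inside the victim’s browser after TLS is terminated, the bank’s server never sees the extra field; only the stolen value, posted by the inject to the attackers, does. Diffing the field names of a clean page against the injected page is a quick way to catalogue what a recovered config is after.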
The main goal of GameOver Zeus is to extract money from victims. The botnet steals bank credentials and, where possible, transfers funds from the victim’s online bank account to accounts the attackers control. The human factor is what sets this operation apart from the malware alone: money mules withdraw the stolen funds from bank accounts in the victims’ own countries and forward them to the attackers’ offshore accounts.
GameOver Zeus runs in the background on a Windows computer and continuously harvests personal or corporate information, including data stored in browsers and in Windows Protected Storage. Peer-to-peer traffic is encrypted, so communication between bots and the backend is difficult to distinguish from ordinary traffic and there is no single server address to block. Stolen information is relayed through other peers in the botnet back to the operators.
The botnet’s primary activity is communication between infected machines, and the operators can rent parts of the network to other criminals to deliver their own malware. Only the operators (Slavic) can push commands or new versions: configuration and binary updates are signed with the operators’ private key, and peers reject updates that do not carry a valid signature, which prevents researchers or rivals from hijacking the network by simply joining it.
CryptoLocker gives the operators a payout even when credential theft fails or the victim’s account is not worth draining. It functions like most ransomware: for each file it generates a random symmetric key (AES), encrypts the file with it, and wraps that key with an RSA-2048 public key obtained from the attackers’ server. The matching private key never reaches the victim’s machine and is released only after the ransom is paid, so the files cannot be decrypted without it.
Other sensitive data Zeus steals:
- Data submitted in HTTP forms is intercepted before it is sent.
- Any data in Windows Protected Storage is stolen and sent to the attackers.
- Client certificates and private keys used in public key infrastructure (PKI).
- FTP and POP (email) account credentials.
- Cookies for HTTP and Flash applications.
Losses Through GameOver Zeus
Because Zeus and GameOver Zeus have been around for over a decade, the damage to businesses and consumers runs into the millions. Zeus activity peaked between 2011 and 2014. GameOver Zeus, as a later variant, did most of its damage in 2014. It remains sophisticated malware that enterprise organizations should actively defend against.
According to the FBI, GameOver Zeus has infected over 250,000 computers and has been responsible for over $100 million in monetary losses. CryptoLocker, distributed through the GameOver Zeus botnet, is responsible for an estimated $27 million in ransom payments by consumers and businesses. University of Kent research estimates that 40% of CryptoLocker victims paid the ransom.
The US Department of Justice indicted Slavic and conspirators involved in the fraud ring, and the FBI offered a reward of millions of dollars for information related to the Zeus network. Still, variants continue to plague businesses and consumers. The botnet component of Zeus affects consumers and businesses alike, and it’s difficult to detect Zeus on an affected machine.
Several individuals in the United States, United Kingdom, and Ukraine are the subject of search warrants and have been charged with fraud. It’s estimated that 390 FBI cases involve Zeus malware. Over $220 million in attempted losses have been recorded, with $100 million in actual losses.
Prevention of GameOver Zeus
Because GameOver Zeus starts with a phishing email, the first defense against Zeus and other malware is a good email security solution. The second is education. Training employees through a security awareness program is vital: users who can recognize suspicious emails measurably reduce the risk of a business falling victim to ransomware. Additional measures such as attachment and link filtering, and administrator alerts when a filter fires, should be in place to stop such messages from reaching the user’s inbox at all.
Most phishing emails related to GameOver Zeus ask the user to click a malicious link or open an attachment (typically a zip archive containing an executable disguised as an invoice or document). Enterprise content filters help stop access to the malicious websites behind the links, but users should also be encouraged to report suspicious emails. Antivirus stops some malware installers, but it should not be the only defense against drive-by downloads.
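The attachment filtering recommended above can be done on message content rather than trusting file names alone. The following is an added example, not code from the original page or from any Proofpoint product: it builds a constructed lure message (an “invoice” zip holding a double-extension executable, addresses and names invented), then scans every attachment, looking inside zip archives, for executable extensions, decoy double extensions, and files whose bytes start with the `MZ` header of a Windows executable regardless of their name. The extension lists are assumptions for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute directly, and the document types that a
# double-extension lure (invoice.pdf.exe) imitates. Both sets are assumptions
# for this example and would be tuned per environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def build_sample_eml():
    """Constructed lure (not a real campaign message): an 'invoice' zip holding
    a double-extension executable. Addresses and names are invented."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' is the header signature every Windows PE file starts with; the rest is filler.
        zf.writestr("Invoice_2014-06-02.pdf.exe", b"MZ" + b"\x00" * 62)
    msg = EmailMessage()
    msg["From"] = "billing@example-vendor.test"
    msg["To"] = "ap@example-corp.test"
    msg["Subject"] = "Overdue invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    return msg.as_bytes()


def _extensions(name):
    """All dotted suffixes of a file name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def classify_file(name, head):
    """Findings for one file given its name and its first bytes."""
    findings = []
    exts = _extensions(name)
    if exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"{name}: executable extension {exts[-1]}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            findings.append(f"{name}: double extension disguised as {exts[-2]}")
    elif head[:2] == b"MZ":
        # Content check catches renamed executables (report.pdf that is really a PE).
        findings.append(f"{name}: PE header under a non-executable name")
    return findings


def scan_attachment(name, data):
    """Classify an attachment and, for zip archives, each member by name and header."""
    findings = classify_file(name, data[:64])
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    with zf.open(info) as fh:
                        head = fh.read(64)   # header only; never fully extract a possible zip bomb
                    findings += [f"{name} -> {f}" for f in classify_file(info.filename, head)]
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archives (a common lure) cannot be inspected.
            findings.append(f"{name}: zip could not be inspected")
    return findings


def scan_email(raw_bytes):
    """All findings across a message's attachments; an empty list means nothing matched."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        findings += scan_attachment(name, data)
    return findings


if __name__ == "__main__":
    for finding in scan_email(build_sample_eml()):
        print("ALERT:", finding)
```

A gateway rule built on these checks would quarantine the message and raise the administrator alert mentioned above rather than deliver it; the archive is inspected by reading only each member’s header, so an oversized or nested archive cannot exhaust the scanner.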
Enterprise-level antivirus and anti-malware applications help stop malware from embedding itself into the Windows operating system. All applications, including browsers and the Windows operating system, should have the latest security patches installed. Outdated software with known vulnerabilities is a common reason for malware infections.
GameOver Zeus steals passwords and sensitive data related to bank accounts, so changing your banking passwords after a suspected infection (from a clean device) cuts off the attacker’s access. If your bank’s account dashboard offers a way to revoke or de-authenticate sessions, log out all sessions, because the malware also steals session IDs. Enable multi-factor authentication where the bank offers it, keeping in mind that web injects can also prompt for one-time codes, so it raises the bar rather than removing the risk. Most reputable banks have anti-fraud detection for online accounts, but you should not rely solely on those systems to stop remote access to your accounts.
Is GameOver Zeus Gone?
It might not be as popular as in previous years, but GameOver Zeus is still a threat to consumers and businesses. Since its initial release in 2005, Zeus has had several variants deployed by various attackers. GameOver Zeus is just one variant, but others include Panda Banker, Terdot, Floki, Sphinx, and Citadel.
It was rumored that Slavic intended to sell his code to the author of a competing trojan, SpyEye, which even included a feature to remove Zeus from machines it infected so that it could take them over. Reports said that Slavic retired and handed over his code, but researchers found evidence that he continued building more robust Zeus code for banking theft. Instead of selling the code outright, Slavic rents out or sells Zeus access privately.
The code for Zeus is available on darknet markets and in hacking circles, providing a solid foundation for malware authors. Its peer-to-peer design suits sophisticated fraud groups willing to set up their own infrastructure and build their own version. Zeus was originally a banking trojan, but ransomware has proven lucrative for attackers, and GameOver Zeus showed that combining trojan activity with ransomware increases the chance of a payout.
Organizations that enforce proxy and firewall policies can block Zeus communications, for example by allowing outbound web traffic only through an authenticated proxy, which the malware’s direct peer connections cannot use. Blocking peer IP ranges in an emergency might also stop legitimate traffic and interfere with employee productivity. During its peak, Zeus had 1.2 million computers under attacker control, so blocking IP ranges might be necessary to cut off peer communication in an emergency, but it might not be possible without causing downtime.
Anti-malware that specifically detects ransomware behavior and sophisticated malware such as Zeus is necessary, especially in a corporate environment. Signature-based antivirus blocks known domains and executables, but it lacks the behavioral detection and containment capabilities of more sophisticated endpoint security.
Later GameOver Zeus versions bundle the Necurs rootkit, which hides the infection and makes it more challenging to remove Zeus fully. Zeus will make aggressive efforts to keep communicating with its peers and to infect more computers, so an equally aggressive anti-malware defense is essential.
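One network-side signal that does not require decrypting the peer-to-peer traffic is the fallback behaviour: a bot that the proxy or firewall has cut off from its peers starts resolving algorithmically generated domains, most of which do not exist, so the resolver log fills with NXDOMAIN answers for random-looking names from one host. The following is an added example, not code from the original page or from any vendor: it runs a simple DGA heuristic (character entropy and vowel ratio of the registered label) over constructed resolver log lines and reports hosts that cross an alert threshold. The log format, thresholds and host names are assumptions for the example.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not from a real incident). Host ws-17 shows the
# burst of failed lookups for random-looking names that a DGA fallback produces
# when a bot cannot reach its peers; ws-22 shows ordinary traffic with one typo.
SAMPLE_DNS_LOG = """\
2014-06-02T10:15:01 host=ws-17 qname=kzqvfmnwpltbdxa.com rcode=NXDOMAIN
2014-06-02T10:15:01 host=ws-17 qname=xrtpvhqzmlwkbdn.net rcode=NXDOMAIN
2014-06-02T10:15:02 host=ws-17 qname=bnqwzvktrmlhpxd.org rcode=NXDOMAIN
2014-06-02T10:15:02 host=ws-17 qname=ptzwrkxvqlmhdbn.biz rcode=NXDOMAIN
2014-06-02T10:15:03 host=ws-17 qname=vqlzkmxwprtnhbd.com rcode=NXDOMAIN
2014-06-02T10:15:03 host=ws-17 qname=mail.example-corp.test rcode=NOERROR
2014-06-02T10:15:04 host=ws-22 qname=www.example-corp.test rcode=NOERROR
2014-06-02T10:15:05 host=ws-22 qname=update.example-vendor.test rcode=NOERROR
2014-06-02T10:15:06 host=ws-22 qname=wwww.example-corp.test rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character over the label's character distribution."""
    if not s:
        return 0.0
    return -sum((n / len(s)) * math.log2(n / len(s))
                for n in (s.count(c) for c in set(s)))


def registered_label(qname):
    """Label left of the TLD ('example-corp' in 'www.example-corp.test').
    Simplification: a real deployment would consult the public suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label, min_entropy=3.5, max_vowel_ratio=0.2):
    """Heuristic for DGA-style labels: many distinct characters and almost no vowels.
    Thresholds are assumptions for this example, not tuned values."""
    vowel_ratio = sum(c in VOWELS for c in label) / max(len(label), 1)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def score_hosts(lines):
    """Per host: number of distinct NXDOMAIN answers for DGA-looking names."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        label = registered_label(m["qname"])
        if looks_generated(label):
            seen[m["host"]].add(label)
    return {host: len(labels) for host, labels in seen.items()}


def flag_hosts(lines, threshold=5):
    """Hosts whose count of DGA-looking NXDOMAIN answers reaches the alert threshold."""
    return sorted(h for h, n in score_hosts(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_DNS_LOG.splitlines()
    print(score_hosts(lines))   # {'ws-17': 5}
    print(flag_hosts(lines))    # ['ws-17']
```

The typo `wwww.example-corp.test` also returns NXDOMAIN but its label has a normal vowel ratio and low entropy, so a single failed lookup does not trip the rule; only a host producing a run of distinct random-looking failures is flagged, which is the host to isolate first.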
Organizations need more advanced detection, containment, and incident response to protect from Zeus and other aggressive and sophisticated malware. Combining the right strategies to build secure infrastructure and install antivirus software and anti-malware helps reduce the risk of a Zeus infection.
How Proofpoint Can Help
Proofpoint understands the cybersecurity landscape and the dangers of allowing malware like GameOver Zeus to infect a computer. A Zeus infection is more than just remediation on one workstation. Zeus will quickly spread across your entire environment and must be contained immediately.
Proofpoint can help stop malware and protect your email system from being the start of the attack. We offer proactive solutions that prevent malicious email messages, block harmful malware from infecting your environment, and eradicate and remediate the most dangerous threats in the wild.