Precautions to be taken to countermeasure GameOver Zeus(GOZ)


Postby Prasad » June 26th, 2014, 1:26 pm

GameOver Zeus (GOZ) is a peer-to-peer variant of the well-known bank credential-stealing Trojan Zeus. It uses a decentralized network infrastructure of compromised personal computers and web servers for command-and-control.
The malware is appropriately called “Gameover” because once it is on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it is definitely “game over.”
Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.

GOZ is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim's computer. To date, GOZ activity has led to the loss of millions of dollars through fraudulent Automated Clearing House (ACH) transactions and wire transfers. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.

The schematic below shows how the fraud works:
[Figure: How the Fraud Works]


The Gameover malware mainly performs the following functions:
1) Steals banking and Bitcoin exchange credentials, using a diverse set of features to capture information from a victim through keystroke logging, form grabbing, credential scraping, HTML injection, etc.
2) Implements a decentralized P2P infrastructure for C2 communication (supports both IPv4 and IPv6)
3) Defends itself by installing a kernel-mode rootkit
4) Launches distributed denial-of-service (DDoS) attacks (with the Dirt Jumper DDoS kit)

Due to the malicious payload of the GameOver Zeus trojan, infected systems may participate in large-scale spamming and other malicious activities, causing the associated IPs to be blocked in spam blacklists and downgrading the reputation of the related ASNs and ISP; finally, customers face problems while browsing websites.

In view of this, Tikona (TDN) requests users to disinfect their systems and take the countermeasures suggested below to prevent such incidents.

Recommendations and countermeasures:

1) Keep antivirus, operating system, and browser software up to date.
2) Do not follow unsolicited web links or open attachments in email messages. Filter email, scan email attachment contents, and consider blocking executable file types.
3) Deploy advanced malware protection devices in-line with incoming email streams containing malicious file attachments as well as subsequent file downloads.
4) Implement end-point controls on users' computers to help limit the opening of malicious file attachments and to catch malware installation / execution.
5) Apply post-infection controls such as firewall policies, web proxies, file downloads over HTTPS, and associated log monitoring to identify anomalies.
6) Protect yourself against social engineering attacks.
7) Exercise caution while visiting websites.
8) Enable firewall at Desktop and gateway level.

Users are advised to scan their computers and remove the malware if found.
The one-click test http://campaigns.f-secure.com/en_global/zeus/ols/ was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware’s aggressive URL matching algorithm.

Removal Tools:
http://www.f-secure.com/en/web/home_glo ... ne-scanner (Windows Vista,7 and 8)
http://www.f-secure.com/en/web/labs_glo ... l/view/142 (Windows XP)
http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
http://www.microsoft.com/security/scann ... fault.aspx (Windows 8.1,Windows 8, Windows 7, Windows Vista, and Windows XP)
http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
http://www.symantec.com/connect/blogs/i ... me-network (Windows XP, Windows Vista and Windows 7)
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista,Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

Reference from:
>CERT
>Wiki
>www.microsoft.com
Regards,
Prasad Bhatte
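Recommendation 2 above calls for scanning attachments and blocking executable file types. The script below is an added example, not part of the original post, showing one way a mail gateway can implement that check: it flags attachments by extension, by the MZ header that Windows executables carry even when renamed, and by executables packed inside a zip. The extension list and the sample message are constructed assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions commonly used to deliver Windows executables (assumed policy list, extend as needed)
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")
MZ_MAGIC = b"MZ"  # DOS stub header that every Windows PE file starts with


def is_executable(filename: str, data: bytes) -> bool:
    """Flag an attachment by name, by PE magic bytes, or by executables inside a zip."""
    name = (filename or "").lower()
    if name.endswith(EXECUTABLE_EXTS):
        return True
    if data[:2] == MZ_MAGIC:  # a renamed .exe (e.g. "statement.txt") still starts with MZ
        return True
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.filename.lower().endswith(EXECUTABLE_EXTS):
                    return True
                # encrypted entries (flag bit 0) cannot be read without the password; skip them
                if not info.flag_bits & 0x1 and zf.read(info)[:2] == MZ_MAGIC:
                    return True
    return False


def flagged_attachments(raw: bytes) -> list:
    """Parse a raw RFC 822 message and return the names of attachments that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_executable(part.get_filename(), data):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


def build_sample() -> bytes:
    """Constructed sample: a PDF-like part, a renamed PE, and a zip wrapping an .exe."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("report.exe", b"MZ\x90\x00constructed")
    msg = EmailMessage()
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00constructed", maintype="application", subtype="octet-stream", filename="statement.txt")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return bytes(msg)
```

Running `flagged_attachments(build_sample())` returns `['statement.txt', 'archive.zip']`; the benign `invoice.pdf` passes.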