Is it gameover for Zeus?
By Fred Touchette, AppRiver
The Zeus family of malware has been around for quite some time now, since 2007 to be
exact. The ever-changing strain has been focused on stealing bank account credentials from
those who have been unlucky enough to fall victim to its bait.
In the very beginning, Zeus was sold as a malware kit on underground forums for several
thousand dollars, with various plugins offered as add-ons at à la carte pricing. This went
on for years as Zeus dominated the malware scene. But eventually, varying forms of Zeus'
code began to appear online for free, and it wasn't long before amateur cybercriminals
were compiling their own versions of the ubiquitous strain.
Frustrated with the freely available rogue versions of his software, Zeus creator SpyEye
threw in the towel and stopped supporting his creation altogether. But that didn't prevent
Zeus-like malware from spreading and infecting thousands of users. Now in the hands of
cybercriminal groups, the malware spread around the globe by way of botnets (many, many
botnets). It was only a short time later that a new variant called 'Gameover Zeus' or 'GOZ'
hit the interwebs.
Gameover Zeus was operated by a single group located in Russia and Ukraine. The
malware had new capabilities and operated using a peer-to-peer communication architecture
that made it difficult for White Hats to pin down. An infected bot, for example, simply relied
on another infected bot for instructions. And since the bots were not communicating with a central
command-and-control server, the botnet became increasingly difficult to track and conquer.
Gameover Zeus was ultimately responsible for the download and installation of malicious
payloads that included the now-infamous piece of ransomware known as CryptoLocker, as
well as other downloaders such as PonyLoader, Jolly Roger, BeeBone and Pushdo, the last of which is known
for adding bots to the Cutwail botnet.
Operation Tovar
The group responsible for Gameover Zeus enjoyed Internet freedom for quite some time.
But in June 2014, several foreign countries banded together with the U.S. Department of
Justice, the FBI, the U.K. National Crime Agency and Europol, which then also teamed up with
security and academic researchers to fight the malware. By working together, these groups
were able to take down a highly aggressive botnet, which allowed Internet users to enjoy a
collective sigh of relief, even if the relief was short-lived.
1-Up
In July 2014, we started to see a new form of life stirring from what we thought was a
departed botnet. Fake e-statements hit email inboxes that claimed to be from a company
called ‘Cards OnLine,’ and in typical fashion these emails had an attachment that looked like
33 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide