GameOver Zeus: Three Things You Should Know

The Zeus banking Trojan is a popular topic in the security world these days. It’s not new, but it still garners attention as one of the most successful and prolific Trojans in use today.

Banking Trojans hide on infected machines and intercept activity related to the user’s finances: bank account logins, investment information, even purchases on sites like eBay. This differs from phishing. With phishing, the end user is lured to a fake website and made to believe they are logging in to the official one. With a banking Trojan like Zeus, the user is infected, but is never redirected anywhere.

Instead, he or she is interacting with the real banking, investing, or retail website and completing a legitimate transaction. While that activity takes place, however, keystrokes are being logged, and screenshots may be taken and transmitted to the attackers’ C&C server. Usernames, passwords and security questions are all monitored, recorded and sent to the attackers. All of this happens silently: once a machine is infected, there is no sign that an Internet session is anything but private.

Since the 2011 leak of the Zeus source code, a host of Zeus variants has been unleashed on an unsuspecting public. Cybercriminals leaped at the opportunity to build their own variants, diversifying both the traits and the abilities of the Zeus family. Some of those variants, such as Ice IX and Citadel, have garnered attention for their huge successes.

Perhaps the most successful Zeus variant to date, GameOver Zeus, was responsible for 38% of banking Trojan activity in 2013. In this post, we’ll explore three things that you need to know about GameOver Zeus.

#1: The difference between GameOver Zeus and other Zeus variants.

While other prominent Zeus variants, and their associated botnets, rely on centralized command and control infrastructure, GameOver uses a distributed peer-to-peer botnet. Instructions, configuration and binary updates can arrive from virtually any other infected machine, and each peer checks the signature on what it receives, so a defender cannot simply inject bogus instructions into the network. That is a large part of the Trojan’s success: there is no single server to seize or block, and nailing down the point of origin for any given instruction is incredibly difficult, if not nearly impossible.
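With no central C&C address to block, the network-side check a defender can still run is a behavioural one: an ordinary client talks UDP to a handful of servers, while a peer-to-peer bot talks UDP to many distinct, unrelated external addresses. The following Python is an added example written for this post, not PhishMe’s code and not a GameOver Zeus signature (GameOver’s actual peer protocol, ports and peer lists are not described here). The flow records are constructed, and the thresholds, the benign-port list and the “internal = RFC 1918” rule are assumptions to tune for a given network.

```python
"""Flag internal hosts whose outbound UDP traffic fans out to many distinct
external peers, a generic heuristic for peer-to-peer botnet membership.

Added example for this post, not PhishMe's code and not a GameOver Zeus
signature.  Flow records are constructed; thresholds, the benign-port list
and the RFC 1918 "internal" rule are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Treat only RFC 1918 space as internal.  (ipaddress.is_private would also
# match the documentation ranges used in the sample below, so it is avoided.)
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# UDP ports on which one host legitimately talks to many external peers (assumed).
BENIGN_UDP_PORTS = {53, 123, 443, 3478}   # DNS, NTP, QUIC, STUN

# Constructed flow records: (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    # 10.0.0.5: normal client, DNS/NTP to a couple of servers plus HTTPS
    ("10.0.0.5", "203.0.113.53", "udp", 53),
    ("10.0.0.5", "203.0.113.53", "udp", 53),
    ("10.0.0.5", "198.51.100.1", "udp", 123),
    ("10.0.0.5", "192.0.2.80", "tcp", 443),
    # 10.0.0.9: two high-port UDP peers, below the alerting threshold
    ("10.0.0.9", "192.0.2.40", "udp", 27015),
    ("10.0.0.9", "192.0.2.41", "udp", 27015),
    # 10.0.0.7: UDP to six distinct external addresses on assorted high ports
    ("10.0.0.7", "198.51.100.23", "udp", 20113),
    ("10.0.0.7", "203.0.113.77", "udp", 31500),
    ("10.0.0.7", "192.0.2.150", "udp", 9876),
    ("10.0.0.7", "198.51.100.201", "udp", 41220),
    ("10.0.0.7", "203.0.113.5", "udp", 12345),
    ("10.0.0.7", "192.0.2.9", "udp", 5050),
    ("10.0.0.7", "192.0.2.9", "udp", 5050),        # repeat peer, counted once
    ("10.0.0.7", "10.0.0.2", "udp", 5050),         # internal destination, ignored
]


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def peer_fanout(flows, min_peers=5):
    """Return {src_ip: [distinct external UDP peers]} for every internal host
    with at least min_peers distinct peers on non-benign UDP ports."""
    peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport in BENIGN_UDP_PORTS:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        peers[src].add(dst)
    return {src: sorted(p, key=ip_address)
            for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, plist in peer_fanout(SAMPLE_FLOWS).items():
        print(f"{host}: {len(plist)} distinct external UDP peers -> {plist}")
```

On real flow data the interesting tuning knob is the time window: a P2P bot keeps refreshing its peer list, so a host that exceeds the threshold every hour is far more suspicious than one that does so once.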

#2: GameOver Zeus is the most versatile Zeus variant.

GameOver Zeus is the most versatile of the Zeus variants and enjoys the advantage of being distributed via email attachments and downloaders, or through URLs in emails that point to online exploit kits. Those same exploit kits are also used in drive-by attacks on the Web and are reached via malvertising that directs traffic to the sites. Whichever online medium the victim uses, GameOver has an attack vector to gain a foothold on the system.

Once a machine is infected, it can receive instructions to download even more malicious payloads: other malware that performs a much wider range of malicious actions. PhishMe has observed the GameOver botnet distributing malware aimed at generating more malware-laden spam, stealing Bitcoin and other cryptocurrency wallets from the infected machine, and downloading CryptoLocker. CryptoLocker is ransomware that encrypts a wide range of files on the infected machine (photos, documents, databases, images and other important files), rendering them unusable until a ransom is paid. The encryption is strong enough that, without the attackers’ key, the files cannot be recovered.

#3: Recent changes have made it more likely that Zeus will infect a machine on your network.

Last September, PhishMe saw GameOver’s distributors begin using the Upatre malware downloader, which served largely as a replacement for the more substantial Pony Loader that was abandoned following the fall of the Blackhole exploit kit.

Upatre leaves a smaller footprint and uses simple but effective encryption to hide the GameOver payload as it is downloaded. This more nuanced approach makes less “noise” on infected systems and relies on “throw-away” distribution resources. The change in how GameOver is distributed makes it much harder for the average user to avoid infection, because it reduces the likelihood that he or she will notice anything out of the ordinary.
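Because a downloader like Upatre obscures the payload it fetches with a simple transform, an analyst’s first check on a captured download is usually to try the simple transforms and look for a Windows executable underneath. The following Python is an added example written for this post, not PhishMe’s code and not Upatre’s actual scheme (which varied from build to build); it assumes single-byte XOR, one of the simplest such encodings, and builds its sample blob inline from a minimal fake PE header so it runs offline.

```python
"""Strip a single-byte XOR encoding from a downloaded blob by brute-forcing
the key and checking for the markers of a Windows PE file.

Added example for this post, not PhishMe's code and not Upatre's real scheme;
single-byte XOR is an assumption.  The sample blob is constructed inline.
"""

PE_SIG_OFFSET_FIELD = 0x3C   # e_lfanew: offset of the "PE\0\0" signature


def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at PE\\0\\0."""
    if len(data) < PE_SIG_OFFSET_FIELD + 4 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(
        data[PE_SIG_OFFSET_FIELD:PE_SIG_OFFSET_FIELD + 4], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xor_bytes(data, key):
    """XOR every byte with the same single-byte key (encodes and decodes)."""
    return bytes(b ^ key for b in data)


def brute_force_xor(blob):
    """Try all 256 single-byte keys; return (key, decoded) for the first key
    that yields a plausible PE image, or None if no key does."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def build_fake_pe():
    """Constructed stand-in for a dropped executable: MZ stub, e_lfanew = 0x80,
    PE signature at 0x80, arbitrary filler after it.  Not a runnable binary."""
    image = bytearray(0x100)
    image[0:2] = b"MZ"
    image[PE_SIG_OFFSET_FIELD:PE_SIG_OFFSET_FIELD + 4] = (0x80).to_bytes(4, "little")
    image[0x80:0x84] = b"PE\0\0"
    image[0x84:0x100] = bytes(range(0x84, 0x100))
    return bytes(image)


# What the downloader would retrieve over the wire: the fake PE XORed with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(build_fake_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    hit = brute_force_xor(SAMPLE_BLOB)
    if hit is None:
        print("no single-byte XOR key produced a PE image")
    else:
        key, image = hit
        print(f"key 0x{key:02x} yields an MZ/PE image of {len(image)} bytes")
```

The PE check deliberately requires both the MZ stub and a valid e_lfanew pointing at the PE signature; checking for “MZ” alone produces false hits once you move on to multi-byte or rolling keys.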

In just the past two months, the developers of GameOver Zeus have added functionality to make the malware more persistent and harder to detect, including rootkit functionality borrowed from the prominent Necurs rootkit to prevent removal. Steps have also been taken to frustrate any future attempt to sinkhole the botnet.

Cybercriminals are, and always have been, persistent, savvy, and dynamic. Their continued development of GameOver underscores all three of those traits, and the malware’s track record shows that they are also successful.

How has GameOver Zeus affected your business? Tell us what else you think business leaders should know about GameOver Zeus in the comments section below.

Cybercrime Lessons from HBO’s True Detective

For those who did not follow HBO’s recent hit drama, True Detective, starring Woody Harrelson (as detective “Marty” Hart) and Matthew McConaughey (as detective “Rust” Cohle), it was an intense drama about a seventeen-year struggle to break a serial murder case and bring a sadistic criminal to justice. For those who do know all about True Detective, that is not a surprise.

So, what does a TV murder mystery have to do with fighting cybercrime, and can we learn anything from True Detective? At first, there would appear to be little commonality between murder and cybercrime, doubly so in this case, since one world is real while the other is fictional.

However, I hope that by the end of this article you will agree that, while the crimes are indeed worlds apart, the art and the act of solving them are virtually the same, albeit significantly time-shifted.

Marty and Rust were confronted with a dizzying array of information, some of it factual (at least in the series), and some of it based on conjecture. They struggled to connect what seemed important and chased down a multitude of blind alleys in search of what was real versus what was obfuscated and at best confusing.

In the end, Rust and Marty were able to connect the dots and identify the bad guy and they tracked him down and justice was served – albeit almost costing Marty and Rust their lives.

Easy enough, you say. However, between knowing a killer was at large and bringing that killer to justice lay an intensive effort of investigation and analysis, spread over a seventeen-year period, piecing together many disparate pieces of information to come up with a solution to the mystery.

What many had believed to be several unconnected murders was in fact a collection of ritual murders that were very much connected, but in ways that were revealed only after deep and skillful work by Rust and Marty.

Back to the future and cybercrime.

Financial companies, especially banks and big “e-tailers,” are frequent targets of phishing campaigns and these companies spend significant amounts of money having the phishing sites taken down – usually repeatedly.

What the companies don’t know is that many of these attacks are being carried out by the same criminal. In fact, the same criminal is often attacking several brands, but the banks are seldom aware that there is one serial criminal at work rather than a series of unrelated crimes by several criminals. This is the very same view the police had in True Detective: they did not see, and could not see, the connections among the various attacks.

When Marty and Rust took the time to do a deep analysis of huge volumes of data, their “mostly paper-based” version of Big Data, they were able to solve the crime – it took 17 years, but they did solve it!

Taking 17 years to solve a cybercrime would not be of much use, so Marty and Rust’s tools would not yield a timely solution today; however, their methods would and do.

To be effective in creating holistic solutions against today’s fast-striking cybercriminals, the good guys, just like Rust and Marty, must be able to connect the dots at very deep levels; but today they must do it very quickly.  This is no small requirement given the fantastic volumes of data, information, and apparent disconnected aspects of the crimes.

Fortunately, it can be done. Using patented deep analytics, cyber analysts are able to show that the same cybercriminal is in fact attacking many brands, often simultaneously, and can provide deep intelligence about that criminal, often down to an e-mail address and, in many cases, a Facebook page. Perhaps more valuable from a bank’s perspective is that this intelligence can be used to stop or significantly reduce the criminal’s attacks against the bank’s brand. A major way this is done is by showing companies how to focus their scarce and expensive resources where they are most productive in the battle against the cybercriminals.

In fact, this use of actionable intelligence, whether fed automatically into companies’ firewalls and network devices or used to support law enforcement when desired, is the only effective way to make progress against today’s cybercriminal. We have only to read the headlines every day to know that what may have seemed to work yesterday in preventing cybercrime (it really didn’t work) will not work today against the more sophisticated cybercriminal.

Many “cyber solution” companies claim they provide this “actionable intelligence,” just like many companies claim to be in the “Big Data” business.  The simple test of this claim is for a prospective customer to demand proof.  If the company cannot demonstrate and validate that it can provide real actionable intelligence, then all they have is an ad campaign.  If they do have the actionable intelligence, they will be able to show it clearly and convincingly.

Really “True” Detectives are hard to find.  However, it takes true cyber detectives, using real intelligence and sophisticated methods, to unmask and prevent today’s cybercriminal.

When you need one, be sure to get a True Detective!

Whoops! Army’s attempt at a phishing simulation bombs

At PhishMe, we feel like we’ve done a pretty good job of debunking the idea that you can address the spear phishing threat using the pentest model, but after reading this Washington Post story about a phishing test gone awry, it looks like we still have some work to do.

In this test, an Army combat commander sent an email to a “small group” of Army employees, disguised as a message from their retirement plan provider urging them to log in to their accounts. The email used the name of the Thrift Savings Plan, the actual 401(k)-style retirement plan for most federal employees, and gave no indication that it was a simulated phishing exercise. The result was panic across the DoD as concerned recipients forwarded the email to colleagues and flooded the Thrift Savings Plan customer support line. It took nearly three weeks for the Pentagon to trace the origin of the email.

Will the Target fallout shift focus away from compliance?

While in the check-out line at Target recently, I observed an interesting exchange that shows just how deep the impact from Target’s massive data breach has been. While rummaging for bills in her wallet, the woman in front of me in line asked the cashier whether anyone still used their credit card at Target anymore. The cashier could only shrug, but the fact that two ordinary people were discussing the impact of a data breach was remarkable, and Target’s recent sales numbers show that people aren’t only nervous about using credit cards at Target, they are avoiding the retailer altogether. Only 33 percent of US households shopped at Target in January of 2014, a 22 percent decline from 2013, and Target’s lowest level of shopper penetration in the last three years.

This is bleak news for a company that has already generated an enormous amount of negative publicity that has led to a U.S Senate hearing, a restructuring of Target’s corporate leadership, and even a change in Target’s employee dress code.

Who’s to Blame for the Target Data Breach?

Why, in March 2014, are we still discussing the Target data breach? In a world where ‘news’ literally lasts minutes (OK, maybe hours, or in special cases days), here we are still discussing a data breach that ran from around November 27 to December 15, 2013! What is so special about the Target data breach that warrants all of this media attention?

Well, let’s start by putting the importance of this data breach in context. At the RSA Conference, Tripwire did a survey that revealed the Target data breach has had a larger impact than Edward Snowden’s leaks on cybersecurity budgets and executive awareness. That, in and of itself, underscores its significance. In short, it had a major impact on the business. Executives realized that data breaches can be incredibly expensive. There are remediation costs, of course, but more importantly, reputational costs. The damage to a company’s reputation dwarfs the monetary cost of remediation. We speak with security professionals every day who dismiss the reputational cost to an organization following a breach. Well, to them we say: why not ask Target how insignificant its reputation damage has been?

Yesterday, BusinessWeek issued its take on the Target data breach, and the article shows just how mainstream cyberattacks have become. In its March 13, 2014 story titled “Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It,” BW does a nice job telling the story, complete with a graphic of a target with data spewing out of it. However, I found something else in the article even more interesting.

Here are a couple excerpts:

“Six months earlier the company began installing a $1.6 million malware detection tool made by the computer security firm FireEye (FEYE), whose customers also include the CIA and the Pentagon.”

“…as they [cybercriminals] uploaded exfiltration malware to move stolen credit card numbers – first to staging points spread around the U.S. to cover their tracks, then into their computers in Russia – FireEye spotted them. Bangalore got an alert and flagged the security team in Minneapolis. And then …Nothing happened. For some reason, Minneapolis didn’t react to the sirens.”

“…But then, Target stood by as 40 million credit card numbers – and 70 million addresses, phone numbers, and other pieces of personal information – gushed out of its mainframes.”


For as long as I have been involved in computing (since 1985), we have had performance monitors that alert IT professionals to issues. In security, we have had IDS/IPS and SIEM tools for more than 10 years. So what is this article saying? That even with the newest and coolest security software from FireEye, we still just send alerts and hope somebody takes action.

OK, maybe someone was supposed to do something and didn’t. By the article’s own account, the Bangalore operation did escalate, and it was Target’s security team in Minneapolis that did not react to the FireEye alerts:

“If Target’s security team had followed up on the earliest FireEye alerts, it could have been right behind the hackers on their escape path.”

BW also says that the Symantec Endpoint Protection Target used had detected the malware.


Let’s see, if my fire alarm goes off and I am not home, I wonder who hears it?

Wait, if I do come home – by chance – and my alarm has gone off – my alarm quickly identifies where the smoke is coming from and helps me prioritize what room I need to go to. Wait – that doesn’t happen either.

Oh, and when the alarm goes off, my sprinkler system immediately goes off and the fire department comes. OK, on that last point, the fire department comes because I have an ADT system (not a standalone smoke alarm). And no, I don’t own a sprinkler system.

So, the fact the alarms went off with FireEye and ‘no one noticed’ isn’t so crazy. That happens every day in our own lives.

But let’s be more specific.

Alarms go off with IT products, and specifically security products, every day, all the time. Today’s security professionals need information that is actionable: usable threat intelligence that identifies and prioritizes the indicators of compromise, targets them, and stops or mitigates the attacker’s behavior. That the Target systems raised alarms and no one ‘noticed’ is not so amazing. The question the BW article should ask is why the FireEye system didn’t do something without manual intervention. BW itself reports that the FireEye product could have deleted the malware automatically as it was detected, and that Target’s team had that option turned off, which only sharpens the question. Why isn’t the detection system actually responding, instead of just triggering an alert?

The traditional definition of the steps for security is protect, detect, respond and recover. Target and its vendors clearly had the detection part down. Without the other three steps, however, detection did nothing to stop the Target data breach or limit the damage, which in Target’s case is considerable damage to its reputation. For FireEye, potential customers may now be asking themselves why they should choose a product that did not prevent the massive Target data breach.
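To make the detect/respond gap concrete, here is an added example (not code from PhishMe, FireEye or Target) of an alert pipeline that does more than forward a notification. Each alert is scored by severity, the value of the asset it fired on, and whether its destination matches an indicator feed; alerts above a threshold become containment actions, with critical assets paged to a human rather than isolated automatically, and everything else lands in an ordered review queue. The alerts, the indicator list, the asset tiers and the weights are all constructed for illustration.

```python
"""Turn raw security alerts into a prioritized queue and, for the highest-
confidence ones, concrete containment actions rather than another e-mail.

Added example for this post, not PhishMe's, FireEye's or Target's code.  The
alerts, indicator feed, asset tiers and scoring weights are constructed; a
real deployment would hand the actions to a firewall or EDR API and log each
decision.
"""

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# How much we care about the asset the alert fired on (assumed tiers).
ASSET_TIER = {"workstation": 1, "pos-terminal": 3, "payment-gateway": 4}
CRITICAL_TIER = 4   # never auto-isolate these; page a human instead

# Constructed indicator feed: destinations known to act as staging points.
KNOWN_BAD_DST = {"203.0.113.10", "198.51.100.77"}

# Alert categories that imply data is already leaving.
EXFIL_CATEGORIES = {"exfiltration", "malware-upload"}

# Constructed alerts, as a SIEM might normalize them.
SAMPLE_ALERTS = [
    {"id": 1, "source": "av", "host": "wks-0042", "asset": "workstation",
     "severity": "low", "category": "pup", "dst_ip": None},
    {"id": 2, "source": "sandbox", "host": "pos-1187", "asset": "pos-terminal",
     "severity": "high", "category": "exfiltration", "dst_ip": "203.0.113.10"},
    {"id": 3, "source": "ids", "host": "wks-0099", "asset": "workstation",
     "severity": "medium", "category": "scan", "dst_ip": "192.0.2.5"},
    {"id": 4, "source": "sandbox", "host": "pay-gw-02", "asset": "payment-gateway",
     "severity": "high", "category": "malware-upload", "dst_ip": "198.51.100.77"},
]


def score(alert):
    """Severity weighted by asset value, boosted by an IOC match and by an
    exfiltration-type category."""
    s = SEVERITY[alert["severity"]] * ASSET_TIER[alert["asset"]]
    if alert["dst_ip"] in KNOWN_BAD_DST:
        s += 5
    if alert["category"] in EXFIL_CATEGORIES:
        s += 3
    return s


def triage(alerts):
    """Alerts ordered most urgent first."""
    return sorted(alerts, key=score, reverse=True)


def respond(alerts, auto_threshold=12):
    """Return (actions, queue): actions to execute immediately for alerts at or
    above auto_threshold, and the ids of everything else for analyst review."""
    actions, queue = [], []
    for alert in triage(alerts):
        if score(alert) < auto_threshold:
            queue.append(alert["id"])
            continue
        if alert["dst_ip"]:
            action = ("block_egress", alert["dst_ip"])
            if action not in actions:          # one rule per destination
                actions.append(action)
        if ASSET_TIER[alert["asset"]] >= CRITICAL_TIER:
            actions.append(("page_oncall", alert["host"]))
        else:
            actions.append(("isolate_host", alert["host"]))
    return actions, queue


if __name__ == "__main__":
    actions, queue = respond(SAMPLE_ALERTS)
    for action in actions:
        print("ACTION", *action)
    print("for analyst review:", queue)
```

The threshold and the “page, don’t isolate” rule for critical assets are the two knobs that decide how much the system does on its own; the point is that both decisions are made by policy in advance, not by whoever happens to read the alert mailbox.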

YYBC: Don’t lie to your users about compliance

2014 was PhishMe’s 3rd year at RSA. Our growing team allowed me to steal a few hours away from the exhibit floor and attend some excellent sessions. While many of the sessions I attended related to PhishMe’s offering, I also made a point of taking a break to enjoy some fringe topics. A talk entitled “The Dark Web and Silk Road,” with Thomas Brown, Deputy Chief for Cyber at the U.S. Attorney’s Office for the Southern District of New York, was a fascinating view into how Bitcoin is used in illicit underground marketplaces. The presentation was well done and a great play-by-play of how the man behind Silk Road was unmasked and arrested.

Another presentation that really stood out: “Cognitive Injection: Reprogramming the Situation-Oriented Human OS” with Akamai CSO Andy Ellis.