Comment on GameOver Zeus malware from Webroot
June 2014 by Webroot Software
“The first step of the hack is an HTTPS web server that will then act as the distribution point for the GameOver Zeus Trojan horse (GameOver is best known as a banking Trojan hosted on a website and using an encrypted connection to remain undetected). GameOver carries out many of the standard malicious capabilities of Zeus Trojans, like logging victims’ keystrokes to steal banking credentials. However, on this occasion it has also been packaged with malicious functions that allow it to launch DDoS attacks against financial institutions.
“As a second step the hackers leverage their own malware delivery community and will often use a spam botnet to lure victims through sending them a phishing email that contains an “Upatre” attachment (Upatre is an example Trojan downloader, which when executed downloads more malware surreptitiously from its command and control servers.) Users generally fall victim to a phishing email that lets them download, unzip, and view a supposed PDF. When they do that they have just installed the Upatre Trojan downloader.
“The next steps will involve Upatre bringing down the GameOver Zeus malware with Zeus then bringing down, among potentially other things, the CryptoLocker executable. This circle of infection is today a standard pay per download arrangement used by malware writers, and while the scale of this targeted attack is impressive, it is definitely not an unusual type of attack.”
“The most likely route to get infected by the GameOver Zeus Trojan is through opening an email attachment, so users need to remain vigilant. They might be asked to download a PDF or other file through an email that comes from someone they know – users should be suspicious of opening the attachment, especially if it wasn’t expected – even if it’s from a ‘friend’.
“A good precaution against a number of threats is to back-up documents, photos, music etc. to a device that is not directly connected to the user’s PC – so in protected on-line storage or on another hard disk that is unplugged. This is because CryptoLocker will try to infect shared storage devices too. Finally, it’s a no-brainer that users should use a reputable up to date anti-virus programme that has a good firewall.
“However, if someone is unlucky enough to be infected, it will be impossible to recover his or her data without the encryption key. The victim will need to re-image and re-build the PC (for that the Operating System DVD is essential) and after rebuilding the Operating System restore data from the back-up.”
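The lure Webroot describes above (a zipped attachment that the user unzips expecting a PDF, which is really an executable downloader) is something a mail gateway or an analyst can check for mechanically. The script below is an added example and is not Webroot's code or anything from the Upatre or GameOver Zeus campaigns; it builds a constructed sample zip in memory and flags entries whose extension is executable, whose name uses a document-then-executable double extension, or whose bytes start with a PE (MZ) header despite a document-looking name. The extension lists and the sample contents are assumptions chosen for illustration.

```python
import io
import zipfile
from typing import Dict, List

# Assumed extension lists for the check (illustrative, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def build_sample_attachment() -> bytes:
    """Constructed sample: a zip mixing a real PDF with disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Genuine (minimal) PDF: header matches the extension.
        zf.writestr("invoice.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n")
        # Double extension: looks like a PDF in Explorer with extensions hidden.
        # The body is a constructed MZ stub, not a real binary.
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        # Renamed executable: document extension, but PE bytes inside.
        zf.writestr("statement.pdf", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        # Harmless text file for contrast.
        zf.writestr("readme.txt", b"please review the attached invoice\n")
    return buf.getvalue()


def sniff_type(head: bytes) -> str:
    """Classify a file by its leading bytes (magic), independent of its name."""
    if head.startswith(b"MZ"):
        return "pe"
    if head.startswith(b"%PDF"):
        return "pdf"
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def inspect_attachment(zip_bytes: bytes) -> List[Dict]:
    """Return one finding per zip entry: name, sniffed type, and reasons it was flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1].lower()
            exts = ["." + p for p in base.split(".")[1:]]
            last_ext = exts[-1] if exts else ""
            with zf.open(info) as fh:
                head = fh.read(64)  # header bytes are enough to sniff the type
            kind = sniff_type(head)

            reasons = []
            if last_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension " + last_ext)
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS and last_ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension disguises executable as document")
            if kind == "pe" and last_ext not in EXECUTABLE_EXTENSIONS:
                reasons.append("PE (MZ) header under non-executable name")
            findings.append({"name": info.filename, "type": kind, "reasons": reasons})
    return findings


def flagged_names(zip_bytes: bytes) -> List[str]:
    """Names of entries that should block delivery or go to quarantine."""
    return [f["name"] for f in inspect_attachment(zip_bytes) if f["reasons"]]


if __name__ == "__main__":
    sample = build_sample_attachment()
    for finding in inspect_attachment(sample):
        status = "FLAG" if finding["reasons"] else "ok  "
        print(status, finding["name"], finding["type"], "; ".join(finding["reasons"]))
```

Checking the file header rather than trusting the name is the point of the exercise: Windows hides known extensions by default, so `invoice.pdf.exe` displays as `invoice.pdf`, and a renamed `.exe` keeps its MZ header whatever it is called. A real gateway would also look inside nested archives and at password-protected zips, which this example does not attempt.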