Earlier this week, the Federal Bureau of Investigation announced that an international effort had disrupted the activities of the peer-to-peer (P2P) variant of ZeuS/ZBOT known as “Gameover.” Trend Micro was one of the parties involved in this effort to disrupt the activities of this well-known online banking Trojan.
Gameover is well-known for its resilience to takedowns. This resilience comes from its peer-to-peer connection to its command-and-control (C&C) infrastructure, in contrast to other ZeuS variants (such as IceIX, Citadel and KINS) that employ centralized C&C servers.
Gameover is based on the ZeuS source code that was leaked in May 2011. However, it differs significantly from other malware families (like Citadel and KINS) that are also based on that leaked source code. Typically, a ZeuS malware sample only connects to a specific C&C server defined in its configuration file. If that server is already inaccessible, the ZBOT malware is unable to download the dynamic configuration file that contains the targeted banking URLs.
The first ZBOT variant with P2P capabilities was seen in late September 2011, and was detected as TSPY_ZBOT.SMQH. Users were lured into clicking a malicious link that pointed them to a website serving the Blackhole Exploit Kit (BHEK). BHEK was an exploit kit known for using various software vulnerabilities; at the time it was the most common exploit kit in use.
More recently, Gameover variants still propagate via spam mails, but with the help of other malware like UPATRE that download encrypted executable files to bypass firewall filters. Some of these newer variants are detected as TSPY_ZBOT.ABTE. UPATRE is a downloader family commonly seen in email attachments; it downloads other malware onto infected systems.
Based on our investigation, Gameover builders are not sold to individuals. Instead, they are privately operated, which means only one Gameover botnet is running, compared to the multiple botnets that power other ZeuS variants. Gameover has been using the same RC4 key to decrypt the downloaded configuration file since it was first discovered; this also makes Gameover resistant to takedowns, as the entire botnet can quickly share new configuration files and updated versions.
Gameover initially decrypts the static configuration file, which contains the hardcoded peers and the RC4 key used to decrypt the downloaded configuration file. Usually 20 IP addresses, each with its own port and communication key, are listed in the static configuration file.
It queries the hardcoded peers to check which are still alive so it can connect to the botnet network. Once connected to a peer, it can download an updated configuration file, an updated binary, and a fresh list of peer IPs.
If all 20 peers are dead, Gameover will still try to connect to its C&C server. To find the URL of this server, it uses a domain generation algorithm (DGA) that generates domains which change at the start of each week, making it more resilient to takedowns.
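As an added illustration (not Trend Micro's code and not Gameover's actual file format), here is how an analyst would decrypt such a static configuration blob with RC4 and pull out the hardcoded peer entries; the RC4 key, the peer values and the per-entry layout (IPv4 address, port, 20-byte peer key) are all constructed assumptions for this example.

```python
import socket
import struct

# Constructed sample values. Neither the key nor the entry layout is
# Gameover's real format; they only illustrate the analysis step.
SAMPLE_RC4_KEY = b"example-rc4-key-not-real"
PEER_ENTRY = struct.Struct(">4sH20s")  # assumed layout: ip, port, per-peer key
SAMPLE_PEERS = [
    ("192.0.2.10", 7780, bytes(range(20))),
    ("198.51.100.22", 9090, bytes(range(20, 40))),
    ("203.0.113.5", 4430, bytes(range(40, 60))),
]

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same function encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def pack_config(peers) -> bytes:
    """Build the plaintext static config from (ip, port, key) tuples."""
    return b"".join(PEER_ENTRY.pack(socket.inet_aton(ip), port, key)
                    for ip, port, key in peers)

def parse_static_config(rc4_key: bytes, blob: bytes):
    """Decrypt the static config; return hardcoded peers as (ip, port, key_hex)."""
    plain = rc4(rc4_key, blob)
    if len(plain) == 0 or len(plain) % PEER_ENTRY.size:
        raise ValueError("blob length does not match the assumed entry layout")
    peers = []
    for off in range(0, len(plain), PEER_ENTRY.size):
        raw_ip, port, key = PEER_ENTRY.unpack_from(plain, off)
        peers.append((socket.inet_ntoa(raw_ip), port, key.hex()))
    return peers

if __name__ == "__main__":
    encrypted = rc4(SAMPLE_RC4_KEY, pack_config(SAMPLE_PEERS))
    for ip, port, key_hex in parse_static_config(SAMPLE_RC4_KEY, encrypted):
        print(f"{ip}:{port} key={key_hex[:8]}...")
```

Because RC4 is symmetric, the same routine that the analyst uses to decrypt is enough to rebuild a test blob, which is how the sample above is produced.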
The disruption of Gameover also damaged another malware threat, CryptoLocker. In October 2013, we spotted a spam campaign that illustrated how ZeuS and CryptoLocker are connected. The spammed message contained a UPATRE variant that downloaded a ZeuS variant, which in turn downloaded CryptoLocker onto the system as the final payload of the infection chain.
As we’ve mentioned before, CryptoLocker is a ransomware family known for encrypting certain files and locking the system it infects. Once the system is infected, the user is asked to pay a “ransom” to regain access to their files. Some of the payment methods used include:
The latest Gameover update also contains a notorious rootkit family, NECURS. The purpose of installing NECURS is to protect the files, registry entries and processes related to the Gameover malware, which makes it harder to remove.
Trend Micro protects users from this via its Smart Protection Network that detects the malicious files and spammed messages, and blocks all related URLs.
We have created various Trend Micro tools for GOZ and CryptoLocker malware, which can be accessed by visiting the above link.