Gameover ZeuS

There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers

According to U.S.-CERT, GOZ infected machines can participate in attacks, send spam and swipe user data.

The links in the email have been replaced with those of compromised sites that will silently probe the visitor’s browser for outdated plugins that can be leveraged to install malware.

According to a 2012 research paper published by Dell SecureWorks, the Gameover Trojan is principally spread via Cutwail, one of the world’s largest and most notorious spam botnets... These junk emails typically spoof trusted brands... The email lures bearing Gameover often come in the form of an invoice, an order confirmation, or a warning about an unpaid bill.

GOZ typically infects a machine via a phishing attack and other bogus emails.

When building an executable... The subbotnet names were typically used for identifying specific campaigns for spreading. Some where dated, and others were named descriptively after the spam service used or the spam theme such as “irs”.

Some of the most commonly used commands used by attackers are: user_execute <url> ... The user_execute command was used specifically for CryptoLocker installations too

the government believes is responsible for building and distributing the ZeuS banking Trojan . Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts

GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection.

the government believes is responsible for building and distributing the ZeuS banking Trojan . Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts

The principal purpose of GOZ is to capture banking credentials from infected computers. One means by which GOZ accomplishes this is through ... attacks, in which GOZ intercepts sensitive information victims transmit from their computers.

others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging

the Defendants use GOZ to inject additional code into victims' web browsers that changes the appearance of the websites victims are viewing. For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the defendants could seamlessly inject additional form fields into the website displayed in the user's web browser that also request the user's social security number, credit card numbers, and other sensitive information.

In 2007 the first large scale attacks took place, that used the ZeuS bank attack configuration called “webinjects”... While ZeuS is a versatile malware kit... its key strength is in browser manipulation through the use of its dynamic configuration.

Some of the most commonly used commands used by attackers are: ... user_cookies_get ... Most of these commands are used... to... get a session cookie

Some of the most commonly used commands used by attackers are: ... user_certs_get ... Most of these commands are used... to... get... soft certificate files

During our research, we found a large amount of search queries which were executed on the victim systems... focused on locating “government classified” material

During our research, we found a large amount of search queries which were executed on the victim systems. The search queries consisted of a number of keywords... focused on locating “government classified” material

The principal purpose of GOZ is to capture banking credentials from infected computers. One means by which GOZ accomplishes this is through ... attacks, in which GOZ intercepts sensitive information victims transmit from their computers.

others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging

the Defendants use GOZ to inject additional code into victims' web browsers that changes the appearance of the websites victims are viewing. For example, if a GOZ-infected user were to visit a banking website that typically requests only a username and password, the defendants could seamlessly inject additional form fields into the website displayed in the user's web browser that also request the user's social security number, credit card numbers, and other sensitive information.

In 2007 the first large scale attacks took place, that used the ZeuS bank attack configuration called “webinjects”... While ZeuS is a versatile malware kit... its key strength is in browser manipulation through the use of its dynamic configuration.

The token-grabber attack in peer-to-peer ZeuS... The victim would see a normal, or almost normal, login page of their bank... During the victim being on hold, the browser would continuously poll the backend to check if new questions were available to ask the victim.

GameOver Zeus botnet, which allows cybercrooks to steal banking credentials.

Individual infected computers, or "bots," are controlled remotely through a decentralized command and control ("C&C") system in which (a) ordinary infected computers, or "peers," remain in contact with each other; (b) specially selected peers called "proxy nodes" transmit commands and other information from the Defendants to the peers; and (c) a Domain Generation Algorithm ("DGA") is used to generate a large number of Internet domain names with which the infected computers communicate at least once a week.

It uses a tiered, decentralized system of intermediary proxies and strong encryption to hide the location of servers that the botnet masters use to control the crime machine.

Apart from the peer-to-peer network, which was only the first layer, there were additional layers of proxies, which protected the real IP addresses of the backends from becoming known. Even the users of the malware would log in to the individual backends via a proxy

It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.

GOZ includes code that permits the defendants to install additional malicious software onto computers infected with GOZ. The defendants and their co-conspirators have used this capability to install Cryptolocker onto numerous computers within the GOZ botnet.

bot_bc_add vnc <ip> <port> ... Most of these commands are used... to... connect to the victim’s desktop... One specific plugin that was seen, was a VNC component before the plugin VNC was actually built into the malware itself.

a Domain Generation Algorithm ("DGA") is used to generate a large number of Internet domain names with which the infected computers communicate at least once a week.

It uses a tiered, decentralized system of intermediary proxies and strong encryption to hide the location of servers that the botnet masters use to control the crime machine.

The peers are used to propagate binary updates, to distribute configuration files, and to send stolen data to the controllers.

One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand.

Gameover Zeus, which used the collective, global power of the PCs infected with Gameover Zeus to launch crippling distributed denial-of-service (DDoS) attacks against victims and their banks shortly after they were robbed