The FBI, the UK's National Crime Agency, and a number of international law enforcement agencies have significantly disrupted two of the world’s most dangerous financial fraud operations: the Gameover Zeus botnet and the Cryptolocker ransomware network. Working with a number of private sector partners, including Symantec, the FBI has seized a large amount of infrastructure used by both threats. On the back of this operation, Symantec has released a new tool that victims can use to completely remove Gameover Zeus infections.
Gameover Zeus is responsible for millions of infections worldwide since its inception in September 2011. Attackers use it to intercept transactions during online banking sessions, defrauding customers of hundreds of financial institutions globally. In a recent update, a low level driver component was introduced to thwart removal of the Trojan. Symantec is providing a new tool to remove it, along with the additional Gameover Zeus components.
Cryptolocker is meanwhile one of the latest and most menacing forms of ransomware to appear. It works by encrypting the files on the victim’s hard drive. Unlike most malware infections, no fix has been found that can decrypt the affected data. This leaves the victim with the unfortunate choice of losing their personal files or paying their attacker.
Gameover Zeus: The advanced financial fraud Trojan
Gameover Zeus is a variant of Trojan.Zbot, often known as simply ‘Zeus’, and uses a peer-to-peer network and domain generation algorithm (DGA) for command and control. In order to disrupt Gameover Zeus, key nodes on the peer network have been disabled, along with the domains generated by the DGA.
Symantec has been monitoring this botnet since it first appeared. The botmaster has maintained a relatively steady network of hundreds of thousands of infected computers around the world.
Figure 1. Countries most affected by Gameover Zeus infections
Gameover could be considered the most advanced variant of Zeus, and unlike other variants such as the Citadel and IceX Trojans, it is not for resale. The botnet can be used to facilitate financial fraud on a large scale by hijacking thousands of victims' online banking sessions. The group behind Gameover Zeus uses it to perform these fraudulent activities in real time. Gameover Zeus is typically distributed through an email which poses as an invoice. Once an infected user visits their banking website through a compromised computer, Gameover intercepts their online session using a technique commonly known as man-in-the-browser (MITB). It can bypass two factor authentication and display fraudulent banking security messages to the user to obtain information for transaction authorization. As soon as the attackers get these details, they can modify the users’ banking transactions and steal their money.
Figure 2. Typical user experience during a fraudulent transaction attempt
Based on the sophistication of this Trojan, the team behind these attacks appears to be well established and has probably been involved in financially motivated operations which pre-date the appearance of Gameover Zeus. This Trojan evolved from the Zeus source code leak in May 2011. There was a period of rapid development which included the adoption of alternative encryption schemes, a DGA and, most significantly, peer-to-peer communication. These advancements decentralized the botnet’s command-and-control (C&C) infrastructure, allowing the botnet to maintain a large infection base and become more resilient to takedown.
In 2014, Gameover adopted a low level driver to prevent the malware from being easily uninstalled. This driver shares characteristics with a well-known threat called Backdoor.Necurs. It is unlikely that the Gameover Zeus gang developed this component themselves; they may have sourced or purchased it from a third party. This extra layer of resistance adds yet another level of complexity to removing this malware (see link to removal tool below).
Figure 3. Gameover Zeus’s P2P botnet size
Gameover Zeus has weathered at least two previous attempts to disrupt the botnet, in the spring and autumn of 2012. The Gameover Zeus group closely monitors suspicious activity to protect the existing network of compromised computers. This is a highly profitable enterprise worth protecting and the group is known to identify weaknesses within the network and rebuild when necessary. The long term success of the recent disruption to Gameover’s operations remains to be seen.
Symantec continues to monitor the Gameover network and actively provides this data to Internet service providers (ISPs) and CERTs around the world. This data is then used to help identify and notify victims in an ongoing clean-up effort of this botnet.
Cryptolocker: An effective extortion tool
Cryptolocker is one of a large number of ransomware threats, all of which attempt to extort money from the victim by locking their computer or encrypting their files. Cryptolocker is one of the most dangerous variants of ransomware in circulation, since it employs strong encryption that cannot be broken.
The threat first appeared in September 2013 and, while it still only comprises a small percentage of overall ransomware infections, it has captured public attention because victims who don’t have their files backed up are liable to lose them unless they pay the ransom.
Ransomware, including Cryptolocker, has proven to be exceptionally lucrative for attackers. Symantec research indicates that on average, 3 percent of infected users will pay the ransom. We believe that ransomware distributors have without doubt earned tens of millions of dollars over the past year.
Victims are usually infected by spam emails which use social engineering tactics to entice the recipient into opening an attached zip file.
Figure 4. Cryptolocker spam email example
If victims open the attachment, they will launch an executable file disguised to look like an invoice report or some other similar document, depending on the email theme. This executable file will download Trojan.Zbot, aka Zeus. Once infected with Zeus, the computer also downloads Trojan.Cryptolocker onto the system. Cryptolocker then contacts a command and control server (C&C), whose address is generated through a built-in domain generation algorithm (DGA). Once a C&C is found, Cryptolocker will download the public key that is used to encrypt the files on the infected computer. The linked private key, which is required for decrypting the files, remains on the C&C server.
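The infection chain above hinges on the DGA: an infected host queries generated names until one resolves to a live C&C. As an added example that is not from the original post or Symantec's tooling, the following Python applies a simple heuristic (label length, Shannon entropy, vowel ratio; the thresholds are assumptions) to constructed DNS log lines and flags clients that burst through several such names. The actual Gameover Zeus and Cryptolocker DGAs are not described on this page, so this is a generic detector, not their algorithm.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (timestamp, client IP, queried name). The names are made
# up for this example; they are not real Gameover Zeus or Cryptolocker domains.
SAMPLE_DNS_LOG = """\
2014-06-02T10:15:09 10.0.0.12 kqzvxwtrpmlbndjfhgc.ru
2014-06-02T10:15:10 10.0.0.12 uqlwpeyrzvaoktjhsdn.net
2014-06-02T10:15:11 10.0.0.12 zvtrqkwpmxnlbhjcdfg.org
2014-06-02T10:15:12 10.0.0.12 longlegitimatedomainname.com
2014-06-02T10:15:14 10.0.0.7 cdn.example.net
"""

VOWELS = set("aeiou")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not label:
        return 0.0
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)


def second_level_label(fqdn: str) -> str:
    """The label a DGA actually generates (the part just left of the TLD)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(fqdn: str, min_len=12, min_entropy=3.5, max_vowel_ratio=0.3) -> bool:
    """Heuristic: long, high-entropy, vowel-poor labels resemble DGA output.
    The thresholds are assumptions for this example, not values from the post."""
    label = second_level_label(fqdn)
    if len(label) < min_len or not re.fullmatch(r"[a-z0-9]+", label):
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_dga_clients(log_text: str, min_hits: int = 3) -> dict:
    """Map client IP -> suspicious names for clients querying several generated-looking
    domains. A DGA host cycles through candidates until one resolves to a live C&C,
    so a burst of such lookups from one client is the signal."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        _, client, name = fields
        if looks_generated(name):
            hits[client].append(name)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}
```

On real resolver logs, pair the burst count with NXDOMAIN responses: a DGA client's candidate names mostly fail to resolve, which sharpens the signal further.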
Symantec has also released a new tool that removes the component of Gameover Zeus that enables it to bypass and disable antivirus software. Visit this page to download the tool, which will allow you to remove this component and then fully remove a Gameover Zeus infection.
Gameover Zeus antivirus detections
Related component detections:
Intrusion Prevention Signatures
Symantec customers that use the Symantec.Cloud service are also protected against these threats.