Inside the GameOver Zeus takedown

How the US Department of Justice took down GameOverZeuS (GOZ), a botnet in control of up to 1 million Windows computers

By Lucas Zaichkowsky, enterprise defence architect at AccessData. Published August 18, 2014

In addition to the operation that saw GOZ taken down, Operation Tovar, the DoJ also announced that it had disrupted the use of ransomware called CryptoLocker, known for encrypting documents on infected systems to make them unreadable. The attackers confronted their victims and proceeded to extort money in exchange for file recovery. The DoJ estimates there were 234,000 infections and more than $27 million in payments in the first two months of operation.

The operators of GameOverZeuS attracted close attention from authorities due to their extensive wire fraud activity. The GameOver Zeus attackers conducted DDoS attacks to distract banks while committing wire fraud and stealing hundreds of thousands of dollars.

What is not well known is that these attacks were widespread for a long time and caused a big scare in the financial services industry. According to several inside sources I have spoken with, a significant number of banks were hit by these attacks.

Thanks to the continual flow of information shared among peer groups, such as Information Sharing & Analysis Centres (ISACs), participating organisations knew what signs to look for to avoid losses from these types of attacks.

The major difficulty in unravelling the GameOverZeuS botnet infrastructure is mapping it out. Its structured peer-to-peer (P2P) architecture allowed the attackers to control their botnet army from any infected system. Making matters even tougher, the ZeuS botnet operators made it difficult to locate all infected systems using anti-virus and next-gen anti-malware products. They distributed generic droppers via email, either by attaching a .zip file containing an executable disguised as a document, or by providing a link to web sites hosting popular exploit kits such as Blackhole. Exploit kits identify unpatched software for each visitor, then exploit those specific unpatched vulnerabilities.

However, the initial dropper would not be classified as ZeuS. It would contain only a list of hard-coded addresses for the ZeuS download. After the dropper downloads and executes ZeuS, a new variant is created on the fly for each infection and the original downloaded ZeuS.exe is deleted. This makes it difficult for anti-virus vendors to identify all compromised systems, since each infection is a unique variant requiring yet another signature.

According to a blog post by Dell SecureWorks, a successful takedown of GameOverZeuS required collaboration to simultaneously hijack DNS domains while blocking infected systems at ISPs and the sharing of information with other security organisations.

Botnets such as ZeuS are extremely common and simple to operate with no investment. ZeuS source code is already freely available on the Internet for anyone to modify and create their own variants that are undetectable by anti-virus software. Once a variant is developed, attackers launch phishing campaigns with attached files, or use exploit kits so that no email attachment has to get past attachment blocking.

A little over a month ago, I received an e-mail containing a dropper attributed to GameOverZeuS. Manual analysis uncovered that the dropper planted and executed a second-stage dropper that would in turn download a package over the Internet. It contained a special-purpose, password-stealing version of ZeuS used to harvest saved passwords from popular software such as web browsers and it also loaded up CryptoLocker.

In the comments section of a VirusTotal report for the dropper, I provided my manual analysis results. If you compare them against the automated analysis results from Malwr and Sophos, you can see that the package, with the password-stealing ZeuS, was detected by only six of 52 anti-virus engines several days after it was submitted to the anti-virus vendors.

Fast forward to today and I am afraid the detection results are not much better. Most anti-virus vendors reject the submission I sent in because it is a bundle, not actual binaries that can be executed standalone. Even more noteworthy, the automated analysis results acknowledged only one of the two domains, and not the second-stage dropper that was programmed with the ZeuS package. Knowing both domains and all the other intermediary files is key to uncovering more infected systems and blocking future infections from that attack campaign.

To illustrate a more recent example, I did a manual analysis on a fresh dropper unrelated to GameOverZeuS that arrived in my home e-mail on June 1. The automated Malwr report identified one domain the dropper downloads ZeuS from. Manual analysis uncovered all 10 domains and provided a narrative sequence of events. Again, this example highlights the need to investigate all threats thoroughly.

Why is all of this important? Missing hosts with planted backdoors and compromised credentials is the primary reason hacking intrusions are not discovered until after the major damage is done. For example, in the recent eBay intrusion, attackers used compromised employee credentials to log in and make their way to steal a database, affecting 145 million users. Undoubtedly, the hackers are cracking passwords from that dump and will use them to break into other organisations. It is also common for these attackers to sell access on the black market to those willing to pay a high premium. As seen in past database dumps, the success rate at cracking passwords is alarmingly high. By using wordlists with real-world passwords and high-rate GPU cracking, it is easy to crack all but the most complex passwords using cheap consumer hardware.

The significance of GameOverZeuS and recent high-profile attacks reinforces the necessity of having the right tools and processes to identify and understand threats, successfully remediate the incident, block future related threats, and identify the ones that still manage to slip through to the endpoints. Documenting findings as Indicators of Compromise (IoCs) and then applying them at the endpoint level, in network traffic, and by searching logfiles is how mature security teams accomplish these goals.
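The closing recommendation, applying documented IoCs to network logs and endpoint file inventories, as an added Python example that is not from the article or from AccessData. Every domain, hash, log line and file path below is a constructed placeholder, not a real GameOver Zeus indicator; the point is that both download domains and every intermediary file from the manual analysis go into the IoC set, and that matching normalises hostnames so case or a trailing dot does not hide a hit.

```python
import re

# Constructed IoC set (placeholders only): both download domains plus the
# SHA-256 of each intermediary file the analyst documented.
IOCS = {
    "domains": {"stage2-download.example", "zeus-package.example"},
    "sha256": {"a" * 64, "b" * 64},
}

# Constructed squid-style proxy log lines (hypothetical traffic).
PROXY_LOG = """\
1407600001.123 45 10.0.0.5 TCP_MISS/200 1024 GET http://cdn.stage2-download.example/inv.zip - HIER_DIRECT/203.0.113.9 application/zip
1407600002.456 12 10.0.0.7 TCP_HIT/200 2048 GET http://www.example.org/index.html - NONE/- text/html
1407600003.789 33 10.0.0.9 TCP_MISS/200 51200 GET http://ZEUS-PACKAGE.EXAMPLE./pkg.bin - HIER_DIRECT/203.0.113.10 application/octet-stream
"""

# Constructed endpoint file inventory: (host, path, sha256).
ENDPOINT_FILES = [
    ("ws-05", r"C:\Users\alice\AppData\Local\Temp\inv.zip", "a" * 64),
    ("ws-07", r"C:\Windows\System32\notepad.exe", "c" * 64),
]

HOST_RE = re.compile(r"https?://([^/\s:]+)")


def normalise_domain(host):
    """Lower-case and drop a trailing dot so FQDN form or case cannot evade a match."""
    return host.lower().rstrip(".")


def domain_matches(host, ioc_domains):
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    h = normalise_domain(host)
    for d in ioc_domains:
        if h == d or h.endswith("." + d):
            return d
    return None


def scan_proxy_log(log, iocs):
    """Return (client_ip, matched_domain) for every request to an IoC domain."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        m = HOST_RE.search(line)
        if len(fields) < 7 or not m:
            continue  # malformed or non-URL line: skip rather than crash
        matched = domain_matches(m.group(1), iocs["domains"])
        if matched:
            hits.append((fields[2], matched))
    return hits


def scan_endpoints(files, iocs):
    """Return (host, path) for every inventoried file whose hash is an IoC."""
    return [(h, p) for h, p, digest in files if digest.lower() in iocs["sha256"]]
```

The same IoC set feeds both scanners, so a host that shows up in the proxy hits but not in the file-hash hits is a lead for a variant that was regenerated on the fly after download, which is exactly the case where a hash alone would miss.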
