UAE ranks third in GameOver ZeUS hitlist
Symantec reveals tens of thousands of machines in the Emirates infected by financial malware
The UAE ranks third in a list of countries most affected by the GOZ (GameOver ZeuS) botnet, according to statistics released by Symantec Corp.
Symantec shared the breakdown of the top six nations hit by the financially motivated botnet following an FBI shutdown of the network earlier this week. Symantec and Australian Federal Police were both reportedly instrumental in the operation, but the shutdown was said to be temporary and users were warned they had two weeks to protect their computers before the GOZ command-and-control system would be restored.
The UAE accounted for 8% of reported GOZ infections worldwide. If Symantec's figures are accurate this would translate to between 40,000 and 80,000 infections in the Emirates, based on FBI estimates of 500,000 to 1m global incursions of the malware. Other countries in Symantec's top six are the US (13% of reported infections), Italy (12%), Japan (7%), UK (7%) and India (5%).
GameOver ZeUS infects by stealth and monitors a target machine for finance-related information. It is also able to take control of private online transactions and divert funds into criminals' accounts.
"What is not well known is that these attacks were widespread for a long time and caused a big scare in the financial services industry," said Lucas Zaichkowsky, enterprise defence architect at AccessData, in a report shared today with ITP.net.
"According to several inside sources I have spoken with, a significant number of banks were hit by these attacks. Thanks to the continual flow of information shared among peer groups, such as Information Sharing and Analysis Centres (ISACs), participating organisations knew what signs to look for to avoid losses from these types of attacks."
ZeUS has been around for a long time and has built a reputation as a particularly devious banking Trojan. Part of the difficulty of combating it lies in its ability to create subtly new versions of itself so that a solid signature can never be established and written into anti-virus databases.
"The major difficulty in unravelling the GameOver ZeuS botnet infrastructure is mapping it out," Zaichkowsky explained.
"Structured peer-to-peer (P2P) architecture allowed attackers to control their botnet army by accessing any infected system. Making matters even tougher, ZeuS botnet operators made it difficult to locate all infected systems using antivirus and next-gen antimalware products. They distributed generic droppers via email by attaching a zip file containing an executable, disguised as a document, or providing a link to websites hosting popular exploit kits such as Blackhole. Exploit kits identify unpatched software for each visitor, then exploit those specific unpatched vulnerabilities."
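One defensive check for the delivery pattern Zaichkowsky describes (a zip attachment whose executable is disguised as a document), as an added example that is not code from the article, Symantec or AccessData; the double-extension and MZ-header heuristics and the in-memory sample archive are constructed for illustration:

```python
import io
import zipfile

# Extensions an attachment would plausibly claim to be a "document".
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}
# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}

def _suffixes(name):
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]

def classify_entry(name, head):
    """Return the reasons an archive entry looks like a disguised executable (empty if none)."""
    reasons = []
    suffixes = _suffixes(name)
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTENSIONS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
            reasons.append("double extension: document name ending in " + last)
        else:
            reasons.append("executable extension " + last)
    # A PE file starts with the 'MZ' magic regardless of what the name claims.
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) under non-executable extension")
    return reasons

def scan_zip_bytes(data):
    """Map suspicious entry names to their reasons, reading only the first bytes of each file."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample_zip():
    """Constructed sample archive: a benign text file plus two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("invoice.pdf.exe", b"MZ\x90\x00 fake PE stub (constructed)")
        zf.writestr("statement.doc", b"MZ\x90\x00 fake PE stub renamed (constructed)")
    return buf.getvalue()

if __name__ == "__main__":
    for name, why in scan_zip_bytes(build_sample_zip()).items():
        print(name, "->", "; ".join(why))
```

The same function can be run over a real attachment by passing the raw archive bytes to `scan_zip_bytes`.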
The FBI has named Russian national Evgeniy Mikhailovich Bogachev as the mastermind behind the GOZ net, which is believed to have netted criminals hundreds of millions of dollars.
"It keeps track of balances; it automatically corrects the numbers on the balance. It's so sophisticated that it hides its tracks," said Nick Savvides, senior principal systems engineer at Symantec in Australia.
GOZ was also thought to have been responsible for distribution of Cryptolocker ransomware, which encrypts files on a target machine and demands a one-bitcoin payment for the decryption key. The encryption is so effective that it is also impossible to force-crack the encryption lock. According to a report from the UK's Daily Mail, US authorities have confirmed that at least one police force paid the ransom to retrieve locked files containing sensitive data.