[SECURITY-L] TA14-150A: GameOver Zeus P2P Malware
CSIRT - UNICAMP
security em unicamp.br
Seg Jun 2 09:12:48 -03 2014
-------- Original Message --------
Subject: TA14-150A: GameOver Zeus P2P Malware
Date: Mon, 02 Jun 2014 06:07:49 -0500
From: US-CERT <US-CERT em ncas.us-cert.gov>
Reply-To: US-CERT em ncas.us-cert.gov
To: daniela em ccuec.unicamp.br
TA14-150A: GameOver Zeus P2P Malware
NCCIC / US-CERT
National Cyber Awareness System:
TA14-150A: GameOver Zeus P2P Malware
<https://www.us-cert.gov/ncas/alerts/TA14-150A>
06/02/2014 08:15 AM EDT
Original release date: June 02, 2014
Systems Affected
* Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
* Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012
Overview
GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of
bank credential-stealing malware identified in September 2011_ ^1 ,
uses a decentralized network infrastructure of compromised personal
computers and web servers to execute command-and-control. The United
States Department of Homeland Security (DHS), in collaboration with the
Federal Bureau of Investigation (FBI) and the Department of Justice
(DOJ), is releasing this Technical Alert to provide further information
about the GameOver Zeus botnet.
Description
GOZ, which is often propagated through spam and phishing messages, is
primarily used by cybercriminals to harvest banking information, such as
login credentials, from a victim’s computer^2 . Infected systems can
also be used to engage in other malicious activities, such as sending
spam or participating in distributed denial-of-service (DDoS) attacks.
Prior variants of the Zeus malware utilized a centralized command and
control (C2) botnet infrastructure to execute commands. Centralized C2
servers are routinely tracked and blocked by the security community^1 .
GOZ, however, utilizes a P2P network of infected hosts to communicate
and distribute data, and employs encryption to evade detection. These
peers act as a massive proxy network that is used to propagate binary
updates, distribute configuration files, and to send stolen data^3 .
Without a single point of failure, the resiliency of GOZ’s P2P
infrastructure makes takedown efforts more difficult^1 .
Impact
A system infected with GOZ may be employed to send spam, participate in
DDoS attacks, and harvest users' credentials for online services,
including banking services.
Solution
Users are recommended to take the following actions to remediate GOZ
infections:
* /Use and maintain anti-virus software/ - Anti-virus software
recognizes and protects your computer against most known viruses. It
is important to keep your anti-virus software up-to-date (see
Understanding Anti-Virus Software
<http://www.us-cert.gov/ncas/tips/ST04-005> for more information).
* /Change your passwords/ - Your original passwords may have been
compromised during the infection, so you should change them (see
Choosing and Protecting Passwords
<http://www.us-cert.gov/ncas/tips/ST04-002> for more information).
* /Keep your operating system and application software up-to-date/ -
Install software patches so that attackers can't take advantage of
known problems or vulnerabilities. Many operating systems offer
automatic updates. If this option is available, you should enable it
(see Understanding Patches
<http://www.us-cert.gov/ncas/tips/ST04-006> for more information).
* /Use anti-malware tools/ - Using a legitimate program that
identifies and removes malware can help eliminate an infection.
Users can consider employing a remediation tool (examples below)
that will help with the removal of GOZ from your system.
*F-Secure*
http://www.f-secure.com/en/web/home_global/online-scanner (Windows
Vista, 7 and 8)
http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142
(Windows XP systems)
*Heimadal*
http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and
8.1)
*Microsoft *
http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows
8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
*Sophos *
http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
*Symantec *
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network_(_Windows
XP, Windows Vista and Windows 7)
*Trend Micro*
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista,
Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and
Windows Server 2008 R2)
The above are examples only and do not constitute an exhaustive list.
The U.S. Government does not endorse or support any particular product
or vendor.
References
* Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of
Gameover Zeus
<http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf>
* Malware Targets Bank Accounts
<http://www.fbi.gov/news/stories/2012/january/malware_010612/malware_010612>
* The Lifecycle of Peer-to-Peer (Gameover) ZeuS
<http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/>
Revision History
* Initial Publication
------------------------------------------------------------------------
This product is provided subject to this Notification
<http://www.us-cert.gov/privacy/notification> and this Privacy & Use
<http://www.us-cert.gov/privacy/> policy.
------------------------------------------------------------------------
OTHER RESOURCES:
Contact Us <http://www.us-cert.gov/contact-us/> | Security Publications
<http://www.us-cert.gov/security-publications> | Alerts and Tips
<http://www.us-cert.gov/ncas> | Related Resources
<http://www.us-cert.gov/related-resources>
STAY CONNECTED:
Sign up for email updates
<http://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/new>
SUBSCRIBER SERVICES:
Manage Preferences
<http://public.govdelivery.com/accounts/USDHSUSCERT/subscribers/new?preferences=true> | Unsubscribe
<https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/one_click_unsubscribe?verification=5.7c8ce4d3117305e79fd4ab8b330b9e90&destination=daniela@ccuec.unicamp.br> | Help
<https://subscriberhelp.govdelivery.com/>
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L