GameOver
Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank
credential-stealing malware identified in September 2011, [1] uses a
decentralized network infrastructure of compromised personal computers
and web servers to execute command-and-control. The United States
Department of Homeland Security (DHS), in collaboration with the Federal
Bureau of Investigation (FBI) and the Department of Justice (DOJ), is
releasing this Technical Alert to provide further information about the
GameOver Zeus botnet.
GOZ,
which is often propagated through spam and phishing messages, is
primarily used by cybercriminals to harvest banking information, such as
login credentials, from a victim’s computer. [2] Infected systems can
also be used to engage in other malicious activities, such as sending
spam or participating in distributed denial-of-service (DDoS) attacks.
Prior
variants of the Zeus malware utilized a centralized command and control
(C2) botnet infrastructure to execute commands. Centralized C2 servers
are routinely tracked and blocked by the security community. [1] GOZ,
however, utilizes a P2P network of infected hosts to communicate and
distribute data, and employs encryption to evade detection. These peers
act as a massive proxy network that is used to propagate binary updates,
distribute configuration files, and to send stolen data. [3] Without a
single point of failure, the resiliency of GOZ’s P2P infrastructure
makes takedown efforts more difficult. [1]
A
system infected with GOZ may be employed to send spam, participate in
DDoS attacks, and harvest users' credentials for online services,
including banking services.
Comments