The anatomy of the Gameover Zeus variant
Posted on 11.01.2012
The “Gameover” malware is a relatively new, "private" version of ZeuS. Support for the distributed command and control (C2) tools, integrated into the ZeuS botnet, were implemented at the request of one of the "private" clients of the ZeuS author.

Distributed C2 is a feature which was originally considered by the malware author in the ZeuS 1.4/2.0 beta program, but it was dropped from the final 2.0.x release because lack of demand among ZeuS customers in the face of significant coding and testing time. It was put back in as a feature during the recent, ongoing 2.2/3.0 beta program.

The “Gameover” version of Zeus also supports the use of complex web injections that allow the attacker to perform Man-in-the-Browser (MITB) attacks to bypass multi-factor authentication mechanisms. The ZeuS author has also rolled a Distributed Denial of Service (DDoS) component into the Gameover bundle.

Gameover has been used in this way. First, financial institutions were targeted with DDoS attacks against their online banking websites. These attacks were timed to coincide shortly after accounts at the targeted financial institution had fraud committed against them.

These DDoS attacks provide the two-fold effect of potentially distracting the financial institution from observing the fraudulent activity and preventing the customer from logging into their account and noticing the fraudulent activity.

The targeted financial accounts are typically business accounts which utilize Automated Clearing House (ACH) and wire transfer payment services. As reported, in some instances, the stolen funds were wire transfers to jewelry stores, where the criminal had made arrangements for someone to pick up merchandise in the amount of the funds wired to the store.


Don Jackson, senior security researcher with the Counter Threat Unit at Dell SecureWorks.





Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //