GMA News Online

'Gameover' malware traced to Zeus trojan

January 25, 2012 6:37pm
The "Gameover" malware that is now the subject of a warning by the US Federal Bureau of Investigation may trace its roots to the money-stealing Zeus Trojan, a security researcher has said.
PC World quoted Dell SecureWorks' counter-threat unit head Don Jackson as saying Gameover is the "latest and greatest" source code package from Zeus' maker.
"[New features] in Gameover will be rolled into the final Zeus version 3, which is in beta and will wrap up soon if it hasn't already," PC World quoted Jackson as saying.
Earlier this month, the FBI warned the public of increased action by Gameover, including rounds of spam that tried to dupe recipients into infecting their PCs with the malware.
The malware is designed to steal individuals' and companies' bank accounts.
The FBI said the malware is appropriately called "Gameover" because "once it's on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions."
It said Gameover is a newer variant of the Zeus malware, which was created several years ago and specifically targeted banking information.
Once the perpetrators access a victim's account, they conduct a distributed denial of service attack on the financial institution’s server.
"Recent investigations have shown that some of the funds stolen from bank accounts go towards the purchase of precious stones and expensive watches from high-end jewelry stores. The criminals contact these jewelry stores, tell them what they’d like to buy, and promise they will wire the money the next day. So the next day, a person involved in the money laundering aspect of the crime—called a 'money mule'—comes into the store to pick up the merchandise. After verifying that the money is in the store’s account, the jewelry is turned over to the mule, who then gives the items to the organizers of the scheme or converts them for cash and uses money transfer services to launder the funds," it said.
More dangerous
Jackson, who has been tracking Zeus and its developer for years, said Gameover posed a new and more dangerous threat because Zeus' maker created it specifically at the behest of one of his biggest clients.
"The crew using Gameover has requested a lot of changes in the Zeus functionality," said Jackson, adding that the hacker crew using Gameover has direct access to Zeus' maker because it pays him well and often for support.
He said the Zeus author now has only three or four major clients, abandoning "small fish" to focus on supporting a handful of customers who pay top dollar.
The PC World story said the additions demanded by the Gameover gang, which the Zeus developer quickly created, included a new, more distributed form of command-and-control (C&C).
Such a C&C uses peer-to-peer communication among the infected machines to distribute updates, so the botnet keeps working even if its single C&C server is discovered by authorities and taken offline.
Gameover also supports complex Web injections that allow criminals to bypass multi-factor authentication now used by many financial institutions to stymie account plundering.
The crew also asked for changes to Zeus that would let the gang rent third-party botnets that specialize in conducting distributed denial-of-service (DDoS) attacks, Jackson added.
Jackson and the FBI said the Gameover gang has launched DDoS attacks against banks and other financial institutions immediately after emptying accounts of funds.
"All these changes were negotiated with the Zeus author," said Jackson. "DDoS attacks attract a lot of attention, so it makes sense that [the Gameover crew] wants to distance themselves somewhat from them."
More aggressive attacks
If, as Jackson suspects, Gameover is a preview of the next Zeus, it may mean more aggressive attacks by other groups that pay the Zeus author to maintain the newest version and support their fix and change requests.
Most experts, including Jackson, believe these gangs operate out of Eastern Europe, primarily Russia and Ukraine. — TJD, GMA News