The anatomy of the Gameover Zeus variant
The “Gameover” malware is a relatively new, “private” version of ZeuS. Support for the distributed command and control (C2) tools, integrated into the ZeuS botnet, were implemented at the request of one of the “private” clients of the ZeuS author.
Distributed C2 is a feature which was originally considered by the malware author in the ZeuS 1.4/2.0 beta program, but it was dropped from the final 2.0.x release because lack of demand among ZeuS customers in the face of significant coding and testing time. It was put back in as a feature during the recent, ongoing 2.2/3.0 beta program.
The “Gameover” version of Zeus also supports the use of complex web injections that allow the attacker to perform Man-in-the-Browser (MITB) attacks to bypass multi-factor authentication mechanisms. The ZeuS author has also rolled a Distributed Denial of Service (DDoS) component into the Gameover bundle.
Gameover has been used in this way. First, financial institutions were targeted with DDoS attacks against their online banking websites. These attacks were timed to coincide shortly after accounts at the targeted financial institution had fraud committed against them.
These DDoS attacks provide the two-fold effect of potentially distracting the financial institution from observing the fraudulent activity and preventing the customer from logging into their account and noticing the fraudulent activity.
The targeted financial accounts are typically business accounts which utilize Automated Clearing House (ACH) and wire transfer payment services. As reported, in some instances, the stolen funds were wire transfers to jewelry stores, where the criminal had made arrangements for someone to pick up merchandise in the amount of the funds wired to the store.
Don Jackson, senior security researcher with the Counter Threat Unit at Dell SecureWorks.