Zeus-family trojan spreads by way of spam botnet


A new wave of spam campaigns is dispensing “Gameover,” the only banking trojan in the Zeus family to use peer-to-peer (P2P) communications to hide its activities.

The threat of the malware has become even more pervasive now that criminals are using Cutwail, the world's largest spam botnet, to deliver malicious emails containing Gameover. The spam is made to look like messages from top U.S. banks, researchers at Dell SecureWorks Counter Threat Unit (CTU) found, with the hopes of luring users into clicking attached PDF files.

Brett Stone-Gross, a senior security researcher, told SCMagazine.com Wednesday that the botnet consists of about 200,000 compromised PCs distributing Gameover, which has resulted in more than half a million infections.

The deceptive emails often say that they are “secure” messages from banks, and the PDF attachment even reads “securemessage.pdf.zip.” Once users download the attachment, a downloader called “Pony” is executed, which installs Gameover. The trojan was discovered in October 2011, likely related to the leak of Zeus source code five months earlier.
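For mail-gateway defenders, the lure described above (a document-looking name that ends in an archive extension, such as “securemessage.pdf.zip”) can be flagged before delivery. The following is an added example, not code from the article or from Dell SecureWorks; the extension lists, the sample message and the name of the file inside the archive are constructed assumptions, since the article does not say what the archive contains.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}   # assumed list
EXEC_EXTS = {"exe", "scr", "com", "pif", "js"}            # assumed list
CONTAINER_EXTS = {"zip"} | EXEC_EXTS

def is_double_extension(filename):
    """True for names like 'x.pdf.zip': a document extension that is
    immediately followed by an archive or executable extension."""
    parts = filename.lower().rstrip(". ").split(".")
    return (len(parts) >= 3 and parts[-1] in CONTAINER_EXTS
            and parts[-2] in DOC_EXTS)

def executable_members(data):
    """Names inside a zip payload whose final extension is executable.
    Only the archive's file listing is read; nothing is extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist()
                    if n.lower().rsplit(".", 1)[-1] in EXEC_EXTS]
    except zipfile.BadZipFile:
        return []

def scan_message(raw_bytes):
    """Return (rule, name) findings for every attachment of a raw email."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_double_extension(name):
            findings.append(("double-extension", name))
        payload = part.get_payload(decode=True) or b""
        findings += [("executable-in-archive", m)
                     for m in executable_members(payload)]
    return findings

def build_sample():
    """Constructed test message; the inner file is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("securemessage.pdf.exe", b"placeholder, not a program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "alerts@bank.example", "user@corp.example"
    msg["Subject"] = "You have received a secure message"
    msg.set_content("Please open the attached secure message.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="securemessage.pdf.zip")
    return msg.as_bytes()
```
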

In addition to the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, Gameover is especially insidious because a complementary capability allows it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

“The interesting thing that we've seen with this group [of attackers] is they've used DDoS attacks against financial institutions to distract them from Zeus attacks,” Stone-Gross said.

The botnet's P2P communications make it particularly hard to shut down, he added.

“What makes this unique and very different from a centralized botnet is there is no central point of communication that can be targeted by law enforcement,” Stone-Gross said. “In a peer-to-peer network, infected systems constantly communicate with each other instead of the [command-and-control] server and exchange binary files, configuration files and send stolen data to [designated] peers.”

In January, the FBI warned users of Gameover attackers who spread the trojan through phishing scams that claimed to be correspondence from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank and the Federal Deposit Insurance Corp. (FDIC).
