Zeus-family trojan spreads by way of spam botnet


A new wave of spam campaigns is dispensing “Gameover,” the only banking trojan in the Zeus family to use peer-to-peer (P2P) communications to hide its activities.

The threat of the malware has become even more pervasive now that criminals are using Cutwail, the world's largest spam botnet, to deliver malicious emails containing Gameover. The spam is made to look like messages from top U.S. banks, researchers at Dell SecureWorks Counter Threat Unit (CTU) found, with the hopes of luring users into clicking attached PDF files.

Brett Stone-Gross, a senior security researcher, told SCMagazine.com Wednesday that the botnet consists of about 200,000 compromised PCs distributing Gameover, which has resulted in more than half a million infections.

The deceptive emails often claim to be “secure” messages from banks, and the attachment is even named “securemessage.pdf.zip.” Once users download the attachment, a downloader called “Pony” is executed, which installs Gameover. The trojan was discovered in October 2011, and its emergence is likely related to the leak of the Zeus source code five months earlier.
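The lure described above combines a “secure message” pretext with a double-extension archive name. The following mail-gateway style check is an added example, not code from the article or from Dell SecureWorks; the attachment it inspects is a constructed ZIP holding a harmless placeholder file, and the extension lists and lure phrases are assumptions chosen to match this campaign.

```python
import io
import zipfile

# Constructed sample modelled on the lure: an archive named like a PDF that
# actually carries an executable. The payload bytes are an inert stub, not malware.
SAMPLE_ATTACHMENT_NAME = "securemessage.pdf.zip"
SAMPLE_SUBJECT = "Secure message from your bank"

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("securemessage.pdf.exe", b"MZ" + b"\x00" * 62)  # fake PE header
    return buf.getvalue()

# Assumed policy lists; tune to the environment.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
LURE_PHRASES = ("secure message", "securemessage", "secure email")

def double_extension(name: str):
    """Return (decoy, real) for names such as foo.pdf.exe, otherwise None."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return None
    decoy, real = "." + parts[-2], "." + parts[-1]
    return (decoy, real) if decoy in DOCUMENT_EXTS and real not in DOCUMENT_EXTS else None

def inspect_attachment(filename: str, data: bytes, subject: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    lowered = filename.lower()
    if double_extension(filename):
        findings.append("attachment name masquerades as a document: " + filename)
    if any(p in subject.lower() or p in lowered for p in LURE_PHRASES):
        findings.append("'secure message' lure wording")
    if lowered.endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner = info.filename
                    ext = "." + inner.lower().rsplit(".", 1)[-1]
                    if ext in EXECUTABLE_EXTS or double_extension(inner):
                        findings.append("archive contains executable: " + inner)
                    if zf.read(info)[:2] == b"MZ":
                        findings.append("PE header inside archive: " + inner)
        except zipfile.BadZipFile:
            findings.append("attachment claims .zip but is not a valid archive")
    return findings
```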

In addition to the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, Gameover is especially insidious because a complementary capability allows it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

“The interesting thing that we've seen with this group [of attackers] is they've used DDoS attacks against financial institutions to distract them from Zeus attacks,” Stone-Gross said.

The botnet's P2P communications make it particularly hard to shut down, he added.

“What makes this unique and very different from a centralized botnet is there is no central point of communication that can be targeted by law enforcement,” Stone-Gross said. “In a peer-to-peer network, infected systems constantly communicate with each other instead of the [command-and-control] server and exchange binary files, configuration files and send stolen data to [designated] peers.”

In January, the FBI warned users of Gameover attackers who spread the trojan through phishing scams that claimed to be correspondence from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank and the Federal Deposit Insurance Corp. (FDIC).
