Zeus-family trojan spreads by way of spam botnet


A new wave of spam campaigns is dispensing “Gameover,” the only banking trojan in the Zeus family to use peer-to-peer (P2P) communications to hide its activities.

The threat of the malware has become even more pervasive now that criminals are using Cutwail, the world's largest spam botnet, to deliver malicious emails containing Gameover. The spam is made to look like messages from top U.S. banks, researchers at Dell SecureWorks Counter Threat Unit (CTU) found, in the hope of luring users into clicking attached PDF files.

Brett Stone-Gross, a senior security researcher, told Wednesday that the botnet consists of about 200,000 compromised PCs distributing Gameover, which has resulted in more than half a million infections.

The deceptive emails often say that they are “secure” messages from banks, and the PDF attachment even reads “” Once users download the attachment, a downloader called “Pony” is executed, which installs Gameover. The trojan was discovered in October 2011, likely related to the leak of Zeus source code five months earlier.

In addition to the standard malicious capabilities of Zeus trojans, like logging victims' keystrokes to steal banking credentials, Gameover is especially insidious because a complementary capability allows it to launch distributed denial-of-service (DDoS) attacks against financial institutions.

“The interesting thing that we've seen with this group [of attackers] is they've used DDoS attacks against financial institutions to distract them from Zeus attacks,” Stone-Gross said.

The botnet's P2P communications make it particularly hard to shut down, he added.

“What makes this unique and very different from a centralized botnet is there is no central point of communication that can be targeted by law enforcement,” Stone-Gross said. “In a peer-to-peer network, infected systems constantly communicate with each other instead of the [command-and-control] server and exchange binary files, configuration files and send stolen data to [designated] peers.”

In January, the FBI warned users of Gameover attackers who spread the trojan through phishing scams that claimed to be correspondence from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank and the Federal Deposit Insurance Corp. (FDIC).
