Detecting And Mitigating GameOver ZeuS (GOZ)

Published on 2014-06-02 15:20:00 UTC by GovCERT.ch (permalink)
Last updated on 2014-06-02 15:29:06 UTC

Today, the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) announced the takedown of two botnets: GameOver ZeuS (GOZ) and CryptoLocker. Both botnets have been around since quite a while and were also present in Switzerland, infecting computers in order to commit ebanking fraud or to blackmail Swiss citizens. GovCERT.ch has been aware of GameOver ZeuS (which is also known as P2P ZeuS) for years and has already taken measures against this threat together with Swiss Internet service providers since July 2013.

One of the easiest ways to detect the presence of GOZ in your network is by using an Intrusion Detection or Prevention System (IDS/IPS). There are many commercial and non-commercial IDS/IPS products around. Two of the most widely used IDS/IPS are Snort and Suricata, which are both open source. Further more Snort/Suricata rules can be easily imported into commercial IDS/IPs products. One of the largest set of Snort/Suricata rules is provided by Emerging Threats (ET), but you can of course write your own rules as well.

ET provides several rules which are aimed to detect GOZ flows in your network stream. If you are already running either Snort or Suricata, or you are planing to do so, you might want to take a look at the following ET rules:

Rule ID (sid)Description
2013739ET TROJAN Zeus P2P CnC
2018296ET TROJAN Zeus GameOver Checkin
2018242ET TROJAN Possible Zeus GameOver Connectivity Check
2018316ET CURRENT_EVENTS Zeus GameOver Possible DGA NXDOMAIN Responses

Another possibility to detect GOZ botnet C&C traffic is to check the log files of your outgoing firewall. In order to communicate with the botnet operator, GOZ infected computers are using a sophisticated P2P mechanism. An infected computer will communicate with other GOZ infected computers in the internet using TCP and UDP high ports (1024 and higher). Hence if you have a computer in your network that is infected with GOZ, you will likely see a high amount of TCP and UDP drops to different IPs in the internet on high ports on your outgoing firewall.

Once you identified an infected computer, you should re-install the operating system. GOZ usually comes with an additional piece of malware to the victims computer, e.g. with the Necerus Rootkit. So even if you scan the affected computer with an up to date anti-virus software, you will never be sure if your anti virus was able to catch everything.

In case that you are not able to re-install the operating system, we have written a malware removal guide for you which is available in different languages:

Instructions for removing malware (English)
http://www.melani.admin.ch/malware-removal

Anleitung zur Entfernung von Schadsoftware (English)
http://www.melani.admin.ch/schadsoftware-entfernung

Instructions relatives à la suppression des maliciels (French)
http://www.melani.admin.ch/suppression-des-maliciels

Guida per l’eliminazione di software nocivi (Italian)
http://www.melani.admin.ch/eliminazione-di-malware

To summarize:

  • Ensure that you are using a restrictive outgoing firewall policy (default: deny all)
  • Use an IDS/IPS or analyse your outgoing firewall log files to identify GOZ infected computers in your network
  • Re-install the operating systems of infected computers and/or use a removal tool (see above)
  • As a preventive measure, you might want to use a DNS firewall (known as Response Policy Zone - RPZ) to block the DNS resolution of hostile domain names
Share on Twitter Share on Facebook

Back to top