Attacks/Breaches
12/4/2012
05:05 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Gameover Zeus' Gang Launches New Attacks

Campaign includes rigged emails spoofing major U.S. banks and offering 'secure email' exchange with banking customers

The cybercrime group behind the Gameover Zeus Trojan that steals online banking creds and credit card numbers is waging a massive malicious email campaign that enlists the massive Cutwail spamming botnet to blast its emails.

Millions of emails -- many of which pose as coming from major U.S. banks -- have been spammed out in recent weeks, according to Dell SecureWorks' Counter Threat Unit. The phony but convincing-looking emails appeal to a more security-minded banking customer: "You have received a new encrypted message or a secure message from [XYZ] Bank," one of the email campaigns says, noting that the bank has set up a secure email exchange for its customers as a way to allay privacy and security concerns.

The message includes an infected attachment that the "bank" requires for download and registration to the supposed secure email system. Once downloaded, it executes the pony downloader Trojan that installs Gameover and steals online banking credentials, credit card account numbers, and other information.

Another email campaign claims the recipient has received a fax, scan, or voicemail, and includes a "free program" for retrieving the message -- but, of course, the attachment installs the malware.

The Gameover gang, unlike some cybercrime groups, doesn't lease or sell its malware or services. It's a closed operation that, instead, sometimes contracts resources such as the Cutwail botnet to transport its attacks. More than half of the Top 20 Fortune 500 firms were infected with the Trojan as of this summer, according to SecureWorks, which in July published a report on Gameover

"This particular group has found a combination of malware, tactics, and procedures that leads to success for them. They will continue to follow the same process [of working this way]," says Jon Ramsey, CTO of Dell SecureWorks. "The malware they use is a private version of theirs, and they don't sell it on the black market. They feel there's more of an upside financially in keeping it private."

Ramsey says the gang has had plenty of success creating large botnets for both sending more malicious spam and conducting distributed denial-of-service attacks. They're using a dual-botnet sort of model with Cutwail transporting the spam, and subsequently infected Gameover bots spreading their infections and doing the Gameover botnet operators' bidding.

About 678,205 machines were infected with Gameover Zeus in August, according to SecureWorks, and it's the biggest botnet targeting financial institutions today. Fourteen of the 20 top Fortune 500 firms are infected, including financial services firms, defense contractors, government agencies, law enforcement, military, and universities.

The peer-to-peer Gameover botnet was structured to deter disruption and to make attribution more difficult. Even so, peer-to-peer botnets are easier to "poison" by using phony peers that allow researchers to sinkhole traffic, according to Brett Stone-Gross, who has closely studied Gameover.

"The P2P ZeuS crew receives considerable support from the products and services offered by the underground community, who collectively fulfill vital functions to plan and execute a large successful cybercriminal operation. Moreover, the large number of compromised personal computers and web servers provide a robust and low cost infrastructure for a variety of malicious activities," Stone-Gross wrote in his report.

[Trade-offs are a fact of life for network defenders, but attackers have to abide them as well. See The Attacker's Trade-Off: Stealth Versus Resilience.]

Cutwail, one of the world's largest botnets, to date contains around 500,000 or so bots, according to SecureWorks data.

Researchers at LookingGlass Cyber Solutions say the top 10 countries infected by the Cutwail botnet, in order, are: India, Iran, China, Vietnam, Ukraine, Kazakhstan, Belarus, the U.S., South Korea, and Brazil.

"We saw 43,332 unique hosts infected with Cutwail on December 3, 2012," says Jason Lewis, chief scientist with LookingGlass. Overall, the researchers saw some 203,117 bots sending spam -- from botnets including Cutwail, Asprox, Festi, and Kelihos.

"About 3,000 hosts had multiple infections," Lewis says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DarkReadingTim
50%
50%
DarkReadingTim,
User Rank: Strategist
12/5/2012 | 2:39:04 PM
re: 'Gameover Zeus' Gang Launches New Attacks
Attacks on banks continue to be a favorite for cybercriminals. I'll be posting a story on a new attack on European banks later today.-á
-- Tim Wilson, editor, Dark Reading
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.