7/31/2012 07:28 PM

More Than Half Of Top 20 Fortune 500 Firms Infected With 'Gameover' Zeus Botnet

Financial botnet has amassed some 680,000 bots

The Gameover Zeus botnet is now the biggest financial fraud botnet around, and it's run by a single cybercrime group out of Eastern Europe, according to new research.

Brett Stone-Gross, senior security researcher with Dell Secureworks, has been closely monitoring the botnet since late April, with his team "crawling" the peer-to-peer botnet to determine its size and scope, and counted some 678,205 infected bots. He published his overall findings on the inner workings of the botnet last week during Black Hat USA.

"There's one group behind it," Stone-Gross says. "And it's the largest financial botnet out there."

The key to its success, he says, is that the group has a "huge number" of compromised servers at its disposal, and that it rents the Cutwail spam botnet to deliver its initial payload via phishing emails impersonating legitimate companies, including cellular phone companies, retailers, social networking sites, and financial institutions. "They take a legitimate email and replace a link inside it" so that it sends the victim to one of their compromised websites, he says.

The victims who fall for the email ruses -- invoices, order confirmations, or warnings about unpaid bills -- become part of the peer-to-peer Zeus-based Gameover botnet. "If you click the link, you see the fake loading page, which loads JavaScript from three different compromised sites," Stone-Gross says.
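The lure technique Stone-Gross describes, a genuine-looking message in which one link has been swapped for a compromised site, can be caught with a consistency check on the message body rather than a blocklist. The Python script below is an added example, not code from the article or from Dell Secureworks; the sample HTML, the hostnames (all in reserved documentation domains) and the claimed sender domain are constructed. It flags anchors whose visible text shows one domain while the href points at another (the swapped link), and anchors that lead outside the purported sender's domain at all.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: the last two labels of the hostname. Adequate for
    the demo; production code should use the Public Suffix List, since this
    treats e.g. 'co.uk' as a registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


# Something that looks like a URL or bare hostname inside the anchor text.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def suspicious_links(html, claimed_sender_domain):
    """Return (visible_text, href, reason) for every link that is inconsistent
    with the message it sits in."""
    collector = _LinkCollector()
    collector.feed(html)
    sender = registrable_domain(claimed_sender_domain)
    findings = []
    for href, text in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = _DOMAIN_IN_TEXT.search(text)
        if shown and registrable_domain(shown.group(1)) != target:
            # The classic swap: the text still shows the brand's URL,
            # the href goes somewhere else.
            findings.append((text, href, "visible domain differs from href host"))
        elif target != sender:
            findings.append((text, href, "href host outside sender domain"))
    return findings


# Constructed sample: an order-confirmation lure claiming to come from
# example-bank.com; hostnames use reserved documentation domains.
SAMPLE_EMAIL = """
<html><body>
<p>Your order #4471 has shipped. Thank you for shopping with us.</p>
<p><a href="http://www.example-bank.com/orders">http://www.example-bank.com/orders</a></p>
<p>Invoice: <a href="http://blog.compromised-host.example.net/wp-content/l.php">www.example-bank.com/invoice</a></p>
<p><a href="http://www.example-bank.com/unsubscribe">Unsubscribe</a></p>
<p><a href="http://cdn.tracker.example.org/open?id=4471">View order status</a></p>
</body></html>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_EMAIL, "example-bank.com"):
        print(f"[{reason}] text={text!r} href={href}")
```

The second rule will also fire on legitimate third-party tracking or CDN links, so in practice it feeds a review queue or a per-sender allowlist rather than a hard block; the first rule (displayed domain not matching the link target) is the high-confidence signal for the link-replacement trick described above.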

Stone-Gross and his team observed some 1.5 million unique IP addresses associated with Gameover infections, a figure well above the bot count because a single infected machine is seen on many addresses over time as its IP changes. The U.S. (150,204 bots), Germany (48,853 bots), and Italy (34,361 bots) suffered the most infections. Infections have hit not only the Fortune 500, but also universities, hospitals, financial institutions, defense contractors, government agencies, and law enforcement.

Recent data from LookingGlass Cyber Solutions indicated that 18 of the 24 largest banks in the world showed signs of compromise by well-known threats, including Gameover Zeus, DNS Changer, the BlackHole exploit kit, and fake antivirus.

Dell Secureworks' Stone-Gross says Gameover is all about stealing victims' online credentials and other personal information. Once a machine is infected and the victim visits a site such as an online retailer's, the malware injects extra fields into the legitimate page (the Zeus "web inject" technique), prompting for information such as Social Security number, mother's maiden name, credit-card number, and date of birth, details the genuine site would not normally request at that point.

"They also track their success of infection, such as which exploits worked," Stone-Gross says.

Gameover's operators also use the DirtJumper DDoS tool against financial institutions while they steal customers' funds, hampering the bank's ability to notice and reverse the fraudulent transfers. The infection is staged through a downloader called Pony Loader, which fetches the peer-to-peer variant of Zeus and itself steals stored HTTP, FTP, and email credentials from the victim's machine.

"What's interesting about Gameover is that it's a P2P network, and the robustness of the network itself. Each malware sample includes a hard-coded peers list, and the bot tries to reach out to them and request information, configuration files, version information, and binary updates," Stone-Gross says. The architecture has its own failover mechanism, he says.
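Crawling a peer-to-peer botnet the way the Dell Secureworks team did is, at its core, a breadth-first walk: start from the hard-coded peer list shipped in a sample, ask each reachable peer for its own peer list, and continue until no new peers appear. The Python below is an added example, not Dell Secureworks' crawler; the overlay is a constructed ten-node simulation, the `query_peer` function stands in for the real request/response and models none of its wire format, and the bot identifiers, addresses and seed list are made up. It deduplicates by bot identifier rather than by IP address, which is also why the unique-IP figure reported earlier is so much larger than the bot count, and it shows the blind spot every such crawl has: bots known only to peers that are offline are never discovered.

```python
from collections import deque

# Constructed, simulated ten-node overlay; not real botnet data. Each bot has a
# stable identifier (real Gameover bots carry a long random ID; short labels
# here), an alive flag, and the peer list it serves: peer ids together with the
# address *this* bot last saw them on, so stale and duplicate addresses occur
# naturally, as they do in a live P2P network.
SIMULATED_BOTS = {
    "b01": {"alive": True,  "peers": [("b02", "203.0.113.5"), ("b03", "192.0.2.33"),
                                      ("b09", "192.0.2.120")]},
    "b02": {"alive": True,  "peers": [("b01", "198.51.100.10"), ("b04", "203.0.113.90")]},
    "b03": {"alive": False, "peers": [("b05", "198.51.100.200")]},   # offline
    "b04": {"alive": True,  "peers": [("b05", "198.51.100.200"), ("b06", "192.0.2.8")]},
    "b05": {"alive": True,  "peers": [("b01", "198.51.100.77"),     # b01 on a newer address
                                      ("b07", "203.0.113.140")]},
    "b06": {"alive": True,  "peers": []},
    "b07": {"alive": True,  "peers": [("b02", "203.0.113.5"), ("b08", "198.51.100.9")]},
    "b08": {"alive": True,  "peers": [("b07", "203.0.113.141")]},    # b07 on a second address
    "b09": {"alive": False, "peers": [("b10", "203.0.113.200")]},   # offline; only path to b10
    "b10": {"alive": True,  "peers": [("b01", "198.51.100.10")]},
}

# The seed list a sample would ship with (hypothetical values).
HARDCODED_SEEDS = [("b01", "198.51.100.10"), ("b03", "192.0.2.34")]


def query_peer(bot_id, address):
    """Stand-in for the 'send me your peer list' request. Returns the peer
    entries the bot serves, or None when the bot does not answer."""
    bot = SIMULATED_BOTS.get(bot_id)
    if bot is None or not bot["alive"]:
        return None
    return list(bot["peers"])


def crawl(seeds, query=query_peer):
    """Breadth-first enumeration of the overlay starting from the seed list.

    Bots are deduplicated by identifier, not by address: the same bot is
    routinely advertised on several addresses as it changes IP over time.
    """
    queue = deque(seeds)
    contacted = set()          # ids we have already queried (alive or not)
    dead = set()
    addresses = {addr for _, addr in seeds}
    while queue:
        bot_id, addr = queue.popleft()
        if bot_id in contacted:
            continue
        contacted.add(bot_id)
        peers = query(bot_id, addr)
        if peers is None:
            dead.add(bot_id)
            continue
        for peer_id, peer_addr in peers:
            addresses.add(peer_addr)
            if peer_id not in contacted:
                queue.append((peer_id, peer_addr))
    return {
        "live_bots": contacted - dead,
        "dead_peers": dead,
        "unique_ips": addresses,
    }


if __name__ == "__main__":
    result = crawl(HARDCODED_SEEDS)
    print(f"live bots reached : {len(result['live_bots'])}")
    print(f"unreachable peers : {len(result['dead_peers'])}")
    print(f"unique addresses  : {len(result['unique_ips'])}")
    undiscovered = set(SIMULATED_BOTS) - result["live_bots"] - result["dead_peers"]
    print(f"never discovered  : {sorted(undiscovered)}")
```

On this simulated overlay the crawl reaches seven live bots but collects twelve distinct addresses, and never learns of `b10`, whose only referrer is offline. A real crawl repeats the walk over days and merges by bot ID, both to pick up bots that were behind dead peers on earlier passes and to keep address churn from inflating the count.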

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...