This week, a ring of cybercriminals responsible for the GameOver Zeus botnet was shut down following an international police effort. Behind this malware was an organized group responsible for stealing data and money from millions of users.
This malware has been around for several years and is known and blocked by Avira. The latest version was somewhat harder to detect because of its encryption, and since March it has been bundled with the Necurs rootkit.
How it works
Victims are often infected via their mailbox: they receive spam (for instance a fake invoice, a voice message, or a job offer) with an attached file. If the file, which looks like a regular document, is opened, the machine is infected with the GameOver Zeus malware.
GameOver Zeus is a P2P (peer-to-peer) variant of the Zbot (Zeus) family, which steals online banking credentials. It is also used for other malicious activities such as spamming, spreading other malware, or launching distributed denial of service (DDoS) attacks. GameOver Zeus is estimated to have infected 1 million users around the world and has induced over tin losses.
One example of malware it spreads was CryptoLocker, a form of ransomware. Unlike typical ransomware, which usually locks the PC and asks for money to unlock it, this malware encrypts the files on the hard drive (e.g., photos or documents). Access to these files is blocked until the user pays a ransom to decrypt them. An estimated 250,000 computers have been infected and over 25 million dollars were paid to remove CryptoLocker.
Here are some of the decrypted strings from GameOver Zbot related to data theft:
0x65: “Google Talk”
0x6A: “From: %s – To: %s”
0x83: “Macromedia\Flash Player”
0x86: “Windows Address Book”
0x89: “Windows Contacts”
0x8D: “Windows Mail Recipients”
0x8E: “Outlook Express Recipients”
0x92: “Software\Microsoft\Windows Live Mail”
0x94: “Salt”
0x96: “Windows Mail”
0x97: “Windows Live Mail”
0x9B: “%sAccount name: %s”
0x9C: “%s: Server: %s:%u%s – Username: %s – Password: %s”
0xA5: “ (SSL)”
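As an added example, not code from the original post or from Avira: a small triage routine that scans a memory dump or an unpacked sample for the decrypted strings listed above, in both UTF-8 and UTF-16LE (Windows binaries frequently store strings as wide characters), and flags the buffer once several distinct table entries are present. The SAMPLE buffer is constructed, and the min_distinct threshold and the string table subset are assumptions.

```python
import re

# Index -> decrypted string, copied from the table above ("Salt" and " (SSL)"
# are left out as too short and generic to be useful on their own).
GOZ_STRINGS = {
    0x65: "Google Talk",
    0x6A: "From: %s \u2013 To: %s",
    0x83: "Macromedia\\Flash Player",
    0x86: "Windows Address Book",
    0x89: "Windows Contacts",
    0x8D: "Windows Mail Recipients",
    0x8E: "Outlook Express Recipients",
    0x92: "Software\\Microsoft\\Windows Live Mail",
    0x96: "Windows Mail",
    0x97: "Windows Live Mail",
    0x9B: "%sAccount name: %s",
    0x9C: "%s: Server: %s:%u%s \u2013 Username: %s \u2013 Password: %s",
}


def scan_for_goz_strings(data, min_distinct=3):
    """Search data for every table string in UTF-8 and UTF-16LE.

    Returns (hits, flagged): hits is a list of (index, encoding, offset)
    sorted by offset; flagged is True when at least min_distinct different
    table indices were found (threshold is an assumed triage heuristic)."""
    spans = []
    for idx, text in GOZ_STRINGS.items():
        for enc in ("utf-8", "utf-16le"):
            needle = re.escape(text.encode(enc))
            for m in re.finditer(needle, data):
                spans.append((m.start(), m.end(), idx, enc))
    # Drop matches nested inside a longer match (e.g. "Windows Mail" inside
    # "Windows Mail Recipients") so each region is attributed only once.
    hits = [(idx, enc, start) for start, end, idx, enc in spans
            if not any(s2 <= start and end <= e2 and (s2, e2) != (start, end)
                       for s2, e2, _, _ in spans)]
    hits.sort(key=lambda h: h[2])
    distinct = {idx for idx, _, _ in hits}
    return hits, len(distinct) >= min_distinct


# Constructed sample buffer: two ASCII strings, one UTF-16LE string, padding.
SAMPLE = (
    b"\x00" * 16
    + b"Windows Mail Recipients\x00"
    + b"Outlook Express Recipients\x00"
    + "Software\\Microsoft\\Windows Live Mail".encode("utf-16le") + b"\x00\x00"
    + b"unrelated text"
)
```

Run it over a dump with `scan_for_goz_strings(open(path, "rb").read())`; the offsets let you jump to the decrypted string table in a hex editor.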
How can you protect yourself?
- Keep all OS and applications updated: updates are vital for patching vulnerabilities and other known issues that the OS or app might have.
- Change passwords regularly
- Be safe online with antivirus software: http://www.avira.com/en/avira-free-antivirus
- Keep Avira Antivirus updated with the latest signatures and run periodical scans.
What to do in case of infection?
We strongly recommend running a system scan using the Avira Rescue System, which prevents the malware from interfering with the scan results.
Here are some additional steps you can take in case your computer has a malware infection.
The most important thing: Never, ever pay the ransom!
Unfortunately, it is not possible to decrypt the files that the malware encrypted on your own: the asymmetric cryptography it uses makes this practically impossible. The only way to get your files back is to restore them from a backup.
Mikel Echevarria Lizarraga