User Alert: Gameover Zeus Botnet Taken Over but Danger has not Passed

17 Jun 2014

Kaspersky Lab’s analysts have stated that, although the operation of the Gameover Zeus botnet has been disrupted, it is too early to celebrate complete victory. Gameover Zeus was one of the largest operating botnets based on the code of the banking Trojan Zeus. In addition to infecting computers with Zeus Trojan in order to steal login credentials for online e-mail accounts, social networks, online banking and other online financial services, the botnet also distributed Cryptolocker — malware that is used to encrypt data and then issue a ransom demand. Gameover Zeus botnet was based on a decentralized network infrastructure made up of compromised computers and servers. It used a P2P network to communicate with, and receive commands from, the operator of the botnet, and a domain generation algorithm to create domain names that were used as rendezvous points in case of a failure of the P2P process. The police operation, “Operation Tovar”, merely disrupted both methods of communication, so that the cybercriminals behind the botnet could no longer control it. However, the owner of the Zeus botnet is still hiding, and may well be preparing an alternative way of communicating with the compromised bots.

Firstly, there are still up to a million computers infected with the Zeus botnet and Cryprolocker on the Internet. Until the malware has been cleaned from these computers, the possibility of a revival of the botnet remains very high. Secondly, Gameover was only one method of distributing Cryptolocker and cybercriminals have other means to spread it, for example as an e-mail attachment. Cryptolocker’s file encryption algorithm cannot be deciphered without paying the ransom, so nothing can help victims that have already suffered from this malware, unless they already had a backup of their data. All claims of the possibility to “fix” data that has been encrypted by Cryptolocker are nothing more than a fake. At best, this is an attempt to sell an inoperable solution, at worst — it’s an additional malware distribution method.


Kaspersky Lab products detect all malware that has been mentioned above: Trojan-Spy.Win32.Zbot (GameOver Zeus) and Ransom.Win32.Cryptolocker or Trojan-Ransom.Win32.Blocker (Cryptolocker).

Kaspersky Internet Security and Kaspersky PURE products are also equipped with Safe Money – an additional protection layer capable of blocking ‘man in the browser’ attacks of the type often used by malware like Zeus to steal banking credentials.

In addition to protecting computers with a quality security product, it is also advisable to make regular backups of sensitive and valuable information. If you have a backup – even if that just means you manually drag-and-drop files onto a USB drive that you trust – then you can avoid stressful situations that threaten to wipe your data.


Gameover Zeus malware can be removed with the use of TDSSKiller tool, created by Kaspersky Lab almost six months ago.