User Alert: Gameover Zeus Botnet Taken Over but Danger has not Passed
Kaspersky Lab’s analysts have stated that, although the operation of the Gameover Zeus botnet has been disrupted, it is too early to celebrate complete victory. Gameover Zeus was one of the largest operating botnets based on the code of the banking Trojan Zeus. In addition to infecting computers with the Zeus Trojan in order to steal login credentials for online e-mail accounts, social networks, online banking and other online financial services, the botnet also distributed Cryptolocker, malware that encrypts data and then issues a ransom demand. The Gameover Zeus botnet was based on a decentralized network infrastructure made up of compromised computers and servers. It used a P2P network to communicate with, and receive commands from, the operator of the botnet, and a domain generation algorithm (DGA) to create domain names that were used as rendezvous points in case the P2P channel failed. The police operation, “Operation Tovar”, merely disrupted both methods of communication, so that the cybercriminals behind the botnet could no longer control it. However, the owner of the Zeus botnet is still hiding, and may well be preparing an alternative way of communicating with the compromised bots.
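The DGA fallback described above is what defenders usually hunt for in DNS telemetry: infected hosts query long, high-entropy, vowel-poor names that no human registered. The following Python is an added example, not Kaspersky Lab tooling and not the real Gameover Zeus algorithm; it scores the registrable label of each queried name with simple lexical heuristics and then counts hits per client. The log format ("<timestamp> <client-ip> <query-name>"), the sample lines, the thresholds in dga_score and the treatment of the second-to-last label as the registrable one (no public suffix list) are all assumptions for illustration.

```python
"""Heuristic triage of DGA-looking domains in DNS query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

VOWELS = set("aeiou")

# Constructed sample log, hypothetical "<timestamp> <client-ip> <query-name>" format.
SAMPLE_DNS_LOG = """\
2014-06-03T10:00:01Z 10.0.0.7  www.example.com
2014-06-03T10:00:02Z 10.0.0.7  internationalbusiness.com
2014-06-03T10:00:03Z 10.0.0.12 mail.example.com
2014-06-03T10:00:04Z 10.0.0.12 xkqprztmwvbnlhgf.com
2014-06-03T10:00:05Z 10.0.0.12 wtkbozvxqfmheclpdgra.biz
2014-06-03T10:00:06Z 10.0.0.7  www.google.com
2014-06-03T10:00:07Z 10.0.0.12 jfhtrkwqzxpvl.org
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")


def registrable_label(fqdn):
    """Second-level label of a query name, e.g. 'example' for 'www.example.com'.
    Simplification (assumption): no public suffix list, so 'co.uk' is mishandled."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character; all-distinct strings score log2(len)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Longest run of alphabetic non-vowel characters; digits and '-' break a run."""
    best = run = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label):
    """Number of lexical signals present (0..4); thresholds are assumptions."""
    if not label:
        return 0
    score = 0
    if len(label) >= 12:
        score += 1
    if sum(ch in VOWELS for ch in label) / len(label) < 0.3:
        score += 1
    if longest_consonant_run(label) >= 5:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    return score


def parse_log(log_text):
    """Yield (timestamp, client, fqdn) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def flag_dga_candidates(log_text, min_score=3):
    """Return [(client, fqdn, score)] for queries whose label looks generated."""
    hits = []
    for _ts, client, fqdn in parse_log(log_text):
        score = dga_score(registrable_label(fqdn))
        if score >= min_score:
            hits.append((client, fqdn, score))
    return hits


def clients_by_hit_count(log_text, min_hits=2):
    """Clients with repeated flagged queries; repetition is the stronger signal."""
    counts = defaultdict(int)
    for client, _fqdn, _score in flag_dga_candidates(log_text):
        counts[client] += 1
    return {c: n for c, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for client, fqdn, score in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{client} queried {fqdn} (score {score})")
    print("clients with repeated hits:", clients_by_hit_count(SAMPLE_DNS_LOG))
```

Lexical scoring alone produces false positives on CDN hostnames and abbreviations, so the per-client count is the part worth alerting on; in practice the count is restricted to NXDOMAIN responses, since a bot walking a DGA list resolves almost none of the names it tries.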
Financial cyber threats in 2013
The study has clearly demonstrated that users’ electronic money is under constant threat. Whenever users work with their accounts via online banking or pay for their purchases in online stores, cybercriminals are there hunting for their money.
All types of financial threats showed significant growth in 2013. The proportion of phishing attacks involving bank brands doubled, and the proportion of malware-based financial attacks was a third greater than the year before.
There were no ‘newcomers’ in the financial malware segment that could have an impact comparable to that of Zbot and Qhost. Those two and other infamous Trojans were responsible for the majority of attacks during the past year. However, cybercriminals have once again demonstrated that they are keen to follow any changes in market conditions: the dramatic growth in attacks designed to steal Bitcoins, which began in late 2012, continued in 2013.
Kaspersky Lab’s security research team discovered “The Mask” (aka Careto), an advanced Spanish-speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers. This includes extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions, and possibly versions for Android and iOS (iPad/iPhone).
Kaspersky Lab’s team of experts discovered a cyber-espionage operation exposing a new emerging trend: the appearance of small groups of cyber-mercenaries available for hire to perform surgical hit-and-run operations. The APT group focuses on targets in South Korea and Japan, hitting the supply chain for Western companies. The operation started in 2011 and has increased in size and scope over the last few years. Based on the profiles of identified targets, the attackers appear to have an interest in the following sectors: military, shipbuilding and maritime operations, computer and software development, research companies, telecom operators, satellite operators, mass media and television.