The original notice on GameOver Zeus appeared on the US-CERT site. If you’d like to go directly to the tests for the GameOver Zeus virus, scroll down.
Overview of GameOver Zeus
GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.
Systems Affected by GameOver Zeus Virus
- Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
- Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012
Impact of GameOver Zeus
A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.
Solutions to GameOver Zeus
Users are recommended to take the following actions to remediate GOZ infections:
- Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date.
- Change your passwords – Your original passwords may have been compromised during the infection, so you should change them.
- Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
- Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.
http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)
http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)
http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)
http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)
FireEye and Fox-IT
www.decryptcryptolocker.com FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality.
The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.
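Two of the remediation items above (anti-virus present and current, operating system patches current and set to install automatically) are things a Windows host can report on itself. The read-only PowerShell audit below is an added example and is not part of the US-CERT alert or any of the vendor tools listed; it assumes Windows 8 / Server 2012 or later with PowerShell 3 and the Windows Update Agent COM API, that the `root/SecurityCenter2` namespace is only present on client editions, and that the `productState` bit decoding (a widely used community convention, not Microsoft documentation) holds. Function names, the three-day signature-age threshold, and the output layout are the editor's own.

```powershell
# Added example (not from the US-CERT alert): read-only audit of the host-checkable
# items in the GOZ remediation list. Assumes Windows 8 / Server 2012 or later.

function Get-AntivirusStatus {
    # Preferred path: Windows Defender cmdlet, where the Defender module is present.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        return [pscustomobject]@{
            Product         = 'Windows Defender'
            RealTimeOn      = [bool]$mp.RealTimeProtectionEnabled
            SignatureAge    = [int]$mp.AntivirusSignatureAge      # days since last definition update
            SignaturesStale = ($mp.AntivirusSignatureAge -gt 3)   # assumed threshold: 3 days
        }
    }

    # Fallback: any product registered with Security Center (client editions only).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' `
        -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is a packed bit field. Community convention (assumption, not
        # Microsoft documentation): 0x1000 set = real-time protection on,
        # 0x10 set = definitions out of date.
        $state = [int]$p.productState
        [pscustomobject]@{
            Product         = $p.displayName
            RealTimeOn      = (($state -band 0x1000) -ne 0)
            SignatureAge    = $null                          # not exposed by Security Center
            SignaturesStale = (($state -band 0x10) -ne 0)
        }
    }
}

function Get-UpdatePosture {
    # Automatic Updates setting via the Windows Update Agent COM API.
    # NotificationLevel: 1 = disabled, 2 = notify before download,
    # 3 = notify before install, 4 = scheduled (automatic) install.
    $auto  = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    $level = $auto.Settings.NotificationLevel

    # Updates that apply to this host but are not yet installed. Needs access to the
    # configured update source and can take a minute.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates

    # Most recent hotfix with a recorded install date (some entries have none).
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $lastDate = $null
    if ($lastFix) { $lastDate = $lastFix.InstalledOn }

    [pscustomobject]@{
        AutomaticInstall = ($level -eq 4)
        PendingUpdates   = [int]$pending.Count
        LastPatchDate    = $lastDate
    }
}

function Test-RemediationPosture {
    $av = @(Get-AntivirusStatus)
    $up = Get-UpdatePosture
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($av.Count -eq 0) { $findings.Add('No anti-virus product detected.') }
    foreach ($a in $av) {
        if (-not $a.RealTimeOn) { $findings.Add("$($a.Product): real-time protection is off.") }
        if ($a.SignaturesStale) { $findings.Add("$($a.Product): definitions are out of date.") }
    }
    if (-not $up.AutomaticInstall) { $findings.Add('Automatic updates are not set to install automatically.') }
    if ($up.PendingUpdates -gt 0)  { $findings.Add("$($up.PendingUpdates) update(s) are pending installation.") }

    [pscustomobject]@{
        Antivirus = $av
        Updates   = $up
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Run the audit and show each finding on its own line.
$result = Test-RemediationPosture
$result.Updates | Format-List
$result.Antivirus | Format-Table -AutoSize
$result.Findings | ForEach-Object { Write-Output "FINDING: $_" }
```

Run it from an elevated PowerShell session; each entry in `Findings` maps back to one of the remediation items above, and an empty list with `Compliant = True` means the host-checkable items are satisfied. The password-change item cannot be verified by the host and still has to be done by the user.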
- GOZ has been associated with the CryptoLocker malware. For more information on this malware, please visit the CryptoLocker Ransomware Infections page.
- Initial Publication – June 2, 2014
- Added McAfee – June 6, 2014
- Added FireEye and Fox-IT web portal to Solutions section – August 15, 2014
John Sileo is an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.