Check if your computer is infected and part of the GameOver botnet

Jun 10, 2014 07:28 GMT

Users are provided with a simple way to check if their computers are infected with GameOver Zeus, a threat considered among the most sophisticated to date.

F-Secure developed a clever web page that can search for traces of the infection without having to download or install a software utility. The online scan takes a few seconds to complete and looks for page modifications specific to GameOver Zeus.

At the moment, the GameOver Zeus botnet is no longer controlled by cybercriminals, as a result of Operation Tovar, an international joint effort between government organizations and private companies to cut off communication with the command and control server.

Unlike earlier variants, GameOver Zeus relies on a decentralized peer-to-peer (P2P) system that allows infected systems to communicate with one another, which means the success of Operation Tovar is not guaranteed to be permanent.

This means that cybercriminals could restore the botnet at some point, but until that happens, users have a chance to get rid of the threat.

The modus operandi of GameOver Zeus is to monitor the browser's activity for specific pages in order to steal usernames and passwords.

According to the analysis of the Finnish researchers, the Trojan relies on aggressive regular expressions that trigger when specific keywords are detected; it then injects extra code into the page, which adds new fields to the login form and sends their content to the malicious server.

“Our detection page at www.f-secure.com/gameoverzeus loads a webpage from an address which has the string 'amazon' in it, even though it's just a page from our own site,” said Antti Tikkanen, Director of Security Response at F-Secure Labs.

Moreover, the F-Secure representative adds: “Our page makes GameOver ZeuS think you are going to Amazon, even if you're not! This in turn causes GOZ to add its own code to the webpage. When our 'fake' Amazon page is loaded, it does a 'self-check' and simply searches the page for the modification that GameOver makes.”

This behaviour is also the malware's weakness, because it allowed the researchers to create a web page containing a bait word for GameOver to inject content into. If the threat-specific code string is detected in the loaded page, the system is most likely infected.
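The self-check idea described above, as an added example that is not F-Secure's detection code: a function compares the served bait page against a baseline of the form fields and scripts the clean page is known to contain, and flags anything extra as a suspected webinject. The baseline names, the injected field and the script URL are constructed placeholders, not the real GameOver Zeus modification.

```javascript
// Added example, not F-Secure's detection code: a page "self-check" that
// compares the served bait page against a baseline recorded from the clean
// page and reports anything extra as a suspected webinject. All names, URLs
// and the injected markup are constructed placeholders, not the real GOZ inject.

// Baseline: the form fields and script sources the clean bait page contains.
const EXPECTED_INPUTS = new Set(['email', 'password']);
const EXPECTED_SCRIPTS = new Set(['/static/login.js']);

// Collect one attribute's value from every <tag ...> occurrence in the HTML.
function extractAttr(html, tag, attr) {
  const tagRe = new RegExp(`<${tag}\\b[^>]*>`, 'gi');
  const attrRe = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']*)["']`, 'i');
  const values = [];
  for (const openTag of html.match(tagRe) || []) {
    const m = openTag.match(attrRe);
    if (m) values.push(m[1]);
  }
  return values;
}

// Self-check: anything in the page that is not in the baseline is reported.
// Inline <script> bodies are counted too, since the clean page has none.
function selfCheck(html) {
  const extraInputs = extractAttr(html, 'input', 'name')
    .filter(name => !EXPECTED_INPUTS.has(name));
  const extraScripts = extractAttr(html, 'script', 'src')
    .filter(src => !EXPECTED_SCRIPTS.has(src));
  const inlineScripts = (html.match(/<script\b[^>]*>[^<]+<\/script>/gi) || []).length;
  const modified = extraInputs.length > 0 || extraScripts.length > 0 || inlineScripts > 0;
  return { modified, extraInputs, extraScripts, inlineScripts };
}

// Constructed sample: the clean bait page exactly as the server sends it.
const CLEAN_PAGE =
  '<form action="/login"><input name="email"><input name="password">' +
  '<script src="/static/login.js"></script></form>';

// Constructed sample of a tampered copy: a hypothetical extra field and a
// hypothetical remote script, standing in for what an injection would add.
const TAMPERED_PAGE = CLEAN_PAGE.replace(
  '<input name="password">',
  '<input name="password"><input name="card_number">' +
  '<script src="http://injected.example/inj.js"></script>'
);

console.log(selfCheck(CLEAN_PAGE).modified, selfCheck(TAMPERED_PAGE).modified); // false true
```

In a real deployment the baseline must describe the page as the server actually emits it, since any legitimate change to the bait page would otherwise register as an injection.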

However, the trick does not work on all systems: F-Secure notes that GameOver may still be present on computers running web browsers the check does not support, and on 64-bit systems. In those cases, it is recommended to use a full-blown scanning solution that can also remove the infection.