Pierluigi Paganini March 27, 2014

Security experts at F-Secure have detected a new variant of Gameover ZeuS financial Trojan which is targeting recruitment websites.

Zeus Trojan is probably one of the most prolific and long-lived malware, security firms have discovered in the last years numerous variant even more sophisticated. After the public release of it source code, principal security firms have detected new complex variants exploiting P2P protocol, using Tor Network to hide C&C servers or adopting encryption to make the malicious agent more resilient. In the last weeks it was discovered also a variant designed to hit Software-as-a-service (SaaS) which implements a web-crawling feature to obtain access to proprietary data or code from Salesforce.com customer’s CRM instance.The last campaign based on a new variant of GameOver Zeus Trojan discovered by F-Secure targeting users of popular employment websites. The author of the malware adopted a classic social engineering scheme to deceive victims into providing additional private information. The information collected with this stratagem could be used by cybercriminals to bypass multi-factor authentication mechanisms implemented to process the access to numerous web services, including online banking.GameOver Banking Trojan is one of the numerous variants of Zeus malware available on the market, is very flexible and security experts have already documented its use of numerous illicit activities including banking frauds and Distributed Denial of Service attacks. Zeus malware was one of the first malware using Man-In-The-Browser (MITB) attack, the malicious agent through the web injection alters the user’s perception of browser content hiding the attack to the victims. The injection was also used to circumvent two factor authentication processes.

The last version of Zeus GameOver Banking Trojan has targeted the popular recruitment websites CareerBuilder.com and Monster.com using the same scheme, users are served with the fake login page quite similar to the legitimate one, but once the victim login, they are hijacked to the web page injected by the malicious code. At this point the malware proposes to the victims 18 different security questions to choose from, the questions are requested via an injected form and a cookie called “qasent” is spawned by the process. 

• In what City / Town does your nearest sibling live?
• In what City / Town was your first job?
• In what city did you meet your spouse/significant other?
• In what city or town did your mother and father meet?
• What are the last 5 digits / letters of your driver\’s license number?
• What is the first name of the boy or girl that you first dated?
• What is the first name of your first supervisor?
• What is the name of the first school you attended?
• What is the name of the school that you attended aged 14-16?
• What is the name of the street that you grew up on?
• What is the name of your favorite childhood friend?
• What is the street number of the first house you remember living in?
• What is your oldest sibling\’s birthday month and year? (e.g., January 1900)
•  What is your youngest sibling\’s birthday?
• What month and day is your anniversary? (e.g January 2)
• What was the city where you were married?
• What was the first musical concert that you attended?
• What was your favorite activity in school?

Sean Sullivan, Security Advisor at F-Secure Labs, confirmed that it is hard to precisely count the number of victims because the Zeus Gameover is a P2P botnet.

“It’s a peer-to-peer botnet so it’s tricky to count,” “There is some excellent analysis from Dell SecureWorks, which details about 24,000 Gameover bots, in July 2012. I haven’t seen any attempts to count the entireGameover botnet recently, but I’m sure it’s still in the multiple tens of thousands.” said Sullivan.