FBI Warns: GameOver

Tuesday, January 10, 2012

Kevin McAleavey


Last Friday, the FBI published a warning about a new backdoor trojan called "Gameover", the latest variant of the "Zeus" family of banking trojans that comes with several new surprises.

What makes this one different from previous variants is that it primarily targets business finance and adds a new means of defeating attempts to mitigate the fraud once it takes hold: DDOS attacks on the victims.

The DDOS attacks can bring corporate and small business internet connectivity to a halt in addition to the potential financial damage. The significant part of the DDOS angle is that it serves as a diversion for IT while the looting continues, and prevents access to mitigation with the company's bank until it's too late. That's what motivated the FBI to put out this alert.
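As an added illustration of the diversion pattern just described (example code written for this edit, not part of the original post or of any FBI or KNOS tooling), the script below correlates a large outbound transfer with an inbound traffic flood that begins shortly afterwards. The sample transfer and traffic events, the dollar threshold, the packets-per-second threshold, and the 30-minute window are all constructed assumptions.

```python
# Added example (not from the original post): flag a traffic flood that
# starts within a short window after a large outbound transfer, the
# "DDoS as a diversion from fraud" pattern described in the FBI alert.
# All events and thresholds below are constructed assumptions.
from datetime import datetime, timedelta

TRANSFERS = [  # constructed: (time, amount in USD, destination label)
    ("2012-01-06 09:15:00", 1200.00, "payroll-vendor"),
    ("2012-01-06 10:42:00", 48500.00, "unknown-account"),
]
TRAFFIC = [  # constructed: (time, inbound packets/sec at the edge router)
    ("2012-01-06 10:30:00", 900),
    ("2012-01-06 10:40:00", 950),
    ("2012-01-06 10:50:00", 180000),
    ("2012-01-06 11:00:00", 210000),
]

LARGE_TRANSFER = 10000.0        # assumption: USD amount worth correlating
FLOOD_PPS = 50000               # assumption: packets/sec that count as a flood
WINDOW = timedelta(minutes=30)  # assumption: how soon after the transfer

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def flood_starts(traffic, threshold=FLOOD_PPS):
    """Return the times at which inbound traffic first crosses the threshold."""
    starts, in_flood = [], False
    for ts, pps in sorted(traffic):
        if pps >= threshold and not in_flood:
            starts.append(parse(ts))
        in_flood = pps >= threshold
    return starts

def correlate(transfers, traffic, window=WINDOW, min_amount=LARGE_TRANSFER):
    """Pair each large transfer with a flood beginning within `window` after it."""
    alerts = []
    for ts, amount, dest in transfers:
        if amount < min_amount:
            continue
        t = parse(ts)
        for start in flood_starts(traffic):
            if t <= start <= t + window:
                alerts.append({"transfer_time": ts, "amount": amount,
                               "destination": dest,
                               "flood_start": start.strftime("%Y-%m-%d %H:%M:%S")})
    return alerts

if __name__ == "__main__":
    for alert in correlate(TRANSFERS, TRAFFIC):
        print("ALERT: possible diversion DDoS after transfer:", alert)
```

A flood starting just after a large transfer is the cue to phone the bank on a line the attacker cannot clog, rather than waiting for the network to recover.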

Gameover begins as a phishing scheme: spam e-mails, allegedly from the National Automated Clearing House Association (NACHA), the Federal Reserve Bank, or the Federal Deposit Insurance Corporation (FDIC), lead to malware infection and eventually to access to the victim's bank account.

Quoting from the FBI warning linked above:

The malware is appropriately called "Gameover" because once it's on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it's definitely "game over."

How the scheme works: Typically, you receive an unsolicited e-mail from NACHA, the Federal Reserve, or the FDIC telling you that there's a problem with your bank account or a recent ACH transaction. (ACH stands for Automated Clearing House, a network for a wide variety of financial transactions in the U.S.) The sender has included a link in the e-mail for you that will supposedly help you resolve whatever the issue is. Unfortunately, the link goes to a phony website, and once you're there, you inadvertently download the Gameover malware, which promptly infects your computer and steals your banking information.

After the perpetrators access your account, they conduct what's called a distributed denial of service, or DDoS, attack using a botnet, which involves multiple computers flooding the financial institution's server with traffic in an effort to deny legitimate users access to the site - probably in an attempt to deflect attention from what the bad guys are doing.

Brian Krebs, on his "krebsonsecurity" site observes:

In several recent attacks, as soon as thieves wired money out of a victim organization's account, the victim's public-facing Internet address was targeted by a network attack, leaving employees at the organization unable to browse the Web.

Organizations that bank online should understand that they are liable for any losses stemming from cyber fraud. I have consistently advised small to mid-sized entities to consider using a dedicated computer for online banking - one that is not used for everyday Web surfing - and preferably a non-Windows system, or a "live CD" distribution.

In other words, businesses which are "windows bound" might consider using (tooting my own horn once again) our own KNOS operating system, or a Linux-based system, or cobble together a Windows computer for their financial people which is never used for surfing in order to mitigate the risks of this dangerous malware.

Like so many other dangerous exploits and malware, once again the target is Windows-based systems that are used for internet access as well as business use, but "Gameover" goes far beyond the level of mayhem commonly found in ordinary day-to-day infections, and poses a particular risk to smaller operations without their own security "geeks" at the ready. Now that the criminals have honed their skills, they're turning to the weakest link in businesses in order to rack up their cash flows.

And if I can take an extra second to "hawk our wares" since we advertise here on the Island, a major advantage to our KNOS operating system is that it's ready to deploy with zero configuration and nothing to install; it's ready to run as soon as you burn your DVD for deployment, in under an hour. We can also assist in burning KNOS to a USB stick or even to a dedicated hard disk on your client machines.

Situations like this are precisely what we designed KNOS for: it's a "complete computer on a puck," familiar and friendly to non-technical end users, and uncomplicated in a way that Linux CDs typically are not. Just wanted to mention that in case anyone is nervous about those "weakest links" in their user base. :)

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) in Albany, NY and has been in antimalware research and security product development since 1996.
