FBI Alert - Game Over Zues

FBI Alert - Game Over Zues

February 18, 2015 - InfraGard

Gameover Zeus (GOZ), a peer-to-peer variant of the well-known banking Trojan Zeus, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command and control of victim computers. GOZ is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim's computer. To date, GOZ activity has led to the loss of millions of dollars through fraudulent Automated Clearing House (ACH) transactions and wire transfers. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial of service (DDoS) attacks.

Spearphishing campaigns are often associated with the GOZ infection lifecycle. These campaigns are established as an initial vector to compromise targeted systems with a loader program, which subsequently allows the infected host to download larger, malicious payloads. Effected systems often remain undetected in an organization's network for months or even years.


Cryptolocker (CL) is a ransomware variant that encrypts files on the infected computer, holding it ransom until the victim pays the requested amount. The victim typically has seventy-two (72) hours to pay the fine in order to receive the key to decrypt the files.

The splash page associated with Cryptolocker states all important files on the computer have been encrypted, which includes photos, videos, and documents. It also states that the encryption was produced using a unique public key RSA-2048 generated for the victim's computer and to decrypt the files the victim must obtain the private key. It further goes on to state that the single copy of the private key, which would allow the victim to decrypt the files, is located on a secret server on the Internet and the server will destroy the key after a specified amount of time.