Menu
One-click test finds Gameover Zeus infections

One-click test finds Gameover Zeus infections

Researchers from F-Secure created a Web page to test if computers are infected with the Gameover Zeus Trojan program

Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.

The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware's aggressive URL matching algorithm.

Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware's configuration file.

For example, to steal log-in credentials for Amazon.com or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?://.*?amazon..*?/.*?. However, this regular expression matches not just Amazon sites, but any URL that has "amazon" in it, including https://www.f-secure.com/amazon.com/index.html.

"We can use this to 'trick' Gameover bots and make an easy check to see if an infection is present in your browser!" said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.

Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.

"We search for the string 'LoadInjectScript'," Tikkanen said. "If the string is found on the page, we know Gameover Zeus has infected your browser!"

The test is not perfect though, because the malware doesn't support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.

F-Secure also provides a free online scanner that is capable of detecting and removing the threat.

Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.

According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.

The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it's possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware if found as possible.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags online safetysecurityDesktop securityf-securespywaremalwareantivirusfraud

Slideshows

Meet the leading HP partners in New Zealand...

Meet the leading HP partners in New Zealand...

HP has recognised its top performing partners in New Zealand at the second annual 2016 HP Partner Awards, held at a glittering bash in Auckland. The HP Partner Awards recognises and celebrates excellence, growth, consistency and engagement of its top partners. This year also saw the addition of several new categories, resulting in 11 companies winning across 11 award categories.

Meet the leading HP partners in New Zealand...
Channel comes together as Ingram Micro Showcase hits Auckland

Channel comes together as Ingram Micro Showcase hits Auckland

Ingram Micro outlined its core focuses for 2017 at Showcase in Auckland, bringing together the channel for a day of engaging keynotes, compelling breakout sessions and new technologies.

Channel comes together as Ingram Micro Showcase hits Auckland
Show Comments