Menu
One-click test finds Gameover Zeus infections

One-click test finds Gameover Zeus infections

Researchers from F-Secure created a Web page to test if computers are infected with the Gameover Zeus Trojan program

Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.

The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware's aggressive URL matching algorithm.

Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware's configuration file.

For example, to steal log-in credentials for Amazon.com or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?://.*?amazon..*?/.*?. However, this regular expression matches not just Amazon sites, but any URL that has "amazon" in it, including https://www.f-secure.com/amazon.com/index.html.

"We can use this to 'trick' Gameover bots and make an easy check to see if an infection is present in your browser!" said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.

Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.

"We search for the string 'LoadInjectScript'," Tikkanen said. "If the string is found on the page, we know Gameover Zeus has infected your browser!"

The test is not perfect though, because the malware doesn't support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.

F-Secure also provides a free online scanner that is capable of detecting and removing the threat.

Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.

According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.

The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it's possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware if found as possible.


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags securityfraudmalwarespywareonline safetyantivirusf-secureDesktop security

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments