Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Zeus GameOver

Nick Griffin, Elad Sharf, Ran Mosessco | June 9, 2014
In this blog, we illustrate some key metrics about Zeus GameOver.

United States               97.587%
United Kingdom        13.505%
Italy         9.960%
Malaysia         6.086%
Canada         5.173%
Mexico         3.054%
Jordan         2.619%
Turkey         2.615%
Costa Rica         2.168%
New Caledonia         2.137%

The next heatmap video shows how dominant the GameOver variant has been in April and May of this year.

Interestingly (and you might say very much expected), the main target of Zeus GameOver campaigns has been the financial industry, with a trend towards targeting victims at companies in the pension management sector of the financial industry.

Retirement & Pension Management                72.072%
Education         55.193%
Services         15.072%
Manufacturing        13.431%
Finance, Insurance & Real Estate         11.803%

Case Study

Here's a recent example of an email attack stopped by Websense Cloud Email Security (CES). The attack tried to entice victims to open a ZIP attachment containing the Upatre downloader on their computer, which would later infect the users with Zeus GameOver.

Websense ThreatScope behavioral analysis recognizes Upatre as malicious:

The target URL containing the encrypted binary is categorized as MWS, therefore stopping the infection before Zeus GameOver even gets to the victim's computer:


Websense customers are protected with ACE™, our Advanced Classification Engine, at the stages detailed below:
•    Stage 2 (Lure) - ACE has proactive detection for the email lures.
•    Stage 4 (Exploit Kit) – ACE has detection for the malicious code that attempts to execute this cyber-attack. This stage may or may not exist, lately exploit kits have fallen out of favor with the criminals behind Zeus GameOver.
•    Stage 5 (Dropper Files) – ACE has detection for the binary files associated with this attack. Additionally, ThreatScope behavioral analysis classifies the binary's behavior as malicious or suspicious.
•    Stage 6 (Call Home) – Communication to the associated C&C server is prevented.


GameOver has been around for several years, and since its inception has been a challenge for the security industry to defend against, because different variants have appeared, and also because its source code was leaked. Websense researchers recommend utilizing a strong email security product, which will proactively block campaigns and prevent infection from GameOver from ever happening. The Websense® ThreatSeeker® Intelligence Cloud has seen a notable increase in its activity over the last two months leading up to the takedown of GameOver, and continue to monitor closely.


Previous Page  1  2 

Sign up for Computerworld eNewsletters.