At the beginning of 2012, we wrote about the emergence of a new version of ZeuS called ZeuS-P2P or Gameover. It utilizes a P2P (Peer-to-Peer) network topology to communicate with a hidden C&C center.This malware is still active and it has been monitored and investigated by CERT Polska for more than a year. In the second half of 2012, it directly affected the Polish users, namely that of internet banking.
One of the distinguishing features of Gameover compared to other mutations of the “ZeuS” family is the presence of only one instance of the botnet. Standard ZeuS and its successor, Citadel were sold as so called “crimeware toolkits”, which is a kind of self-assembly kit. Each purchaser had to set up his own instance of a botnet. That also meant infecting computers, collecting stolen information and giving instructions. ZeuS-P2P is not being sold that way. Instead, there is only one instance of it, hence one botnet.
This report contains information that should enable the average user to understand the nature of the threat, and show how one can identify an infected computer. More advanced users or malware analysts should also find some additional insight. Detailed description of the protocol and large sections of reconstructed code should explain the technical aspects of the P2P network and its capabilities.
