Recently published blog posts:
Go to the blog archive and browse all previous blog posts
we have published so far.
Subscribe to the GovCERT.ch blog RSS feed to stay up to
date and get notified about new blog posts.
Recently published whitepapers:
Subscribe to the whitepapers RSS feed to stay up to date
and get notified about new whitepapers.
Report an incident:
The following email address can be considered as point of
contact for FIRST members and other
Published on June 2, 2014 15:20 UTC by GovCERT.ch (permalink)
Last updated on June 2, 2014 15:29 UTC
Today, the U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) announced the takedown of two botnets: GameOver ZeuS (GOZ) and CryptoLocker. Both botnets have been around since quite a while and were also present in Switzerland, infecting computers in order to commit ebanking fraud or to blackmail Swiss citizens. GovCERT.ch has been aware of GameOver ZeuS (which is also known as P2P ZeuS) for years and has already taken measures against this threat together with Swiss Internet service providers since July 2013.
One of the easiest ways to detect the presence of GOZ in your network is by using an Intrusion Detection or Prevention System (IDS/IPS). There are many commercial and non-commercial IDS/IPS products around. Two of the most widely used IDS/IPS are Snort and Suricata, which are both open source. Further more Snort/Suricata rules can be easily imported into commercial IDS/IPs products. One of the largest set of Snort/Suricata rules is provided by Emerging Threats (ET), but you can of course write your own rules as well.
ET provides several rules which are aimed to detect GOZ flows in your network stream. If you are already running either Snort or Suricata, or you are planing to do so, you might want to take a look at the following ET rules:
Another possibility to detect GOZ botnet C&C traffic is to check the log files of your outgoing firewall. In order to communicate with the botnet operator, GOZ infected computers are using a sophisticated P2P mechanism. An infected computer will communicate with other GOZ infected computers in the internet using TCP and UDP high ports (1024 and higher). Hence if you have a computer in your network that is infected with GOZ, you will likely see a high amount of TCP and UDP drops to different IPs in the internet on high ports on your outgoing firewall.
Once you identified an infected computer, you should re-install the operating system. GOZ usually comes with an additional piece of malware to the victims computer, e.g. with the Necerus Rootkit. So even if you scan the affected computer with an up to date anti-virus software, you will never be sure if your anti virus was able to catch everything.
In case that you are not able to re-install the operating system, we have written a malware removal guide for you which is available in different languages:
Instructions for removing malware (English)
Anleitung zur Entfernung von Schadsoftware (English)
Instructions relatives à la suppression des maliciels (French)
Guida per l’eliminazione di software nocivi (Italian)
Back to top