GOZeuS and CryptoLocker: What are they and how to protect your business

(Ping! Zine Web Tech Magazine) – Gameover ZeuS (GOZeuS) is a piece of malware which has the sole aim of stealing large amounts of money. Therefore, it has been targeted at businesses both small and large (in August 2012 it was estimated that 600,000 systems in Fortune 500 companies were infected) resulting in millions of pounds worth of theft and fraud.

The National Crime Agency (NCA) has been working on a unique global collaboration called ‘Operation Tovar’ to combat the machinations of the GOZeuS (a.k.a. P2PZeuS) botnet, as well as the users of the CryptoLocker ransomware. The latter is often used if the initial GOZeuS attack doesn’t work. This sortie on the botnet is a collaborative effort between the NCA, FBI and Europol, security firms such as Trend Micro and McAfee, and researchers at VU University Amsterdam and Saarland University in Germany.

Operation Tovar has apparently now disrupted this peer-to-peer network by having ISPs redirect the traffic the botnet is known to use for command and control communications. The operation then obtains the IP addresses of infected machines or networks and contacts their owners to ask them to remove the malware. This is done in conjunction with security companies and authorities.

The NCA expects that this will leave one to two weeks where users have a chance of removing the malware. This needs to be done quickly because if the malware isn’t removed, then the attackers can simply use their root access to the machines to install an updated version of the botnet.

What do Gameover Zeus and CryptoLocker do?

They are in fact two very different Trojans.

GOZeuS started life as the ZeuS Trojan; malware that was used extensively in online banking attacks, but was sold as a ‘botnet creation kit’ to anyone who had a few thousand dollars to spend. In October 2011 GOZeuS emerged, but unlike ZeuS it was controlled by a core group through a peer-to-peer network, removing the centralised command and control of the original ZeuS, and allowing them to distribute updates dynamically, as well as making it very hard to disrupt.

GOZeuS is typically spread through links or attachments in emails which suggest they contain invoices or voicemails; these emails are generated by the machines of other users who are infected with the GOZeuS Trojan and don’t realise it.

Once GOZeuS has found its way onto a victim’s computer it will attempt to steal information. It’s been used successfully to acquire credit card numbers, online banking details and login credentials for a wide variety of systems, in total netting the administrators of the botnet millions of pounds.

The malware injects itself into legitimate Windows processes to maintain persistence, and also hooks system and browser functions to install ‘fake’ content into a user’s browser to conceal fraudulent activity.

This is a highly effective method of attack on a small business when a criminal wants to transfer large sums from its account but needs to remain hidden until the transfer is confirmed. It works because the user ‘sees’ whatever the criminal wants them to see on their screen, while the criminal is free to change the amount of a transfer and the account it is going to (theirs!).

CryptoLocker isn’t quite as sneaky; it’s usually installed by GOZeuS if an initial attempt to steal funds has failed and will display a warning that unless you hand over a sum of money then CryptoLocker will encrypt all your data on the system.

Once encrypted, CryptoLocker will generate a pop-up demanding an even higher ransom for access to the private key which can decrypt your files. The malware uses public key cryptography algorithms to encrypt the files: once the machine is infected, a key pair is generated and the private key is sent to the attacker’s server. There are usually 72 hours before the CryptoLocker server is supposed to destroy the private key, making the files unrecoverable.

Businesses with shared drives for file storage should be particularly vigilant, as CryptoLocker will encrypt any drive it can see, including mapped network drives. Even the file server itself could be infected if it doesn’t have adequate anti-virus protection installed which also scans shared files.
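One practical way to watch a shared drive for the kind of mass encryption described above is to plant canary files and check them regularly. The following is an added example written for this article, not code from the article or from any of the vendor tools it mentions. It plants a small canary file in the share root and in chosen subfolders, records their SHA-256 hashes, and on each check reports canaries that were altered or removed, plus any file whose first few kilobytes have an entropy close to 8 bits per byte, which is what ciphertext looks like. The canary file name, the entropy threshold and the temporary "share" used in the demonstration are this example's own assumptions.

```python
"""Canary-file and entropy check for a shared drive.

Added example (not code from the article or from any vendor tool it names).
Assumptions: the canary file name and the entropy threshold below are this
example's own choices; the demo uses a temporary directory as the "share".
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

CANARY_NAME = "_canary_do_not_touch.txt"   # assumed name; pick something users won't edit
CANARY_TEXT = b"Canary file. If this content ever changes, investigate the share.\n"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def plant_canaries(share_root: Path, subdirs) -> dict:
    """Write one canary into the share root and each subdir; return {relative path: hash}."""
    baseline = {}
    for directory in [share_root] + [share_root / s for s in subdirs]:
        directory.mkdir(parents=True, exist_ok=True)
        canary = directory / CANARY_NAME
        canary.write_bytes(CANARY_TEXT)
        baseline[canary.relative_to(share_root).as_posix()] = sha256_of(canary)
    return baseline


def check_share(share_root: Path, baseline: dict,
                entropy_threshold: float = 7.5, sample_bytes: int = 4096) -> dict:
    """Compare canaries against the baseline and flag files that look encrypted."""
    report = {"modified_canaries": [], "missing_canaries": [], "high_entropy_files": []}
    for rel, expected in baseline.items():
        canary = share_root / rel
        if not canary.exists():
            report["missing_canaries"].append(rel)
        elif sha256_of(canary) != expected:
            report["modified_canaries"].append(rel)
    for path in sorted(share_root.rglob("*")):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        # Very short files give unreliable entropy estimates, so skip them.
        if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
            report["high_entropy_files"].append(path.relative_to(share_root).as_posix())
    return report


def run_demo() -> dict:
    """Plant canaries in a temporary share, simulate damage, return before/after reports."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        baseline = plant_canaries(share, ["finance", "hr"])
        before = check_share(share, baseline)          # clean share: no findings
        # Constructed damage: overwrite one canary with random bytes (stands in for an
        # encrypted file) and delete another. No real encryption is performed here.
        (share / "finance" / CANARY_NAME).write_bytes(os.urandom(4096))
        (share / "hr" / CANARY_NAME).unlink()
        after = check_share(share, baseline)
    return {"before": before, "after": after}


if __name__ == "__main__":
    for finding, paths in run_demo()["after"].items():
        print(f"{finding}: {paths}")
```

Run the check from a scheduled task on the file server and alert on any non-empty finding. The entropy heuristic will also flag legitimately compressed content (archives, images, media), so in practice combine it with the canary results or restrict it to document folders; the canary hashes on their own give no false positives. Modern ransomware families change file names or extensions as well, so pairing this with a check for unexpected extensions on the share is worthwhile.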

How to protect your network

  1. You should already be making sure that you have the latest updates for your computer installed. Also run a full system scan with an up-to-date antivirus program.
  2. In addition I’d recommend one of the free tools being distributed by the security companies to scan for and remove these threats specifically. Trend Micro has its ‘Clean’ tool available at www.trendmicro.com/threatdetector. McAfee also has a ‘Stinger’ tool which can be run from http://www.mcafee.com/stinger. Both will remove GOZeuS, CryptoLocker and most other malware threats on your machine.
  3. You should also be very careful about any emails you receive claiming to be from your ISP, or the Police, NCA or FBI, asking you to click on a link or open an attachment to run a tool which will remove GOZeuS. These emails could also come from someone you know, but will have been sent by malware installed on their PC. If this does happen, delete the email and then get in contact with the sender asking them to run the above tools.
  4. Likewise, be careful about any pop-up or pop-under browser windows which claim to have detected this, or any virus/malware/problem on your machine; they will typically look like an anti-virus program with a ‘Scan’ or ‘Fix’ button. Clicking this will either download a file to your PC that contains malware asking you to run it, or it will try to exploit a vulnerability in your browser to install itself. A good (genuine) anti-virus program should catch this, but always download files from an official site where possible.
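The lure emails described in steps 3 and 4 share a few mechanical tells that a mail gateway or a help-desk triage script can check for: a link whose visible text names one site while the href points somewhere else, a link to a bare IP address, and an attachment that is really an executable hiding behind a document-style name. The code below is an added example written for this article, not code from the article or from the vendors it names. The extension lists, the last-two-labels domain comparison (a stand-in for a proper public-suffix list) and the sample message with its `.example` domains are all this example's own constructions.

```python
"""Heuristic checks for lure emails of the kind the article warns about.

Added example (not code from the article). The extension lists and the crude
domain comparison are assumptions for illustration; the sample message and its
.example domains are constructed, not a real phishing email.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for the example; a real mail filter would use a maintained set.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".pif"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".wav", ".mp3", ".txt"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url_or_text: str) -> str:
    """Hostname of a URL; bare text like 'www.site.tld/path' is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation (assumption: no public-suffix list here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_links(html_body: str) -> list:
    """Flag links to raw IPs and links whose shown address disagrees with the real target."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = hostname_of(href)
        if IPV4.match(target):
            findings.append(f"link to raw IP address {target}")
        # Visible text that itself looks like a web address must agree with the real target.
        if "." in text and " " not in text:
            shown = hostname_of(text)
            if shown and registrable_domain(shown) != registrable_domain(target):
                findings.append(f"link text shows {shown} but points to {target}")
    return findings


def check_attachments(names) -> list:
    """Flag executable attachments and document-looking names with a second extension."""
    findings = []
    for name in names:
        parts = name.lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        inner = "." + parts[-2] if len(parts) > 2 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment {name}")
        if inner in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
            findings.append(f"double extension disguises {name} as a document")
    return findings


# Constructed sample lure in the style the article describes (not a real message).
SAMPLE_HTML = """
<p>Your computer has been identified as infected with GOZeuS.</p>
<p>Download the removal tool from
<a href="http://nca-cleanup-tool.example/run">www.nationalcrimeagency.gov.uk/tool</a>
or see <a href="http://203.0.113.5/invoice">your invoice</a>.</p>
<p>Genuine link: <a href="http://www.mcafee.com/stinger">www.mcafee.com/stinger</a></p>
"""
SAMPLE_ATTACHMENTS = ["Invoice_2014-06.pdf.exe", "voicemail.wav.scr", "statement.pdf"]


if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML) + check_attachments(SAMPLE_ATTACHMENTS):
        print("FLAG:", finding)
```

The genuine McAfee link in the sample passes because the shown address and the real target share a domain; the two lure links are flagged. These heuristics are deliberately simple and will miss a lure that uses plain "click here" text on a look-alike domain, so they complement rather than replace user awareness and a scanning gateway; the article's advice to go to the vendor's official site by hand still stands.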


There is only a short window to make sure this malware is removed from your systems. Since news of the global attack on the GOZeuS botnet first leaked through a blog post posted on the McAfee website on Friday, 30 May (which was then removed a few hours later but reposted once the story had been reported), it has been picked up by global news media along with further announcements from the NCA, FBI and Microsoft on their efforts to clean up the GOZeuS botnet.

The group operating the botnet will obviously be aware of this and they will be taking immediate steps to re-establish control. Once that is done it is likely that any remaining parts of the botnet will be changed with new attack vectors, new ways to hide from users and new methods of communications, so it is imperative that you scan your systems NOW.


About the author

David Barker is the technical director of 4D Data Centres, the colocation and connectivity supplier for small businesses in the South East of England.

In 2013, he re-launched 4D Hosting with a focus on providing premium hosting packages and 24/7 support from its own engineers to technology companies, developers and geeks.

Tweet him on @David_4D.