RSA Admin

UPDATED! New Detections! GameOver Zeus and How to Detect It

Blog Post created by RSA Admin Employee on Apr 22, 2014

The RSA FirstWatch Team has seen an increase of the GameOver Zeus variants submitted to our malware database over the past few weeks.  Here is the trendline.




The GameOver Zeus variant uses an encoded secondary file download that is decrypted by the initial infection file on an affected host.  This encoded download is actually an executable, but typical file fingerprinting-  looking for the MZ at the beginning of the file, as many gateway products do, such as NextGen firewalls, IDS/IPS, etc will not typically stop this file type from being delivered to the endpoints.  A great blog detailing the encryption scheme is located here.

When GameOver first appeared, these secondary download files typically had a .ENC filename extension.   However, as of late, the extension has become randomized.  In the screenshot below, you can see the pattern of these filename extensions and directory structure.



So you can see the pattern of the 6 character alphanumeric filename followed by the randomized extension.  Also, you can see that many of these files are hosted on WordPress blog sites that were likely compromised at the beginning stages of the GameOver campaign to host these downloads.  Why pay for a Content Delivery Network (CDN) when you can make your own from vulnerable webhosts?


Below is a sample session from Security Analytics so you can see what happens on the network.  As you will see, there is a marker at the beginning of the file-  the distinctive "ZZP." which is unique to these GameOver sessions.  This tells us that it is possible to fingerprint these filetypes by looking for that marker as a token with a parser.




There is one additional piece of meta that is common to every GameOver variant detected-  It's simple and distinct User-Agent string.




So detecting this threat uses three approaches-  two application rules and one new parser.  The rules are:


GameOver Zeus Installer Detected

client='Updates downloader'


Possible GameOver Binary Downloaded

extension='enc' && directory begins '/wp'


But should the UA string ever change with a new GameOver variant, the LUA parser attached below will find the token "ZZP" mentioned above.  We have also added a few dozen known GameOver Download domains to the FirstWatch Threat feeds.  And finally, a sample PCAP is also attached so analysts can see what this activity looks like and to test the attached parser.


So check your environments for the past few months using these rules/queries above to see if you have been affected by GameOver.  And Happy Hunting!



This, like other malware, evolves over time.  The dropper file that was faithfully detected by the parser below has changed, although the extensions are still rar, zip, tar, etc.  However, we have observed new User-Agent strings for communications and you should update your capture rules to include the following:

client='onlymacros','opera10','update sdb','conchita wurst','acheckupdate'