One-click test finds Gameover Zeus infections
Researchers from F-Secure created a Web page to test if computers are infected with the Gameover Zeus Trojan program
By Lucian Constantin | Published: 12:06, 10 June 2014
Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.
The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware's aggressive URL matching algorithm.
Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware's configuration file.
For example, to steal log-in credentials for Amazon.com or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?://.*?amazon..*?/.*?. However, this regular expression matches not just Amazon sites, but any URL that has "amazon" in it, including https://www.f-secure.com/amazon.com/index.html.
"We can use this to 'trick' Gameover bots and make an easy check to see if an infection is present in your browser!" said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.
Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.
"We search for the string 'LoadInjectScript'," Tikkanen said. "If the string is found on the page, we know Gameover Zeus has infected your browser!"
The test is not perfect though, because the malware doesn't support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.
F-Secure also provides a free online scanner that is capable of detecting and removing the threat.
Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.
According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.
The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it's possible that its operators might attempt to regain control of it in the future. Because of this, users are advised to scan their computers and remove the malware if found as possible.