{"id":5750,"date":"2014-06-11T10:00:33","date_gmt":"2014-06-11T14:00:33","guid":{"rendered":"http:\/\/blog.nccomputertech.com\/?p=5750"},"modified":"2014-06-11T10:00:33","modified_gmt":"2014-06-11T14:00:33","slug":"one-click-test-finds-gameover-zeus-infections-on-pcs","status":"publish","type":"post","link":"https:\/\/nccomputertech.com\/techtalk\/2014\/06\/11\/one-click-test-finds-gameover-zeus-infections-on-pcs\/","title":{"rendered":"One-click test finds Gameover Zeus infections on PCs"},"content":{"rendered":"<p style=\"text-align:center;\"><a href=\"http:\/\/www.pcworld.com\/article\/2361720\/oneclick-test-finds-gameover-zeus-infections.html\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2014\/06\/antivirus-100066277-large.jpg\" alt=\"\" \/><\/a><\/p>\n<p>Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated online banking Trojan that law enforcement officers temporarily disrupted last week.<\/p>\n<p>The one-click test was developed by security researchers from antivirus vendor F-Secure and takes advantage of the malware\u2019s aggressive URL matching algorithm.<\/p>\n<p>Gameover Zeus monitors and injects rogue code into Web browsing sessions when users access banking and other popular websites from infected computers. The targeted sites are determined by regular-expression-based rules listed in the malware\u2019s configuration file.<\/p>\n<p>For example, to steal log-in credentials for Amazon.com or other Amazon websites the malware monitors if any URLs accessed in the browser match the following regular expression: http.*?:\/\/.*?amazon..*?\/.*?. 
However, this regular expression matches not just Amazon sites, but any URL that has \u201camazon\u201d in it, including https:\/\/www.f-secure.com\/amazon.com\/index.html.<\/p>\n<p>\u201cWe can use this to \u2018trick\u2019 Gameover bots and make an easy check to see if an infection is present in your browser!\u201d said Antti Tikkanen, director of security response at F-Secure, in a blog post Monday.<\/p>\n<p>Tricking an infected PC to &#8220;bite&#8221;<\/p>\n<p>Visiting the test page set up by F-Secure from a Gameover-infected computer will force the malware to inject its malicious code into it. The page then performs a check on itself to detect if Gameover-specific code was added.<\/p>\n<p>\u201cWe search for the string \u2018LoadInjectScript\u2019,\u201d Tikkanen said. \u201cIf the string is found on the page, we know Gameover Zeus has infected your browser!\u201d<\/p>\n<p>The test is not perfect though, because the malware doesn\u2019t support native 64-bit browsers, so visiting the F-Secure page from such a browser will not detect the infection. Users are therefore advised to perform the test using a 32-bit version of Internet Explorer, Google Chrome or Mozilla Firefox.<\/p>\n<p>F-Secure also provides a free online scanner that is capable of detecting and removing the threat.<\/p>\n<p>Law enforcement agencies from multiple countries worked with security vendors to disrupt the Gameover Zeus botnet at the beginning of June.<\/p>\n<p>According to the FBI, the malware infected over 1 million computers and was used to steal millions of dollars from businesses and Internet users worldwide. It was also used to distribute CryptoLocker, a separate malware threat that encrypts files and asks for a ransom to restore them.<\/p>\n<p>The Gameover Zeus botnet has a peer-to-peer architecture with no single point of failure, so it\u2019s possible that its operators might attempt to regain control of it in the future. 
Because of this, users are advised to scan their computers and remove the malware, if found, as soon as possible.<\/p>\n<p>via <a href=\"http:\/\/www.pcworld.com\/article\/2361720\/oneclick-test-finds-gameover-zeus-infections.html\" target=\"_blank\">One-click test finds Gameover Zeus infections on PCs | PCWorld<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Users can test by simply visiting a Web page if their computers have been infected with Gameover Zeus, a sophisticated [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"jetpack_post_was_ever_published":false},"categories":[7,9],"tags":[73,74,142,655,950,1167],"class_list":["post-5750","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-antivirus","tag-antivirus-software","tag-botnet","tag-malware","tag-security-2","tag-virus"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/papNkV-1uK","jetpack-related-posts":[{"id":8453,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/07\/07\/zeusvm-malware-building-tool-leak-may-cause-botnet-surge\/","url_meta":{"origin":5750,"position":0},"title":"ZeusVM malware building tool leak may cause botnet surge","author":"NCCT","date":"July 7, 2015","format":false,"excerpt":"The Internet could see a new wave of botnets based on the ZeusVM banking Trojan after the tools needed to build and customize the malware program were published online for free. 
The source code for the builder and control panel of ZeusVM version 2.0.0.0 was leaked sometime in June, according\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":3156,"url":"https:\/\/nccomputertech.com\/techtalk\/2013\/08\/09\/hand-of-thief-banking-trojan-doesnt-do-windows-but-it-does-linux\/","url_meta":{"origin":5750,"position":1},"title":"\u201cHand of Thief\u201d banking trojan doesn\u2019t do Windows\u2014but it does Linux","author":"NCCT","date":"August 9, 2013","format":false,"excerpt":"Signaling criminals' growing interest in attacking non-Windows computers, researchers have discovered banking fraud malware that targets people using the open-source Linux operating system. Hand of Thief, which was recently discovered by researchers from security firm RSA, sells for about $2,000 in underground Internet forums and boasts its own support and\u2026","rel":"","context":"In &quot;Linux&quot;","block_context":{"text":"Linux","link":"https:\/\/nccomputertech.com\/techtalk\/category\/linux\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=350%2C200 1x, https:\/\/i0.wp.com\/nccomputertech.com\/techtalk\/wp-content\/uploads\/2013\/08\/hand-of-thief-640x294.jpg?resize=525%2C300 1.5x"},"classes":[]},{"id":7608,"url":"https:\/\/nccomputertech.com\/techtalk\/2015\/02\/12\/virustotal-tackles-the-tricky-false-positives-problem-plaguing-antivirus-software\/","url_meta":{"origin":5750,"position":2},"title":"VirusTotal tackles the tricky false positives problem plaguing antivirus software","author":"NCCT","date":"February 12, 
2015","format":false,"excerpt":"VirusTotal, a Google-owned online malware scanning service, is creating a whitelist of products from large software vendors to reduce bad detections by antivirus programs. False positive detections are common in the antivirus industry. They occur when a benign program is wrongfully flagged as malicious due to an overly broad detection\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7150,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/12\/17\/russian-malware-targets-wordpress-users-over-100000-sites-infected\/","url_meta":{"origin":5750,"position":3},"title":"Russian malware targets WordPress users, over 100,000 sites infected","author":"NCCT","date":"December 17, 2014","format":false,"excerpt":"Our blog was not affected...NCCT. A Russian malware dubbed SoakSoak has infected nearly 100,000 WordPress websites since Sunday, prompting Google to blacklist over 11,000 of those domains (the number is increasing), according to a report from cybersecurity firm Sucuri. The malware exploits a previously-known vulnerability in a WordPress plugin called\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":5916,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/07\/08\/attack-on-dailymotion-redirected-visitors-to-exploits\/","url_meta":{"origin":5750,"position":4},"title":"Attack on Dailymotion redirected visitors to exploits","author":"NCCT","date":"July 8, 2014","format":false,"excerpt":"Attackers injected malicious code into Dailymotion.com, a popular video sharing website, and redirected visitors to Web-based exploits that installed malware. 
The rogue code consisted of an iframe that appeared on Dailymotion on June 28, researchers from security vendor Symantec said Thursday in a blog post. The iframe redirected browsers to\u2026","rel":"","context":"In &quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":7294,"url":"https:\/\/nccomputertech.com\/techtalk\/2014\/12\/29\/beware-fake-the-interview-movie-download-app-is-in-the-wild\/","url_meta":{"origin":5750,"position":5},"title":"Beware: Fake &#8220;The Interview&#8221; movie download app is in the wild","author":"NCCT","date":"December 29, 2014","format":false,"excerpt":"\"The Interview\" is undeniably the hottest movie of the year, which is a comedy about a plan to kill North Korea's leader, Kim Jong-un. It has also been the most controversial, backed by disputes with hackers threatening theaters who will play the said movie with physical action, and also by\u2026","rel":"","context":"In 
&quot;Security&quot;","block_context":{"text":"Security","link":"https:\/\/nccomputertech.com\/techtalk\/category\/security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/comments?post=5750"}],"version-history":[{"count":0,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/posts\/5750\/revisions"}],"wp:attachment":[{"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/media?parent=5750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/categories?post=5750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nccomputertech.com\/techtalk\/wp-json\/wp\/v2\/tags?post=5750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}