Gameover for P2P Zeus?


Over the past few days you may have spotted headlines in the press that appear to claim the UK has two weeks to save itself from a massive cyber attack. You may be asking: what is this threat, and what is the University doing about it? Excellent questions, but let’s start from the beginning.

On the 2nd of June the UK National Crime Agency announced that it had, as part of an international collaboration, disrupted the Gameover Zeus botnet (aka GOZeus or P2PZeus), hindering the ability of infected machines to communicate with one another or the criminals behind the botnet.

What is Gameover Zeus?

Gameover Zeus is malware that allows criminals to completely control an infected computer. It’s typically used to steal online banking credentials and has also been used to spread Cryptolocker ransomware.

Once a computer is infected (usually via a malicious email attachment or by visiting a website that drops malware) it will attempt to join a peer-to-peer network of other compromised machines, becoming a bot in the botnet.

Instructions from the botherders (criminals who run the botnet) are passed to the bots via the P2P network, effectively masking the location of the command and control (C&C) infrastructure. Stolen information is passed back from the bots in the same way. This greatly frustrates any attempt to shut down the botnet: take out one C&C server and another will spring up and join the network.

Instructions from the botherders are cryptographically signed. Otherwise it would be possible to impersonate a C&C server and send out an instruction to have the malware deactivate itself. That would be nice, but life’s not that easy.

Simplified diagram of the Gameover Zeus botnet
Clipart courtesy of

What happens in two weeks' time?

Details are scarce as to exactly how the takeover has been achieved and the NCA cautions that the bad guys are likely to regain control soon. However, they estimate that we have a grace period of approximately two weeks before the Gameover botnet comes back into use.

The NCA is encouraging everyone to use this time to eradicate existing Gameover Zeus infections and also to ensure their machines are as resilient as possible.

Once the criminals regain control, they may make a concerted effort to infect more machines. They may also seek to update their malware to prevent this happening again; without more details about the takedown it is difficult to guess.

What is the University doing about this?

OxCERT have been tackling Zeus malware in its various forms since approximately 2008 and we will be looking into what we can do to detect even more infections in the future.

We welcome the increased attention on Zeus, which is – and always has been – a serious problem. However, we are unlikely to be in a much worse situation in two weeks' time than we were before the takedown.

For now our advice remains the same: ensure you use supported operating systems and software (and keep them up to date). Install an appropriate anti-virus and, again, keep it up to date. Most importantly of all, remain vigilant; particularly beware of unsolicited emails with attachments or web links.

Also bear in mind that unscrupulous individuals may seek to take advantage of the public anxiety surrounding Zeus. If you receive a notification that you are infected please take a moment to verify the source of the information.

Jim Linwood

To Summarise 

Zeus is a serious global problem and we’re pleased to see an international effort to tackle it. But in the meantime, stay safe and don’t panic.
