GOZ – Is it game over, Zeus?


Zeus is a highly sophisticated family of Trojans that seeks to steal banking information and accounts from victims. Zeus targets popular operating systems such as Windows and Android and is usually distributed to end-users through social engineering tactics such drive-by downloads and phishing emails. Although Zeus was discovered back in 2007, it remains popular by introducing new variants to the market via Trojan-building toolkits that can be easily purchased online. One Zeus variant, known as Gameover Zeus (or GOZ) gained further popularity by its ability to distribute the Cryptolocker ransomware (See: Defeating Cryptolocker with ThreatCloud and Gateway Threat Prevention). GOZ differentiates itself from other Zeus variants as it uses an encrypted peer-to-peer communication between the infected device and its C&C server, making its communication resilient and stable.


GOZ’s communication is encrypted and uses various ports over UDP and TCP. Yet, by using heuristic network signatures to identify the protocol, the Check Point Anti-Bot Software Blade can detect GOZ, and prevent potential attacks by stopping the communication between the infected device and the C&C servers. In addition, the combination of activities that GOZ generates is identified by Check Point Emulation Services as malicious behavior.

So, is it game over?

Check Point has been tracking the presence of GOZ since mid-2013 – to prevent infections and alert security administrators of infected devices.

The image below represents the number of infected devices worldwide, as reported by Check Point Security Gateways that use the Anti-Bot Software Blade to detect and prevent bot communications. As seen, the number of devices infected by GOZ is increasing steadily over time.


Zeus has managed to keep evolving, produced new variants over the course of time, and has only been defeated by certain combinations of security solutions which leads us to believe that Zeus is here to stay.

Protecting your organization from this type of attack

All Organizations

  • Educate users to be alert to unusual attachments or suspicious links. Malware often propagates via phishing campaigns, in which the recipient receives an email with a malicious file or link to a page containing browser-based exploits.
  • Ensure that all available OS and application patches are installed, as GOZ and many other malware initially install themselves on a computer by exploiting a known vulnerability in the operating system or common applications such as Microsoft Word or Adobe Reader.
  • Perform regular backups of all critical data and store them offline to prevent attackers from mapping and also infecting external drives.

Check Point Customers

  • Customers who have enabled the Anti-Bot and Antivirus Blades on their Check Point gateways automatically receive updated detections for GOZ through ThreatCloud. Check Point’s Threat Emulation Service protects from GOZ running the file in a sandbox and classifying it as malware.

Non-Check Point Customers 

  • Monitor for domains and communication patterns that are used by the GOZ agent. Your antivirus or gateway security vendor should provide you with a list communication patterns, as well as a way to obtain updated list of addresses and communication patterns to block.

Appendix 1: Network Analysis

The figure below shows a typical UDP session initiated by a machine infected with GOZ with a fellow peer: Graphic-TCC-GOZ_Appendix 1 The next figure shows that dozens of such UDP session are created per minute from an infected machine. Graphic-threatcloudcentral-GOZ_Appendix_2 Because most of the peers in the GOZ botnets are infected machines that may have been cured after a while, some of the peers will not send back a response. If a proper response was received, the bot starts to communicate with his fellow peers on TCP as well, as shown in the figure below. Graphic-ThreatCloudCentral-GOZ_Appendix_3 The next figure shows that similar to the UDP sessions shown above, dozens of such TCP sessions are made per minute from an infected machine as well after at least one peer responded to a UDP request. Graphic-TCC-GOZ_Appendix_4

Appendix 2: GOZ Sandboxing Analysis

The GOZ samples we have tested display several behaviors that are characteristic to malwares including affecting other processes on the infected machine, creating suspicious files and changing registry values. The following figure shows the emulation report on a sample of GOZ.