GOZ – Is it game over, Zeus?
Overview
Detection
GOZ’s communication is encrypted and uses various ports over UDP and TCP. Yet, by using heuristic network signatures to identify the protocol, the Check Point Anti-Bot Software Blade can detect GOZ, and prevent potential attacks by stopping the communication between the infected device and the C&C servers. In addition, the combination of activities that GOZ generates is identified by Check Point Emulation Services as malicious behavior.
So, is it game over?
Check Point has been tracking the presence of GOZ since mid-2013 – to prevent infections and alert security administrators of infected devices.
The image below represents the number of infected devices worldwide, as reported by Check Point Security Gateways that use the Anti-Bot Software Blade to detect and prevent bot communications. As seen, the number of devices infected by GOZ is increasing steadily over time.
Zeus has managed to keep evolving, producing new variants over the course of time, and has only been defeated by certain combinations of security solutions, which leads us to believe that Zeus is here to stay.
Protecting your organization from this type of attack
All Organizations
- Educate users to be alert to unusual attachments or suspicious links. Malware often propagates via phishing campaigns, in which the recipient receives an email with a malicious file or link to a page containing browser-based exploits.
- Ensure that all available OS and application patches are installed, as GOZ and many other malware families initially install themselves on a computer by exploiting a known vulnerability in the operating system or in common applications such as Microsoft Word or Adobe Reader.
- Perform regular backups of all critical data and store them offline to prevent attackers from mapping and also infecting external drives.
Check Point Customers
- Customers who have enabled the Anti-Bot and Antivirus Blades on their Check Point gateways automatically receive updated detections for GOZ through ThreatCloud. Check Point’s Threat Emulation Service protects against GOZ by running the file in a sandbox and classifying it as malware.
Non-Check Point Customers
- Monitor for domains and communication patterns that are used by the GOZ agent. Your antivirus or gateway security vendor should provide you with a list of communication patterns, as well as a way to obtain an updated list of addresses and communication patterns to block.
Appendix 1: Network Analysis
The figure below shows a typical UDP session initiated by a machine infected with GOZ with a fellow peer.

The next figure shows that dozens of such UDP sessions are created per minute from an infected machine. Because most of the peers in the GOZ botnet are themselves infected machines that may have been cleaned in the meantime, some of the peers will not send back a response.

If a proper response is received, the bot starts to communicate with its fellow peers over TCP as well, as shown in the figure below.

The next figure shows that, similar to the UDP sessions shown above, dozens of such TCP sessions are made per minute from an infected machine once at least one peer has responded to a UDP request.
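The traffic pattern described in this appendix (a burst of UDP probes to dozens of distinct peers on high ports within a minute, followed by TCP sessions to the peers that answered) is exactly the kind of behaviour a heuristic network signature can key on without decrypting the payload. The script below is an added example written for this post; it is not Check Point's signature logic. It runs over a constructed flow log (the hosts, peer addresses, ports and the 24-peers-per-minute threshold are all assumptions chosen for illustration) and flags any internal host showing the fan-out, raising the severity when TCP follow-ups to UDP responders are also seen.

```python
"""Heuristic detection of GOZ-style peer-to-peer beaconing in flow records.

Added example (not part of the original post). Input is a list of flow
records as a NetFlow-style collector or a firewall log would produce them;
the sample below is constructed, not captured traffic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime      # session start time
    src: str          # internal host that initiated the session
    dst: str          # peer that was contacted
    proto: str        # "UDP" or "TCP"
    dport: int        # destination port
    replied: bool     # did the peer send anything back?


UDP_FANOUT_THRESHOLD = 24   # "dozens" of distinct peers per minute (assumed threshold)
WINDOW = timedelta(minutes=1)
HIGH_PORT = 1024            # peers are contacted on high, non-service ports


def build_sample_flows() -> List[Flow]:
    """Constructed flow log: one beaconing host (10.0.0.5) and one clean host (10.0.0.7)."""
    t0 = datetime(2014, 6, 1, 12, 0, 0)
    flows: List[Flow] = []
    # Infected host: 30 UDP probes to 30 distinct peers within one minute, 6 of them answered.
    for i in range(30):
        peer = f"203.0.113.{i + 1}"
        flows.append(Flow(t0 + timedelta(seconds=2 * i), "10.0.0.5", peer, "UDP", 20000 + i, i % 5 == 0))
    # Once peers have answered, TCP sessions are opened to some of the responders.
    for i in (0, 5, 10):
        peer = f"203.0.113.{i + 1}"
        flows.append(Flow(t0 + timedelta(seconds=70 + i), "10.0.0.5", peer, "TCP", 20000 + i, True))
    # Clean host: a handful of DNS lookups and HTTPS connections.
    for i in range(5):
        flows.append(Flow(t0 + timedelta(seconds=10 * i), "10.0.0.7", "192.0.2.53", "UDP", 53, True))
    for i in range(3):
        flows.append(Flow(t0 + timedelta(seconds=10 * i), "10.0.0.7", f"198.51.100.{i + 1}", "TCP", 443, True))
    return flows


def detect_p2p_beaconing(flows: List[Flow]) -> Dict[str, dict]:
    """Return, for each suspicious source host, the evidence that triggered the alert."""
    by_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    findings: Dict[str, dict] = {}
    for src, host_flows in by_src.items():
        host_flows.sort(key=lambda f: f.ts)
        # Only UDP to high ports counts: DNS, NTP and similar service traffic is ignored.
        udp = [f for f in host_flows if f.proto == "UDP" and f.dport >= HIGH_PORT]

        # Slide a one-minute window over the probes and keep the busiest window's peer set.
        best_peers: set = set()
        for idx, start in enumerate(udp):
            peers = {f.dst for f in udp[idx:] if f.ts - start.ts < WINDOW}
            if len(peers) > len(best_peers):
                best_peers = peers
        if len(best_peers) < UDP_FANOUT_THRESHOLD:
            continue

        # Peers that answered the UDP probe, and TCP sessions opened to any of them afterwards.
        responders = {f.dst for f in udp if f.replied}
        tcp_followups = sorted({f.dst for f in host_flows if f.proto == "TCP" and f.dst in responders})
        findings[src] = {
            "distinct_udp_peers_per_minute": len(best_peers),
            "udp_responders": len(responders),
            "tcp_followups": tcp_followups,
            "severity": "high" if tcp_followups else "medium",
        }
    return findings


if __name__ == "__main__":
    for host, evidence in detect_p2p_beaconing(build_sample_flows()).items():
        print(host, evidence)
```

The high-port filter is what keeps ordinary fan-out such as DNS from tripping the rule; tune UDP_FANOUT_THRESHOLD against a baseline of your own network, and treat a "medium" finding (fan-out without TCP follow-ups) as a host whose probes are going unanswered, which is still worth a look.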
Appendix 2: GOZ Sandboxing Analysis
The GOZ samples we tested display several behaviors characteristic of malware, including affecting other processes on the infected machine, creating suspicious files and changing registry values. The following figure shows the emulation report for a GOZ sample.