Cyber Security Blog

GameOver Zeus P2P Malware: The Bad, The Ugly… and The Solution

October 22nd, 2014 by Menachem Perlman

Spear phishing imageThose who’ve been in the network security field for a while can remember when mainstream media headlines about cyber attacks were the exception, not the norm. How times have changed! Now, it seems that every week the spotlight shines on yet another major malware campaign, such as one involving the now infamous new Gameover Zeus (NGOZ) botnet.

New GameOver Zeus typically spreads through Spear Phishing emails and is designed to steal banking credentials from unsuspecting victims. However, whereas other variants of the Zeus family of malware use a centralized command and control infrastructure, New GameOver Zeus uses a massive peer-to-peer (P2P) network of compromised hosts. This not only enables it to evade detection, but it makes attributing the attack virtually impossible.

p2p communication

However, while New GameOver Zeus is currently making headlines around the world, it’s hardly the first time that hackers have used P2P networks in their attacks. Conficker (a.k.a. Downadup) reared its wormy head in 2008, and the latest variation — Conficker C — exploits P2P networks to increase the speed at which it carries out a variety of insidious activities, which include opening a door for remote access.

So, given that hackers have been using P2P communications for the last few years as a kind of cyber expressway on their victims, it would be reasonable to assume that all current network security tools have the inherent capacity to stop them. Surprisingly however, this isn’t the case.

The fact is that most current network security tools aren’t designed to examine internal network traffic. Instead, they presume that all internal traffic is safe, and as such they focus on inspecting files, or analyzing incoming or outgoing traffic. Still other tools scan for command and control channels based on reputation (i.e. known IP addresses and hosts), or concentrate on sandboxing.

However, as New GameOver Zeus continues to demonstrate that the presumption that all internal traffic is categorically safe is a huge mistake; one that plays right into the hands of hackers, whose only anxiety at this point is likely the disconcerting ease at which their attacks are succeeding (and perhaps the decadent dilemma of not knowing what to do with all of their stolen money).

The reality is that enterprises must treat their internal traffic with the same scrutiny as all other potential threat vectors. And really, scenarios that justify such caution are easy to imagine – even a little mundane. For example, employees who use their personal laptop at work (“BYOD”) go home in the evening and potentially expose their device to all kinds of malware. When they show up the next day and log back into the network, how can enterprises that overlook internal traffic detect such threats?

And on the other extreme, enterprises that attempt to investigate each new BitTorrent packet quickly discover that their ambitious mission is operationally impossible. Without knowing exactly what to look for (i.e. what distinguishes legitimate BitTorrent activity from illicit BitTorrent activity), their exhausted Incident Response teams would be working 24/7/365 – and they still wouldn’t be able to keep up.

The solution here is not for enterprises to neglect internal network traffic (which is perilous) or manually inspect BitTorrent packets (which is impossible). Instead, they need to adopt a “conversation-based” detection approach that:

  • Passively monitors internal traffic using deep packet inspection
  • Profiles the behavior of each user and endpoint in the network
  • For encyrypted traffic, when DPI (Deep Packet Inspection) isn’t possible, then it should be protocol, port and payload-oblivious, and rely on information obtained from TCP/UDP/IP headers
  • Detects subtle behavior deviations of users and endpoints from their past behavior and peers in the organization
  • Accurately categorizes the specific type of P2P application (regular or botnet) running on a host

With this approach, enterprises automatically and continuously detect stealthy P2P botnet traffic within their network – which isn’t just important for keeping hackers away from their invaluable data. As the resurgence of New GameOver Zeus is demonstrating, on today’s threat landscape, it’s flat-out essential.

Learn more about adopting a “conversation-based” detection approach by exploring LightCyber Magna: the first agentless security product that analyzes network and endpoint communications together with traffic and network behaviors, to supply security analysts with actionable intelligence on real breaches.

One Response to “GameOver Zeus P2P Malware: The Bad, The Ugly… and The Solution”

November 03, 2014 at 6:35 am, Pratik said:

The conversation-based detection approach is indeed quite good for such botnets. Interestingly, I recently published two research papers using this approach ( and, but did not know that you guys had a product out on it ! I would be happy to know of success achieved by you guys in deploying such approaches in enterprise networks…


Leave a Reply

Your email address will not be published. Required fields are marked *