{
	"id": "007a3a19-7641-4e97-a080-b5dc11291c1a",
	"created_at": "2026-04-06T00:19:09.210054Z",
	"updated_at": "2026-04-10T03:21:17.896388Z",
	"deleted_at": null,
	"sha1_hash": "e7ac6cd4712c4483d9664762d49aea86ac51132d",
	"title": "GameOver Zeus P2P Malware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66320,
	"plain_text": "GameOver Zeus P2P Malware | CISA\r\nPublished: 2016-09-30 · Archived: 2026-04-05 20:12:54 UTC\r\nSystems Affected\r\nMicrosoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8\r\nMicrosoft Server 2003, Server 2008, Server 2008 R2, and Server 2012\r\nOverview\r\nGameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware\r\nidentified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers\r\nand web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in\r\ncollaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this\r\nTechnical Alert to provide further information about the GameOver Zeus botnet.\r\nGOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to\r\nharvest banking information, such as login credentials, from a victim’s computer. [2] Infected systems can also be\r\nused to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service\r\n(DDoS) attacks. \r\nPrior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to\r\nexecute commands. Centralized C2 servers are routinely tracked and blocked by the security community. [1]\r\nGOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs\r\nencryption to evade detection. These peers act as a massive proxy network that is used to propagate binary\r\nupdates, distribute configuration files, and to send stolen data. [3] Without a single point of failure, the resiliency\r\nof GOZ’s P2P infrastructure makes takedown efforts more difficult. [1]\r\nImpact\r\nA system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users'\r\ncredentials for online services, including banking services.\r\nSolution\r\nUsers are recommended to take the following actions to remediate GOZ infections:\r\nUse and maintain anti-virus software - Anti-virus software recognizes and protects your computer against\r\nmost known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).\r\nChange your passwords - Your original passwords may have been compromised during the infection, so\r\nyou should change them (see Choosing and Protecting Passwords for more information).\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-150A\r\nPage 1 of 3\n\nKeep your operating system and application software up-to-date - Install software patches so that attackers\r\ncan't take advantage of known problems or vulnerabilities. Many operating systems offer automatic\r\nupdates. If this option is available, you should enable it (see Understanding Patches for more information).\r\nUse anti-malware tools - Using a legitimate program that identifies and removes malware can help\r\neliminate an infection. Users can consider employing a remediation tool (examples below) that will help\r\nwith the removal of GOZ from your system.\r\nF-Secure       \r\nhttps://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8) \r\nhttps://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)\r\nHeimdal\r\nhttp://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)   \r\nMcAfee\r\nwww.mcafee.com/stinger  (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)\r\nMicrosoft\r\nhttps://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7,\r\nWindows Vista, and Windows XP) \r\nSophos\r\nhttps://www.sophos.com/VirusRemoval (Windows XP (SP2) and above) \r\nSymantec\r\nhttps://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network\r\n (Windows XP, Windows Vista and Windows 7)\r\nTrend Micro\r\nhttps://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1,\r\nWindows Server 2003, Windows Server 2008, and Windows Server 2008 R2)\r\nFireEye and Fox-IT\r\nwww.decryptcryptolocker.com\r\nFireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-150A\r\nPage 2 of 3\n\ndetermination of suitability for their needs. At present, US-CERT is not aware of any other product that claims\r\nsimilar functionality.\r\nThe above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or\r\nsupport any particular product or vendor.\r\nGOZ has been associated with the CryptoLocker malware. For more information on this malware, please\r\nvisit the CryptoLocker Ransomware Infections page.been associated with the Cryptolocker malware, for\r\nmore information on  that malware, please visit https://www.us-cert.gov/ncas/alerts/TA13-309A.\r\nReferences\r\n[1] Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus\r\n[3] The Lifecycle of Peer-to-Peer (Gameover) ZeuS\r\nRevisions\r\nInitial Publication - June 2, 2014|Added McAfee - June 6, 2014|Added FireEye and Fox-IT web portal to\r\nSolutions section - August 15, 2014\r\nSource: https://www.us-cert.gov/ncas/alerts/TA14-150A\r\nhttps://www.us-cert.gov/ncas/alerts/TA14-150A\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA14-150A"
	],
	"report_names": [
		"TA14-150A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7ac6cd4712c4483d9664762d49aea86ac51132d.pdf",
		"text": "https://archive.orkl.eu/e7ac6cd4712c4483d9664762d49aea86ac51132d.txt",
		"img": "https://archive.orkl.eu/e7ac6cd4712c4483d9664762d49aea86ac51132d.jpg"
	}
}