The Shadowserver Foundation

Gameover Zeus

On Monday June 2nd 2014, the US Department of Justice announced an ongoing operation to take down the infamous Gameover Zeus and CryptoLocker cybercriminal botnet infrastructures. “Operation Tovar” is a joint effort between international law enforcement agencies, such as the FBI, UK NCA and Europol/EC3, plus multiple private partners. The actual botnet takeover occurred on Friday May 30th 2014 and is still ongoing as an active operation. The Shadowserver Foundation has participated by providing operational infrastructure and gathering data on infected clients for the purposes of victim notification and remediation.

A full description and history of Gameover Zeus can be found on our blog.

You can obtain free nightly reports for your networks by signing up for them here.

Am I infected?

You can check to see if you are infected with Gameover Zeus by looking at: https://goz.shadowserver.org/gozcheck/.

Statistics

The statistics shown below are a combined total of the unique IPs that were seen connecting to the Gameover Zeus infrastructure via:

  1. P2P layer (peer) communications.
  2. HTTP proxy communications.
  3. Fallback DGA (domain generation algorithm) communications.

If you would like daily statistics please take a look at: https://goz.shadowserver.org/stats/.


Unique Gameover Zeus IPs (DGA+Peer+Proxy)

If you would like to see more regions click here

Unique Gameover Zeus IPs (DGA only)

If you would like to see more regions click here

Unique Gameover Zeus IPs (Peer only)

If you would like to see more regions click here

Unique Gameover Zeus IPs (Proxy only)

If you would like to see more regions click here

Unique Gameover Zeus IPs (DGA+Peer+Proxy)

Unique Gameover Zeus IPs (DGA only)

Unique Gameover Zeus IPs (Peer Only)

Unique Gameover Zeus IPs (Proxy only)


All Gameover Zeus Connections (DGA+Peer+Proxy)

All Gameover Zeus Connections (DGA only)

All Gameover Zeus Connections (Peer only)

All Gameover Zeus Connections (Proxy only)



The Shadowserver Foundation is a non-profit organization that provides infection notification and remediation information for many types of computer security threats. If you are a hosting provider, internet provider or a CERT with a constituency you can sign up to receive free nightly reports on your networks.

Copyright © 2014 · All Rights Reserved · The Shadowserver Foundation