The GOZ Virus Marches On In Japan

A recent call from the US to Japan about GameOver Zeus (GOZ), a globally widespread computer virus, has helped the Japanese authorities mount a rearguard action. The latest challenge for cybersecurity experts, GOZ has already taken a huge fortune from a number of global banks. The United States, for its part, is leading the international campaign against GOZ.



Believed to have originated in September 2011, GOZ is now extensively used by cyber attackers to intercept online banking transactions. The virus was recently updated, which further complicated its removal from infected systems.

GOZ works with a simple yet effective technique. Instead of taking the customer to the authorized webpage of the bank concerned, it redirects them to a forged page that looks exactly the same; before they know it, their IDs and passwords are submitted to the attackers. This technique has already been used to steal more than $100 million from customers.

It doesn't end there. Once infected by GOZ, the machine is controlled by the attackers and absorbed into the GOZ botnet. This botnet distributes and installs CryptoLocker on computers, jamming the machines and allowing the attackers to demand a payoff in exchange for unlocking them.

The FBI defines GOZ as an “extremely sophisticated type of malware”. Its complex architecture makes it extremely difficult to track the infected machines.

Snifula Trojan

GOZ is not the only threat facing Japan. The Symantec Security Response team stationed in Japan has come across a Snifula Trojan variant that has already affected over 30 financial institutions in the country.

First coming into the limelight in 2006, this malware uses the MITB (Man In The Browser) technique to take over an individual’s financial accounts.

A further study by Symantec revealed that the malware is most severe in the UK, which accounts for 24 percent of the malware's victims. Germany and Japan come next in the list with a share of 20 percent. The report further highlights that as many as 20 sites belonging to credit card companies in Japan and 17 sites belonging to banking services are listed in the malware's configuration file.

With preparations for the Tokyo Olympics in full swing, the Japanese government is trying hard to strengthen its cybersecurity to avoid any embarrassing situation in 2020.

Fighting Together

While the FBI has initiated a number of anti-malware operations in the past, Japan doesn't have any such experience. Estimating that Japan's infected sites account for 20 percent of globally infected systems, the US agencies got in touch with the National Police Agency in Japan to initiate joint efforts against the malware.



The Japanese agency was unaware of this malware until notified by the United States. It remains unsure about the reason behind the malware outbreak in Japan. One reason could be the presence of a large number of online banking customers. Another possible reason could be the availability of sophisticated translation software, which enables Japanese people to easily access English spam messages that infect their machines.

A number of international agencies, including the UK National Crime Agency, are working hand in hand to counter the threats posed by the CryptoLocker ransomware network and GOZ. While GOZ intercepts online financial transactions to siphon off money, CryptoLocker locks critical files on the infected machine and unlocks them only if a ransom is paid.

According to the FBI, the following symptoms are found on infected computers.

• Slowing down of the computer
• Variable movement of cursor without any input
• Unauthorized financial transactions and logins
• Abrupt appearance of a chat window on the desktop
• Locked up files and demands for ransom to unlock them

Experts are trying to find a way to detect whether a computer has been infected with malware, so that the user may be able to back up important data before it freezes. Although the operation began on May 30 and the IP addresses of the affected computers were handed over by late June, it was only on July 18 that the government could come up with an approach to notify the victims.

One of the major reasons behind this delay, as cited by an Internet service provider, is the large number (155,000) of GOZ-infected PCs.

An official from the National Police Agency was critical of this and pointed out that the slow approach would probably worsen the problem.

Japan intends to lead the pack in Asia when it comes to cybersecurity initiatives. The recent outbreak and handling of the GOZ attacks only underline the significance of international cooperation when it comes to cyber attacks. Efficient and strong cybersecurity is a prerequisite for a sound financial economy.