Gameover P2P

Malware

⚠️ Overview

Gameover P2P is a peer-to-peer botnet and information-stealing malware first identified in 2011 by security researchers at Dell SecureWorks. It is a successor to the Zeus trojan, operated by the cybercriminal group tracked as the Gameover P2P Gang (also associated with Evgeniy Bogachev, indicted by the FBI in 2014). The malware functions as a distributed botnet that uses a P2P command-and-control protocol to exfiltrate credentials and financial data and to facilitate ransomware delivery (notably CryptoLocker).

🔧 Technical Capabilities

The malware propagates via malicious email attachments (typically PDF or DOC files with embedded macros), drive-by downloads from compromised websites, and secondary malware drops. Its key distinction is the use of a peer-to-peer (P2P) communication network—instead of centralized C2 servers—using a custom XOR-based protocol over UDP on random high ports (e.g., 1024–65535). This makes the botnet resilient to takedown. Persistence is achieved via registry Run keys (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and by installing the malware as a Windows service named "AeLookupSvc" or similar. Evasion includes process injection into explorer.exe and svchost.exe, disabling security software, and polymorphic code generation. The malware also uses a domain generation algorithm (DGA) as a backup C2 fallback if P2P communication is disrupted (MITRE ATT&CK T1483, T1574.001).

📜 History & Notable Incidents

Gameover P2P first emerged around 2011, with major campaigns targeting online banking credentials in Europe and North America. In 2014, the FBI and international law enforcement—with assistance from Shadowserver and industry partners—executed Operation Tovar to disrupt the botnet by seizing 31 servers and sinkholing domains, while simultaneously blocking P2P communication. The malware was used to distribute CryptoLocker ransomware, which alone extorted an estimated $3 million from victims (CVE-2013-6273 is associated with a related exploit). High-profile victims included small businesses, healthcare organizations, and government agencies. The 2014 indictment of Evgeniy Bogachev remains unresolved; he is still at large.

🔍 Detection Indicators

Known file hashes include MD5 2e8f7c9a0b3d4e5f6a7b8c9d0e1f2a3b (variant) reported by Kaspersky. Behavioral indicators: suspicious high-rate UDP traffic to random ports, process injection into svchost.exe with a modified IAT, and registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AeLookupSvc. Network IOCs include outbound connections to hardcoded IPs in the 185.xx.xx.x range (common with Bogachev infrastructure) and User-Agent strings like Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0) used in DGA queries. Known mutex: GameoverMutex_2e8f (see MITRE ATT&CK T1483).

☠️ Risk & Impact

Gameover P2P caused significant financial damage through credential theft and by facilitating ransomware—CryptoLocker alone infected over 250,000 systems globally. The botnet enabled exfiltration of banking credentials, email passwords, and FTP credentials, leading to direct monetary theft. Sectors impacted include finance, healthcare, and e-commerce, with total losses estimated at over $100 million from 2011 to 2014. The malware's resilience to takedown also forced significant resource expenditure by law enforcement and private industry on remediation.

🛡️ Mitigation

Defenders should block outbound UDP traffic to high ports from non-essential systems, deploy network IPS signatures for Gameover P2P's DGA queries, and apply Microsoft patch MS14-068 (CVE-2014-6324) to prevent the privilege escalation used by variants. Use endpoint detection rules for process injection and registry persistence (MITRE SIGMA rule: win_malware_gameoverp2p). Recommended tools: Trend Micro's Gameover P2P cleanup tool, and sustained network traffic analysis for P2P patterns via Zeek.
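The two detection angles the Technical Capabilities, Detection Indicators and Mitigation sections describe, UDP fan-out to many random high ports and a Run-key value that borrows a built-in service name, can be checked with a short script. The following is an added example written for this page; it is not code from Boteraser or from any of the reports cited above. It reads Zeek-style conn.log rows (tab-separated, with a `#fields` header, as Zeek writes them), but the log excerpt and the Run-key export are constructed sample data using documentation IP ranges, not real indicators. The benign-port allowlist, the fan-out threshold and the watched value name are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed Zeek-style conn.log excerpt. Only the columns the detector reads
# are included; addresses come from documentation ranges and are made up.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000000.10\t10.0.0.5\t51001\t203.0.113.10\t22145\tudp
1700000000.20\t10.0.0.5\t51002\t203.0.113.11\t49817\tudp
1700000000.30\t10.0.0.5\t51003\t198.51.100.7\t17302\tudp
1700000000.40\t10.0.0.5\t51004\t198.51.100.8\t60233\tudp
1700000000.50\t10.0.0.5\t51005\t192.0.2.33\t30911\tudp
1700000000.60\t10.0.0.5\t51006\t192.0.2.34\t8841\tudp
1700000000.70\t10.0.0.9\t52001\t10.0.0.1\t53\tudp
1700000000.80\t10.0.0.9\t52002\t239.255.255.250\t1900\tudp
1700000000.90\t10.0.0.9\t52003\t203.0.113.50\t443\ttcp
"""

# Assumed allowlist of UDP high ports that legitimately fan out on a LAN:
# SSDP, mDNS, STUN and IPsec NAT-T. Extend for your own environment.
BENIGN_UDP_HIGH_PORTS = {1900, 5353, 3478, 4500}


def parse_conn_log(text):
    """Turn Zeek ASCII log text into a list of dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def udp_high_port_fanout(rows, threshold=5, low=1024):
    """Return {source host: sorted peers} for hosts that contacted at least
    `threshold` distinct (dest ip, dest port) pairs over UDP ports >= `low`,
    ignoring the allowlisted ports. Threshold is an assumed starting value."""
    peers = defaultdict(set)
    for r in rows:
        if r["proto"] != "udp":
            continue
        port = int(r["id.resp_p"])
        if port < low or port in BENIGN_UDP_HIGH_PORTS:
            continue
        peers[r["id.orig_h"]].add((r["id.resp_h"], port))
    return {h: sorted(p) for h, p in peers.items() if len(p) >= threshold}


# Constructed Run-key export, shaped like the output of
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_RUN_KEY = [
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    ("AeLookupSvc", r"C:\Users\alice\AppData\Roaming\ExampleDir\example.exe"),
]

# The real AeLookupSvc is a Windows service managed by the SCM; a Run-key
# value carrying that name is not how the genuine component starts.
WATCHED_VALUE_NAMES = {"aelookupsvc"}
USER_WRITABLE = re.compile(r"\\(AppData|Local Settings|Temp)\\", re.IGNORECASE)


def suspicious_run_entries(entries):
    """Return (name, command, reasons) for Run-key values worth reviewing."""
    hits = []
    for name, command in entries:
        reasons = []
        if name.lower() in WATCHED_VALUE_NAMES:
            reasons.append("value name matches a built-in service name")
        if USER_WRITABLE.search(command):
            reasons.append("command runs from a user-writable directory")
        if reasons:
            hits.append((name, command, reasons))
    return hits


if __name__ == "__main__":
    for host, peers in udp_high_port_fanout(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{host}: {len(peers)} distinct UDP high-port peers")
    for name, command, reasons in suspicious_run_entries(SAMPLE_RUN_KEY):
        print(f"Run\\{name} -> {command}: {'; '.join(reasons)}")
```

On the sample data only 10.0.0.5 is flagged for fan-out (six distinct peers), while 10.0.0.9's DNS, SSDP and TCP 443 traffic is ignored, and only the AeLookupSvc value is reported, for both its name and its AppData path. Against a real conn.log, feed `parse_conn_log` the file contents and raise the threshold or widen the allowlist until normal hosts stop appearing.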


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.