Today, federal officials announced new charges against the GameOver Zeus botnet, together with coordinated seizures that appear to have stopped the network cold. GameOver Zeus infected as many as a million Windows computers, harvesting user credentials and executing fradulent wire transfers.
Today's federal complaint named Russia's Evgeniy Mikhailovich Bogachev as mastermind of the network, tracked down with the help of law enforcement agencies across eleven countries.
The FBI's Robert Anderson Jr. said in a statement.
"Gameover Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt. The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the US government."
GameOverZeus would use sophisticated attacks to harvest confidential information once computers were infected. Where a banking site might normally ask for a username and password, the malware could add extra fields for social security number and credit card information, inserted seamlessly into the page's layout. Once the attackers had enough data, they would strike with an unauthorized wire transfer. The federal complaint names four such attacks, ranging from $190,000 stolen from an assisted living facility, all the way up to $7 million stolen from a regional bank in northern Florida. According to the Justice Department, the total damage inflicted by GameOver totals more than $100 million.
The botnet also raised money through Cryptolocker an attack that would encrypt a computer's hard drive, demanding a ransom to unlock the data. For those that didn't pay, data-recovery costs reached as high as $80,000. Researchers say the botnet has been operational since October of 2011, but used a complex P2P mechanism to cover its tracks, making it difficult to track down before now. Strong encryption also disguised the location of the master servers. US assistant attorney general Leslie Caldwell said in a statement to the press.
"These schemes were highly sophisticated and immensely lucrative. The cyber criminals did not make them easy to reach or disrupt."
COMMENTARY: GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. It’s predominately spread through spam e-mail or phishing messages.
Unbeknownst to their rightful owners, the infected computers become part of a global network of compromised computers known as a botnet—a powerful online tool that cyber criminals can use for their own nefarious purposes. In the case of GameOver Zeus, its primary purpose is to capture banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. Losses attributable to GameOver Zeus are estimated to be more than $100 million.
Unlike earlier Zeus variants, GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin, which means that instructions to the infected computers can come from any of the infected computers, making a takedown of the botnet more difficult. But not impossible.
Officials announced that in addition to the criminal charges in the case, the U.S. obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to sever communications between the infected computers, re-directing these computers away from criminal servers to substitute servers under the government’s control.
The orders authorize the FBI to identity the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams (CERTs) around the world, as well as to Internet service providers and other private sector parties who are able to assist victims in removing GameOver Zeus from their computers.
Important note: No contents of victim communications are captured or accessible in the disruption process.
The GameOver Zeus investigation, according to U.S. Deputy Attorney General James Cole, combined “traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.”
In a related action announced today, U.S. and foreign law enforcement officials seized Cryptolockercommand and control servers. Cryptolocker is a type of ransomware that locks victims’ computer files and demands a fee in return for unlocking them. Computers infected with Cryptolocker are often also infected with GameOver Zeus.
Evgeniy Bogachev, added to the FBI’s Cyber’s Most Wanted list, was identified in court documents as the leader of a gang of cyber criminals based in Russia and the Ukraine responsible for the development and operation of both the GameOver Zeus and Cryptolocker schemes.
The actions to take down GameOver Zeus were truly collaborative. FBI Executive Assistant Director Robert Anderson said.
“GameOver Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt. The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government.”
Courtesy of an article dated June 2, 2014 appearing in The Verge