The US Department of Justice and the FBI have announced a multinational effort that includes Europol and the UK’s National Crime Agency, that has managed to disrupt the GameOver Zeus botnet, believed to be responsible for a raft of financial compromises in the US and around the world. Losses attributable to GameOver Zeus are estimated to be more than $100 million, the FBI said.
It’s the most concerted effort between law enforcement and security companies to target command-and-control operations for a cyber-threat since the Confiker worm in 2009. However, its effects are likely temporary.
GameOver Zeus is known for distributing a variety of malicious payloads, including the notorious CryptoLocker ransomware. So in a related action, US and foreign law enforcement officials also seized CryptoLocker command-and-control servers.
Meanwhile, the Feds filed criminal charges in Pittsburgh and Omaha against alleged botnet administrator Evgeniy Mikhailovich Bogachev of Anapa in the Russian Federation. A member of the FBI’s Cyber’s Most Wanted list, he was identified in court documents as the leader of a gang of cybercriminals based in Russia and Ukraine responsible for the development and operation of both the GameOver Zeus and CryptoLocker schemes. The 30-year-old remains at large.
“GameOver Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” said FBI Executive Assistant Director Robert Anderson in announcing the campaign. “The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement and within the US government.”
Rik Ferguson, global vice president of security research at Trend Micro, echoed the sentiment. “This synchronized unprecedented collaboration between law enforcement, ISPs and the security industry sets a new standard for that which is possible in the name of internet security,” he said, in an email to Infosecurity.
However, he noted that it will be an ongoing fight. “The ultimate goal of the activity is to prevent infected computers from communicating with one another, significantly weakening the criminal infrastructure,” he said. “While this blow is effective, it is not permanent and we expect the malicious networks to return to their former strength within a week, if not days.”
The NCA is a bit more bullish, telling the UK public that it now has a unique, two-week opportunity to rid and safeguard themselves from GameOver Zeus and CryptoLocker.
“Members of the public can protect themselves by making sure security software is installed and updated, by running scans and checking that computer operating systems and applications are up to date… action taken now to strengthen online safety can be particularly effective,” it said in an announcement. NCA estimates that more than 15,500 computers in the UK are currently infected, with many more potentially at risk.
The GameOver Zeus investigation, according to US Deputy Attorney General James Cole, combined “traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber-schemes targeting our citizens and businesses.”
For instance, in addition to the criminal charges in the case, the US has obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to sever communications between the infected computers, re-directing these computers away from criminal servers to substitute servers under the government’s control in a sinkhole effort.
The orders authorize the FBI to identity the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to CERTs around the world, as well as to ISPs and other private-sector parties who are able to assist victims in removing GameOver Zeus from their machines.
GameOver Zeus is a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware, which was identified in September 2011. It’s often propagated through spam and phishing messages, and is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. The criminals then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the threat actors.
Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.
According to a new US-CERT warning, it uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control – and so will require a coordinated and wide-ranging effort in order to thwart its operations.
“Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands,” it explained. “Centralized C2 servers are routinely tracked and blocked by the security community. But because GameOver utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection, it doesn’t have a single point of failure…and makes takedown efforts more difficult.”
Ferguson echoed the NCA in noting that victims and potential victims should make use of this window of opportunity, where the criminals have been weakened, to bring their systems fully up-to-date with patches from operating system manufacturers.
“A truly global operation, this has seen coordinated activities aimed at taking over elements of the command & control infrastructure used to spread these pernicious malware families, but we cannot achieve this goal alone, every computer user has their own role to play,” he said.