6/2/2014
04:15 PM
Global Effort Disrupts GOZeuS Botnet, CryptoLocker; One Indicted

An international public-private collaboration involving security companies and law enforcement agencies in 11 countries aims to disrupt the underlying infrastructure of the cybercrime industry.

The US Department of Justice announced global collaborations today to disrupt the operations of the GameoverZeuS (a.k.a. GOZeuS, a.k.a. P2PZeuS) botnet -- responsible for hundreds of millions of dollars in bank theft and financial fraud -- and users of the CryptoLocker ransomware, which is often used in tandem with GOZeuS. It also announced a 14-charge indictment of a Russian man alleged to be an administrator of both GOZeuS and CryptoLocker.

The effort, dubbed Operation Tovar, is significant for two reasons: because it is an international public-private collaboration involving security companies and law enforcement agencies in 11 countries and because it aims to disrupt the underlying infrastructure of the cybercrime industry.

The goal of Operation Tovar is to disrupt the botnet's operations by:

  • Redirecting the traffic from the bots so they can't report back to C&C servers
  • Obtaining the IP addresses of the infected machines
  • Sharing those addresses to help national CERTs and private industry to assist victims in removing the GOZeuS malware from their computers

Authorities estimate they can disrupt the botnet for a week or two, giving users the chance to oust the malware. This is an exciting achievement, since GOZeuS has been a very dynamic botnet; if one C&C server went down, it simply used another to talk to its bots. Its use of peer-to-peer technology makes it more resilient than earlier versions of ZeuS.

"Gameover ZeuS is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," FBI Executive Assistant Director Robert Anderson said during a press conference today.

GOZeuS has been one of the banes of the financial services industry's existence since about September 2011. It is responsible for many millions of dollars in bank heists and financial fraud, though the exact figure is up for debate. The FBI estimates that GOZeuS is responsible for more than $100 million in losses; the UK's National Crime Agency says GOZeuS is responsible for stealing "hundreds of millions of pounds" around the world.

As for CryptoLocker, the FBI estimates that $27 million in ransom payments were made in just the first two months after it emerged in September 2013. Like other ransomware, CryptoLocker encrypts victims' data and holds it hostage until the victim pays for its release, but it is extra special because it encrypts the data with two different kinds of encryption. Authorities say that many users of GOZeuS also deployed CryptoLocker as a backup measure -- a way to make a buck off their bot if, for some reason, the intended fraud didn't work.

"The beauty of the [GOZeuS] tool is you don't really know you're infected," says F-Secure senior researcher Timo Hirvonen. It uses a man-in-the-browser attack, so it has access to everything you do when you're banking online. If you're making an account transfer, for example, it can change how much money you transfer and where you send it, and it can hide the fact that it's done so.

Tom Kellerman, chief security officer of the cybersecurity company Trend Micro, says GOZeuS also gives the botmaster root access over the victims' machines. So simply changing passwords doesn't matter, because the malware simply exfiltrates the new passwords. That's why taking this C&C downtime to eject the software from endpoints altogether is so important.

"We have to be effective in the next eight days," says Kellerman. "The problem is that now the news has gone public, [and the attackers are] aware."

If victims do not purge their machines of the bot code now, then once the botherders recover and get up and running again, they could simply use their root access to install something new -- a GOZeuS replacement, if you will -- on the victim machines. In the meantime, Hirvonen says, the people running the botnet (if they haven't been arrested already) are probably trying to set up new servers and update the configuration to keep the botnet going, or they're laying low to avoid arrest.

The alleged botnet administrator charged today is Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation -- said to also operate under the names "Slavik," "Pollingsoon," and "Lucky12345." Bogachev was charged with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the GameoverZeuS botnet. He was charged with other offenses related to his roles in CryptoLocker and earlier versions of ZeuS.

In comparison to the BlackShades sting two weeks ago, which netted more than 90 arrests, this one arrest seems rather small. Yet that's because, though BlackShades was a malware toolkit sold on the cheap to thousands of amateurs, GOZeuS and CryptoLocker are only for the big boys, who use the tools themselves, instead of making a buck from selling them.

However, stopping one man or even 90 is nothing compared to stopping the gears that power the entire cybercrime black market.

Operation Tovar is taking a whack at what Kellerman calls "the Sixth Estate" -- the shadow economy that feeds the cybercrime industry. He described it in a blog post Friday:

The virtual arms bazaar is singularly responsible for the proliferation of cyber attack capabilities and the corresponding money laundering and bulletproof hosting for the most nefarious cybercriminals. When combating the most significant cyber crews/arms merchants in cyberspace, we must accept the reality of their infrastructure... The hacker's virtual supply chain consists of three services: provision of hacker services/toolkits; the anonymous payment systems; and the bullet-proof hosts.

"We're putting pressure on their money," Kellerman tells us. "To take down the infrastructure would be essentially a tipping point in the game. It's a step towards taking back the streets."

He says that this operation is a step in the right direction, but there is still much more to do. The government has to go after the entire underground digital payment processing system with proactive legislation, including modernizing money laundering laws to cover cyber-related financial fraud, freezing cyber criminals' black market accounts, and forfeiting their assets.

Nevertheless, Kellerman and Hirvonen both applaud today's announcements.

"This is a great signal of the public-private partnership of going after the untouchables of cybercrime," says Kellerman.

"I hope it also sends a strong message to the bad guys," says Hirvonen. "You can use your peer-to-peer networks, but it doesn't make you immune. We can still go after you."

Deputy Attorney General James M. Cole said at today's press conference:

This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data. We succeeded in disabling GameoverZeuS and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.

Victims of GOZeuS may visit US-CERT for assistance in removing the malware, here: https://www.us-cert.gov/gameoverzeus.

Trend Micro is also offering a free tool to scan your system for these threats and remove them. Those are available for download here (for 32-bit systems) and here (for 64-bit systems).

Sara Peters is contributing editor to Dark Reading and editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other ...

Comments
dnlongen, User Rank: Apprentice
6/4/2014 | 12:58:50 PM
Great news, but what's next?
Great summary of events. It will be interesting to see if any lasting relief comes of this operation. I'd like to be optimistic, but I think it more likely the actors behind this will just push persistence one step farther. We break C&C, they add P2P C&C. We break P2P C&C, I'll bet we see redundant P2P C&C networks next.

I wrote a different angle on this story at http://dnlongen.blogspot.com/2014/06/GameoverZeuS.html, giving tips on reducing the damage such malware can inflict. Prevention is ideal, but if prevention worked every time we wouldn't see stories such as this.
securityaffairs, User Rank: Ninja
6/3/2014 | 5:36:38 PM
Re: Great job
I hope so. It is the unique way to combat cybercrime. Cyberspace has no boundaries; that's why a joint effort and a shared law framework are essential.

Regards

PL
Sara Peters, User Rank: Author
6/3/2014 | 5:14:37 PM
Re: Great job
@securityaffairs  I agree. It does seem that law enforcement agencies are doing more international collaboration, and it seems to be paying dividends. Do you think that everyone's buying into that idea, and it will become the norm going forward? Or not?
securityaffairs, User Rank: Ninja
6/3/2014 | 3:31:25 PM
Great job
Cybercriminal organizations are becoming even more difficult to contrast; this operation must be a case study for further operations, a perfect example of international effort against illicit activities.

Great Job