Global Effort Disrupts GOZeuS Botnet, CryptoLocker; One Indicted

An international public-private collaboration involving security companies and law enforcement agencies in 11 countries aims to disrupt the underlying infrastructure of the cybercrime industry.

The US Department of Justice today announced a global collaboration to disrupt the operations of the GameoverZeuS (a.k.a. GOZeuS, a.k.a. P2PZeuS) botnet -- responsible for hundreds of millions of dollars in bank theft and financial fraud -- and of the operators of the CryptoLocker ransomware, which is often deployed in tandem with GOZeuS. It also announced a 14-count indictment of a Russian man alleged to be an administrator of both GOZeuS and CryptoLocker.

The effort, dubbed Operation Tovar, is significant for two reasons: because it is an international public-private collaboration involving security companies and law enforcement agencies in 11 countries and because it aims to disrupt the underlying infrastructure of the cybercrime industry.

The goal of Operation Tovar is to disrupt the botnet's operations by:

  • Redirecting the traffic from the bots so they can't report back to C&C servers
  • Obtaining the IP addresses of the infected machines
  • Sharing those addresses to help national CERTs and private industry to assist victims in removing the GOZeuS malware from their computers

Authorities estimate they can keep the botnet disrupted for a week or two, giving victims a window in which to remove the malware. That window is hard-won, because GOZeuS has been a very dynamic botnet: if one C&C server went down, it simply used another to talk to its bots, and because the bots also relay commands and configuration among themselves over a peer-to-peer network, there is no single server whose seizure takes the botnet offline. That makes it far more resilient than earlier, centralized versions of ZeuS, and it is why a disruption has to target the peer network itself, not just a list of servers.
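The second and third steps of the disruption (collect the addresses of bots that reach the sinkhole, then hand them to the right national CERT) are a triage job that every sinkhole operator has to script. The example below is added here to show that job end to end; it is not code from Operation Tovar, the FBI, or any of the vendors quoted, and the log format, the `sampleLog` lines, and the prefix-to-CERT table (`certRoutes`, built from documentation address ranges) are all constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// Constructed sample of a sinkhole connection log. The layout is an assumption
// for this example, not the format Operation Tovar's sinkholes actually used:
//   <RFC3339 timestamp> <source ip:port> <sinkhole host:port> <family>
const sampleLog = `2014-06-02T13:01:05Z 203.0.113.7:51234 sinkhole-a.example.net:7000 gozeus
2014-06-02T13:01:09Z 203.0.113.7:51240 sinkhole-a.example.net:7000 gozeus
2014-06-02T13:02:11Z 198.51.100.42:40001 sinkhole-b.example.net:7000 gozeus
2014-06-02T13:03:30Z 192.0.2.200:3389 sinkhole-a.example.net:7000 cryptolocker
2014-06-02T13:04:02Z [2001:db8::10]:5555 sinkhole-a.example.net:7000 gozeus
this line is garbage and must be counted, not silently dropped
`

// Hypothetical prefix-to-CERT table using documentation ranges only. A real
// notification pipeline would resolve addresses through RIR/ASN data.
type route struct {
	prefix netip.Prefix
	cert   string
}

var certRoutes = []route{
	{netip.MustParsePrefix("203.0.113.0/24"), "CERT-A"},
	{netip.MustParsePrefix("192.0.2.0/24"), "CERT-A"},
	{netip.MustParsePrefix("198.51.100.0/24"), "CERT-B"},
	{netip.MustParsePrefix("2001:db8::/32"), "CERT-C"},
}

// Sighting is one infected address seen talking to the sinkhole.
type Sighting struct {
	IP          netip.Addr
	Family      string
	FirstSeen   time.Time
	LastSeen    time.Time
	Connections int
}

// ParseSinkholeLog dedupes connections per (address, family), keeping first and
// last seen: residential addresses are dynamic and NATed, so the ISP needs the
// timestamp, not just the IP, to find the subscriber. The second return value
// counts unparseable lines so data-quality problems are visible to the operator.
func ParseSinkholeLog(log string) (map[string]*Sighting, int) {
	sightings := map[string]*Sighting{}
	bad := 0
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			bad++
			continue
		}
		ts, errT := time.Parse(time.RFC3339, f[0])
		src, errA := netip.ParseAddrPort(f[1])
		if errT != nil || errA != nil {
			bad++
			continue
		}
		key := src.Addr().String() + "|" + f[3]
		s, ok := sightings[key]
		if !ok {
			s = &Sighting{IP: src.Addr(), Family: f[3], FirstSeen: ts, LastSeen: ts}
			sightings[key] = s
		}
		if ts.Before(s.FirstSeen) {
			s.FirstSeen = ts
		}
		if ts.After(s.LastSeen) {
			s.LastSeen = ts
		}
		s.Connections++
	}
	return sightings, bad
}

// RouteToCERTs buckets sightings by the CERT responsible for the address.
// Addresses matching no prefix go under "UNROUTED" for manual handling.
func RouteToCERTs(sightings map[string]*Sighting) map[string][]Sighting {
	routed := map[string][]Sighting{}
	for _, s := range sightings {
		cert := "UNROUTED"
		for _, r := range certRoutes {
			if r.prefix.Contains(s.IP) {
				cert = r.cert
				break
			}
		}
		routed[cert] = append(routed[cert], *s)
	}
	for _, list := range routed { // deterministic order for the notification file
		sort.Slice(list, func(i, j int) bool { return list[i].IP.Less(list[j].IP) })
	}
	return routed
}

func main() {
	sightings, bad := ParseSinkholeLog(sampleLog)
	fmt.Printf("%d infected addresses, %d unparseable lines\n", len(sightings), bad)
	for cert, list := range RouteToCERTs(sightings) {
		for _, s := range list {
			fmt.Printf("%s: %s %s connections=%d first=%s last=%s\n", cert, s.IP, s.Family,
				s.Connections, s.FirstSeen.Format(time.RFC3339), s.LastSeen.Format(time.RFC3339))
		}
	}
}
```

Two choices matter in practice. Keying on (address, family) rather than address alone keeps a CryptoLocker sighting from being folded into a GOZeuS one on the same host, and the first/last-seen pair is what a CERT or ISP actually needs, since one public address can stand for many machines behind NAT and for a different subscriber an hour later.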

"Gameover ZeuS is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," FBI Executive Assistant Director Robert Anderson said during a press conference today.

GOZeuS has been one of the banes of the financial services industry's existence since about September 2011. It is responsible for many millions of dollars in bank heists and financial fraud, though the exact figure is up for debate. The FBI estimates that GOZeuS is responsible for more than $100 million in losses; the UK's National Crime Agency says GOZeuS is responsible for stealing "hundreds of millions of pounds" around the world.

As for CryptoLocker, the FBI estimates that $27 million in ransom payments were made in just the first two months after it emerged in September 2013. Like other ransomware, CryptoLocker encrypts victims' data and holds it hostage until the victim pays for its release, but it stands out because it combines two kinds of encryption: each file is encrypted with a symmetric key generated on the victim's machine, and that key is in turn encrypted with an RSA public key whose private half exists only on the attackers' server. Nothing left on the victim's disk recovers the files without that private key, which is what makes the scheme hold up and the ransom payable. Authorities say that many users of GOZeuS also deployed CryptoLocker as a backup measure -- a way to make a buck off their bot if, for some reason, the intended fraud didn't work.
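To make concrete why "two kinds of encryption" leaves victims with nothing to work with, here is the hybrid scheme as an added example. It is this editor's illustration, not CryptoLocker's code or a claim about its exact primitives: the cipher choices (AES-256-GCM for the data, RSA-OAEP with SHA-256 to wrap the key) and the names `Envelope`, `NewOperatorKey`, `HybridEncrypt` and `HybridDecrypt` are assumptions made for the example, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is all that remains on the victim's disk: the file ciphertext and
// the per-file key wrapped under the operator's RSA public key. The matching
// private key never leaves the operator, so nothing here yields the plaintext.
// (AES-256-GCM and RSA-OAEP/SHA-256 are this example's choices, an assumption
// rather than a statement about CryptoLocker's actual primitives.)
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewOperatorKey models the key pair generated on the attacker side.
func NewOperatorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt runs on the victim: a fresh random AES key per file, the data
// sealed under it, the AES key wrapped under the public key and then wiped.
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	env := &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for i := range fileKey { // the symmetric key must not survive in memory or on disk
		fileKey[i] = 0
	}
	return env, nil
}

// HybridDecrypt is the recovery step the ransom buys: unwrap the file key with
// the private key, then open the ciphertext. A wrong key or a tampered
// ciphertext fails closed instead of producing garbage.
func HybridDecrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	operator, _ := NewOperatorKey()
	env, _ := HybridEncrypt(&operator.PublicKey, []byte("Q2 ledger.xlsx contents (constructed sample)"))
	other, _ := NewOperatorKey() // a second key pair, standing in for anyone but the operator
	_, err := HybridDecrypt(other, env)
	fmt.Println("decrypt without the operator's private key:", err)
	pt, _ := HybridDecrypt(operator, env)
	fmt.Printf("decrypt with the operator's private key: %q\n", pt)
}
```

The point for defenders is in the second half of `main`: the public key, the wrapped key and the ciphertext can all be recovered from the infected host, and they are still useless. Recovery comes from backups or from seizing the server that holds the private key, which is exactly the kind of infrastructure Operation Tovar went after.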

"The beauty of the [GOZeuS] tool is you don't really know you're infected," says F-Secure senior researcher Timo Hirvonen. It uses a man-in-the-browser attack, so it has access to everything you do when you're banking online. If you're making an account transfer, for example, it can change how much money you transfer and where you send it, and it can hide the fact that it's done so.

Tom Kellerman, chief security officer of the cybersecurity company Trend Micro, says GOZeuS also gives the botmaster root access to the victims' machines. So simply changing passwords doesn't help, because the malware simply exfiltrates the new passwords. That's why using this C&C downtime to eject the software from endpoints altogether is so important.

"We have to be effective in the next eight days," says Kellerman. "The problem is that now the news has gone public, [and the attackers are] aware."

If victims do not purge their machines of the bot code now, then once the botherders recover and get up and running again, they could simply use their root access to install something new -- a GOZeuS replacement, if you will -- on the victim machines. In the meantime, Hirvonen says, the people running the botnet (if they haven't been arrested already) are probably trying to set up new servers and update the configuration to keep the botnet going, or they're lying low to avoid arrest.

The alleged botnet administrator charged today is Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation -- said to also operate under the names "Slavik," "Pollingsoon," and "Lucky12345." Bogachev was charged with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the GameoverZeuS botnet. He was charged with other offenses related to his roles in CryptoLocker and earlier versions of ZeuS.

In comparison to the BlackShades sting two weeks ago, which netted more than 90 arrests, this single indictment seems rather small. Yet that's because, though BlackShades was a malware toolkit sold on the cheap to thousands of amateurs, GOZeuS and CryptoLocker are only for the big boys, who use the tools themselves instead of making a buck by selling them.

However, stopping one man, or even 90, is nothing compared to stopping the gears that power the entire cybercrime black market.

Operation Tovar is taking a whack at what Kellerman calls "the Sixth Estate" -- the shadow economy that feeds the cybercrime industry. He described it in a blog post Friday:

The virtual arms bazaar is singularly responsible for the proliferation of cyber attack capabilities and the corresponding money laundering and bulletproof hosting for the most nefarious cybercriminals. When combating the most significant cyber crews/arms merchants in cyberspace, we must accept the reality of their infrastructure... The hacker's virtual supply chain consists of three services: provision of hacker services/toolkits; the anonymous payment systems; and the bullet-proof hosts.

"We're putting pressure on their money," Kellerman tells us. "To take down the infrastructure would be essentially a tipping point in the game. It's a step towards taking back the streets."

He says that this operation is a step in the right direction, but there is still much more to do. The government has to go after the entire underground digital payment-processing system with proactive legislation: modernize money laundering laws to cover cyber-related financial fraud, freeze cybercriminals' black-market accounts, and forfeit their assets.

Nevertheless, Kellerman and Hirvonen both applaud today's announcements.

"This is a great signal of the public-private partnership of going after the untouchables of cybercrime," says Kellerman.

"I hope it also sends a strong message to the bad guys," says Hirvonen. "You can use your peer-to-peer networks, but it doesn't make you immune. We can still go after you."

Deputy Attorney General James M. Cole said at today's press conference:

This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data. We succeeded in disabling GameoverZeuS and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.

Victims of GOZeuS may visit US-CERT for assistance in removing the malware.

Trend Micro is also offering a free tool to scan your system for these threats and remove them, available for download in 32-bit and 64-bit versions.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
6/4/2014 | 12:58:50 PM
Great news, but what's next?
Great summary of events. It will be interesting to see if any lasting relief comes of this operation. I'd like to be optimistic, but I think it more likely the actors behind this will just push persistence one step farther. We break C&C, they add P2P C&C. We break P2P C&C, I'll bet we see redundant P2P C&C networks next.

I wrote a different angle on this story at, giving tips on reducing the damage such malware can inflict. Prevention is ideal, but if prevention worked every time we wouldn't see stories such as this.
User Rank: Ninja
6/3/2014 | 5:36:38 PM
Re: Great job
I hope so. It is the unique way to combat cybercrime. Cyberspace has no boundaries, and that's why a joint effort and a shared legal framework are essential.


Sara Peters,
User Rank: Author
6/3/2014 | 5:14:37 PM
Re: Great job
@securityaffairs  I agree. It does seem that law enforcement agencies are doing more international collaboration, and it seems to be paying dividends. Do you think that everyone's buying into that idea, and it will become the norm going forward? Or not?
User Rank: Ninja
6/3/2014 | 3:31:25 PM
Great job
Cybercriminal organizations are becoming even more difficult to contrast; this operation must be a case study for further operations, a perfect example of international effort against illicit activities.

Great Job