The US Department of Justice announced global collaborations today to disrupt the operations of the GameoverZeuS (a.k.a. GOZeuS, a.k.a. P2PZeuS) botnet -- responsible for hundreds of millions of dollars in bank theft and financial fraud -- and users of the CryptoLocker ransomware, which is often used in tandem with GOZeuS. It also announced a 14-charge indictment of a Russian man alleged to be an administrator of both GOZeuS and CryptoLocker.
The effort, dubbed Operation Tovar, is significant for two reasons: because it is an international public-private collaboration involving security companies and law enforcement agencies in 11 countries and because it aims to disrupt the underlying infrastructure of the cybercrime industry.
The goal of Operation Tovar is to disrupt the botnet's operations by:
- Redirecting the traffic from the bots so they can't report back to C&C servers
- Obtaining the IP addresses of the infected machines
- Sharing those addresses with national CERTs and private industry so they can help victims remove the GOZeuS malware from their computers
Authorities estimate they can disrupt the botnet for a week or two, giving users the chance to oust the malware. This is an exciting achievement, since GOZeuS has been a very dynamic botnet; if one C&C server went down, it simply used another to talk to its bots. Its use of peer-to-peer technology makes it more resilient than earlier versions of ZeuS.
"Gameover ZeuS is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," FBI Executive Assistant Director Robert Anderson said during a press conference today.
GOZeuS has been one of the banes of the financial services industry's existence since about September 2011. It is responsible for many millions of dollars in bank heists and financial fraud, though the exact figure is up for debate. The FBI estimates that GOZeuS is responsible for more than $100 million in losses; the UK's National Crime Agency says GOZeuS is responsible for stealing "hundreds of millions of pounds" around the world.
As for CryptoLocker, the FBI estimates that $27 million in ransom payments were made in just the first two months after it emerged in September 2013. Like other ransomware, CryptoLocker encrypts victims' data and holds it hostage until the victim pays for its release, but it stands out because it encrypts the data with two different kinds of encryption. Authorities say that many users of GOZeuS also deployed CryptoLocker as a backup measure -- a way to make a buck off their bot if, for some reason, the intended fraud didn't work.
"The beauty of the [GOZeuS] tool is you don't really know you're infected," says F-Secure senior researcher Timo Hirvonen. It uses a man-in-the-browser attack, so it has access to everything you do when you're banking online. If you're making an account transfer, for example, it can change how much money you transfer and where you send it, and it can hide the fact that it's done so.
Tom Kellerman, chief security officer of the cybersecurity company Trend Micro, says GOZeuS also gives the botmaster root access to the victims' machines. So changing passwords alone doesn't help, because the malware simply exfiltrates the new passwords. That's why using this C&C downtime to eject the software from endpoints altogether is so important.
"We have to be effective in the next eight days," says Kellerman. "The problem is that now the news has gone public, [and the attackers are] aware."
If victims do not purge their machines of the bot code now, then once the bot herders recover and get up and running again, they could simply use their root access to install something new -- a GOZeuS replacement, if you will -- on the victim machines. In the meantime, Hirvonen says, the people running the botnet (if they haven't been arrested already) are probably trying to set up new servers and update the configuration to keep the botnet going, or they're lying low to avoid arrest.
The alleged botnet administrator charged today is Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation -- said to also operate under the names "Slavik," "Pollingsoon," and "Lucky12345." Bogachev was charged with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the GameoverZeuS botnet. He was charged with other offenses related to his roles in CryptoLocker and earlier versions of ZeuS.
In comparison to the BlackShades sting two weeks ago, which netted more than 90 arrests, this one arrest seems rather small. Yet that's because BlackShades was a malware toolkit sold on the cheap to thousands of amateurs, whereas GOZeuS and CryptoLocker are only for the big boys, who use the tools themselves instead of making a buck by selling them.
However, stopping one man or even 90 is nothing compared to stopping the gears that power the entire cybercrime black market.
Operation Tovar is taking a whack at what Kellerman calls "the Sixth Estate" -- the shadow economy that feeds the cybercrime industry. He described it in a blog post Friday:
The virtual arms bazaar is singularly responsible for the proliferation of cyber attack capabilities and the corresponding money laundering and bulletproof hosting for the most nefarious cybercriminals. When combating the most significant cyber crews/arms merchants in cyberspace, we must accept the reality of their infrastructure... The hacker's virtual supply chain consists of three services: provision of hacker services/toolkits; the anonymous payment systems; and the bullet-proof hosts.
"We're putting pressure on their money," Kellerman tells us. "To take down the infrastructure would be essentially a tipping point in the game. It's a step towards taking back the streets."
He says that this operation is a step in the right direction, but there is still much more to do. The government has to go after the entire underground digital payment processing system with proactive legislation, including modernizing money laundering laws to cover cyber-related financial fraud, freezing cyber criminals' black market accounts, and forfeiting their assets.
Nevertheless, Kellerman and Hirvonen both applaud today's announcements.
"This is a great signal of the public-private partnership of going after the untouchables of cybercrime," says Kellerman.
"I hope it also sends a strong message to the bad guys," says Hirvonen. "You can use your peer-to-peer networks, but it doesn't make you immune. We can still go after you."
Deputy Attorney General James M. Cole said at today's press conference:
This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data. We succeeded in disabling GameoverZeuS and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.
Victims of GOZeuS may visit US-CERT for assistance in removing the malware, here: https://www.us-cert.gov/gameoverzeus.