Financial botnet has amassed some 680,000 bots

Dark Reading Staff, Dark Reading

August 1, 2012

3 Min Read

The Gameover Zeus botnet is now the biggest financial fraud botnet around, and it's run by a single cybercrime group out of Eastern Europe, according to new research.

Brett Stone-Gross, senior security researcher with Dell Secureworks, has been closely monitoring the botnet since late April, with his team "crawling" the peer-to-peer botnet to determine its size and scope, and counted some 678,205 infected bots. He published his overall findings on the inner workings of the botnet last week during Black Hat USA.

"There's one group behind it," Stone-Gross says. "And it's the largest financial botnet out there."

The key to its success, he says, is that it has a "huge number" of compromised servers at its disposal, and it rents the Cutwail spam botnet to deliver its initial payload via phishing emails impersonating legitimate companies, including cellular phone companies, retailers, social networking sites, and financial institutions. "They take a legitimate email and replace a link inside it" that sends the victim to one of their compromised websites, he says.

The victims who fall for the email ruses -- invoices, order confirmations, or warnings about unpaid bills -- become part of the peer-to-peer Zeus-based Gameover botnet. "If you click the link, you see the fake loading page, which loads JavaScript from three different compromised sites," Stone-Gross says.

Stone-Gross and his team found some 1.5 million unique IP addresses infected with Gameover, with the U.S. (150,204 bots), Germany (48,853 bots), and Italy (34,361 bots) suffering the most infections. Infections have hit not only the Fortune 500, but also universities, hospitals, financial institutions, defense contractors, government agencies, and law enforcement.

Recent data from LookingGlass Cyber Solutions said that 18 of the 24 largest banks around the world suffer from infamous malware, including Gameover Zeus, DNS Changer, BlackHole Exploit Kit, and fake antivirus.

Dell Secureworks' Stone-Gross says Gameover is all about stealing victims' online credentials and other personal information. Once victims are infected and visit their online retailer, for example, the malware injects prompts for information such as Social Security number, mother's maiden name, credit-card number, and date of birth.

"They also track their success of infection, such as which exploits worked," Stone-Gross says.

Gameover also employs the DirtJumper tool to DDoS financial institutions while it steals their customers' funds. It uses a downloader called Pony Loader that downloads the peer-to-peer communication of Zeus, and steals HTTP, FTP, and email credentials.

"What's interesting about Gameover is that it's a P2P network, and the robustness of the network itself. Each malware sample includes a hard-coded peers list, and the bot tries to reach out to them and request information, configuration files, version information, and binary updates," Stone-Gross says. The architecture has its own failover mechanism, he says.
