Brett Stone-Gross, senior security researcher with Dell Secureworks, has been closely monitoring the botnet since late April, with his team "crawling" the peer-to-peer botnet to determine its size and scope, and counted some 678,205 infected bots. He published his overall findings on the inner workings of the botnet last week during Black Hat USA.
"There's one group behind it," Stone-Gross says. "And it's the largest financial botnet out there."
The key to its success, he says, is the "huge number" of servers the group has compromised, combined with renting the Cutwail spam botnet to deliver the initial payload via phishing emails that impersonate legitimate companies, including cellular phone companies, retailers, social networking sites, and financial institutions. "They take a legitimate email and replace a link inside it" so that it sends the victim to one of their compromised websites, he says.
Stone-Gross and his team found some 1.5 million unique IP addresses infected with Gameover, with the U.S. (150,204 bots), Germany (48,853 bots), and Italy (34,361 bots) suffering the most infections. Infections have hit not only the Fortune 500, but also universities, hospitals, financial institutions, defense contractors, government agencies, and law enforcement.
Recent data from LookingGlass Cyber Solutions indicated that 18 of the 24 largest banks around the world are affected by well-known malware and crimeware, including Gameover Zeus, DNSChanger, the BlackHole exploit kit, and fake antivirus.
Dell Secureworks' Stone-Gross says Gameover is all about stealing victims' online credentials and other personal information. Once a victim is infected and visits, for example, an online retailer, the malware prompts for additional information, such as Social Security number, mother's maiden name, credit-card number, and date of birth, by injecting fields into the legitimate page.
"They also track their success of infection, such as which exploits worked," Stone-Gross says.
Gameover also employs the DirtJumper DDoS tool to flood financial institutions while it drains their customers' funds. It is delivered by a downloader called Pony Loader, which fetches the peer-to-peer version of Zeus and, in the meantime, steals HTTP, FTP, and email credentials from the infected machine.
"What's interesting about Gameover is that it's a P2P network, and the robustness of the network itself. Each malware sample includes a hard-coded peers list, and the bot tries to reach out to them and request information, configuration files, version information, and binary updates," Stone-Gross says. The architecture has its own failover mechanism, he says.
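The "crawling" Stone-Gross mentions works because every bot will hand out its peer list on request, so a researcher can start from the hard-coded peers in a sample and walk the network breadth-first. The following Python is an added illustration of that enumeration loop, not the Secureworks crawler and not Gameover's actual wire protocol; the network it walks is a constructed toy graph, and the assumption that each peer entry carries a stable bot identifier alongside its IP address is the author's own. It also shows why the two sizes cited above differ: counting responding bots and counting distinct IP addresses are different measurements, and one bot seen at two addresses inflates the second.

```python
"""Toy breadth-first crawl of a peer-to-peer botnet (added example, constructed data)."""
from collections import deque
from typing import Callable, Dict, List, NamedTuple, Optional, Set, Tuple


class Peer(NamedTuple):
    bot_id: str   # assumed stable identifier each bot advertises (assumption, not GOZ's format)
    ip: str
    port: int


# Constructed sample network, not real botnet data: maps a bot id to the peer list
# that bot returns when asked. Bots missing from the map are offline: the crawler
# learns of them from other peers but never hears back.
SAMPLE_NETWORK: Dict[str, List[Peer]] = {
    "b01": [Peer("b02", "203.0.113.10", 5000), Peer("b03", "203.0.113.11", 5001)],
    "b02": [Peer("b01", "203.0.113.5", 5000), Peer("b04", "198.51.100.20", 6000)],
    "b03": [Peer("b04", "198.51.100.20", 6000), Peer("b05", "198.51.100.21", 6001)],
    # b05 appears under a second address here: one infected host, two IPs (e.g. DHCP churn)
    "b04": [Peer("b02", "203.0.113.10", 5000), Peer("b05", "198.51.100.22", 6001)],
    # "b05" is offline and never answers
}

# Hard-coded seed peer, standing in for the peer list embedded in a malware sample.
SEED = Peer("b01", "203.0.113.5", 5000)


def toy_fetch(peer: Peer) -> Optional[List[Peer]]:
    """Stand-in for the real peer-exchange request; None means the peer did not respond."""
    return SAMPLE_NETWORK.get(peer.bot_id)


def crawl(seeds: List[Peer],
          fetch: Callable[[Peer], Optional[List[Peer]]],
          max_nodes: int = 100_000) -> Tuple[Set[str], Set[str], Set[str]]:
    """Breadth-first walk from the seed peers.

    Returns (responding bot ids, unreachable bot ids, distinct IPs observed).
    Every peer is queried at most once, so the walk terminates even though
    peer lists contain cycles; max_nodes is a safety cap for a live crawl.
    """
    queue = deque(seeds)
    queued: Set[str] = {p.bot_id for p in seeds}
    alive: Set[str] = set()
    dead: Set[str] = set()
    ips: Set[str] = set()

    while queue and len(alive) + len(dead) < max_nodes:
        peer = queue.popleft()
        ips.add(peer.ip)
        peers = fetch(peer)
        if peers is None:
            dead.add(peer.bot_id)
            continue
        alive.add(peer.bot_id)
        for q in peers:
            ips.add(q.ip)                  # count addresses as soon as they are advertised
            if q.bot_id not in queued:     # dedupe on the bot identifier, not the address
                queued.add(q.bot_id)
                queue.append(q)
    return alive, dead, ips


def summarize(seeds: List[Peer], fetch: Callable[[Peer], Optional[List[Peer]]]) -> Dict[str, int]:
    """Convenience wrapper returning the three headline numbers a crawl report would give."""
    alive, dead, ips = crawl(seeds, fetch)
    return {"responding": len(alive), "unreachable": len(dead), "distinct_ips": len(ips)}


if __name__ == "__main__":
    print(summarize([SEED], toy_fetch))
```

On the toy graph the walk discovers five bot identifiers, of which four answer and one is unreachable, while six distinct IP addresses are observed; the gap between four responding bots and six addresses is the same effect, at small scale, that separates a count of live bots from a count of infected IP addresses over a period of weeks.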