Global Effort Disrupts GOZeuS Botnet, CryptoLocker; One Indicted

An international public-private collaboration involving security companies and law enforcement agencies in 11 countries aims to disrupt the underlying infrastructure of the cybercrime industry.

The US Department of Justice announced global collaborations today to disrupt the operations of the GameoverZeuS (a.k.a. GOZeuS, a.k.a. P2PZeuS) botnet -- responsible for hundreds of millions of dollars in bank theft and financial fraud -- and users of the CryptoLocker ransomware, which is often used in tandem with GOZeuS. It also announced a 14-charge indictment of a Russian man alleged to be an administrator of both GOZeuS and CryptoLocker.

The effort, dubbed Operation Tovar, is significant for two reasons: because it is an international public-private collaboration involving security companies and law enforcement agencies in 11 countries and because it aims to disrupt the underlying infrastructure of the cybercrime industry.

The goal of Operation Tovar is to disrupt the botnet's operations by:

  • Redirecting the traffic from the bots so they can't report back to C&C servers
  • Obtaining the IP addresses of the infected machines
  • Sharing those addresses to help national CERTs and private industry to assist victims in removing the GOZeuS malware from their computers

Authorities estimate they can disrupt the botnet for a week or two, giving users the chance to oust the malware. This is an exciting achievement, since GOZeuS has been a very dynamic botnet; if one C&C server went down, it simply used another to talk to its bots. Its use of peer-to-peer technology makes it more resilient than earlier versions of ZeuS.

"Gameover ZeuS is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," FBI Executive Assistant Director Robert Anderson said during a press conference today.

GOZeuS has been one of the banes of the financial services industry's existence since about September 2011. It is responsible for many millions of dollars in bank heists and financial fraud, though the exact figure is up for debate. The FBI estimates that GOZeuS is responsible for more than $100 million in losses; the UK's National Crime Agency says GOZeuS is responsible for stealing "hundreds of millions of pounds" around the world.

As for CryptoLocker, the FBI estimates that $27 million in ransom payments were made in just the first two months after it emerged in September 2013. Like other ransomware, CryptoLocker encrypts victims' data and holds it hostage until the victim pays for its release, but it stands out because it encrypts the data with two different kinds of encryption. Authorities say that many users of GOZeuS also deployed CryptoLocker as a backup measure -- a way to make a buck off their bot if, for some reason, the intended fraud didn't work.

"The beauty of the [GOZeuS] tool is you don't really know you're infected," says F-Secure senior researcher Timo Hirvonen. It uses a man-in-the-browser attack, so it has access to everything you do when you're banking online. If you're making an account transfer, for example, it can change how much money you transfer and where you send it, and it can hide the fact that it's done so.

Tom Kellerman, chief security officer of the cybersecurity company Trend Micro, says GOZeuS also gives the botmaster root access to the victims' machines. So simply changing passwords doesn't help, because the malware simply exfiltrates the new passwords. That's why using this C&C downtime to eject the software from endpoints altogether is so important.

"We have to be effective in the next eight days," says Kellerman. "The problem is that now the news has gone public, [and the attackers are] aware."

If victims do not purge their machines of the bot code now, then once the botherders recover and get up and running again, they could simply use their root access to install something new -- a GOZeuS replacement, if you will -- on the victim machines. In the meantime, Hirvonen says, the people running the botnet (if they haven't been arrested already) are probably trying to set up new servers and update the configuration to keep the botnet going, or they're laying low to avoid arrest.

The alleged botnet administrator charged today is Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation -- said to also operate under the names "Slavik," "Pollingsoon," and "Lucky12345." Bogachev was charged with conspiracy, computer hacking, wire fraud, bank fraud, and money laundering in connection with his alleged role as an administrator of the GameoverZeuS botnet. He was charged with other offenses related to his roles in CryptoLocker and earlier versions of ZeuS.

In comparison to the BlackShades sting two weeks ago, which netted more than 90 arrests, this one arrest seems rather small. Yet that's because, though BlackShades was a malware toolkit sold on the cheap to thousands of amateurs, GOZeuS and CryptoLocker are only for the big boys, who use the tools themselves, instead of making a buck from selling them.

However, stopping one man or even 90 is nothing compared to stopping the gears that power the entire cybercrime black market.

Operation Tovar is taking a whack at what Kellerman calls "the Sixth Estate" -- the shadow economy that feeds the cybercrime industry. He described it in a blog post Friday:

The virtual arms bazaar is singularly responsible for the proliferation of cyber attack capabilities and the corresponding money laundering and bulletproof hosting for the most nefarious cybercriminals. When combating the most significant cyber crews/arms merchants in cyberspace, we must accept the reality of their infrastructure... The hacker's virtual supply chain consists of three services: provision of hacker services/toolkits; the anonymous payment systems; and the bullet-proof hosts.

"We're putting pressure on their money," Kellerman tells us. "To take down the infrastructure would be essentially a tipping point in the game. It's a step towards taking back the streets."

He says that this operation is a step in the right direction, but there is still much more to do. The government has to go after the entire underground digital payment processing system with proactive legislation, including modernizing money laundering laws to cover cyber-related financial fraud, freezing cyber criminals' black market accounts, and forfeiting their assets.

Nevertheless, Kellerman and Hirvonen both applaud today's announcements.

"This is a great signal of the public-private partnership of going after the untouchables of cybercrime," says Kellerman.

"I hope it also sends a strong message to the bad guys," says Hirvonen. "You can use your peer-to-peer networks, but it doesn't make you immune. We can still go after you."

Deputy Attorney General James M. Cole said at today's press conference:

This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data. We succeeded in disabling GameoverZeuS and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.

Victims of GOZeuS may visit US-CERT for assistance in removing the malware, here: https://www.us-cert.gov/gameoverzeus.

TrendMicro is also offering a free tool to scan your system for these threats and remove them. Those are available for download here (for 32-bit systems) and here (for 64-bit systems).

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Apprentice
6/4/2014 | 12:58:50 PM
Great news, but what's next?
Great summary of events. It will be interesting to see if any lasting relief comes of this operation. I'd like to be optimistic, but I think it more likely the actors behind this will just push persistence one step farther. We break C&C, they add P2P C&C. We break P2P C&C, I'll bet we see redundant P2P C&C networks next.

I wrote a different angle on this story at http://dnlongen.blogspot.com/2014/06/GameoverZeuS.html, giving tips on reducing the damage such malware can inflict. Prevention is ideal, but if prevention worked every time we wouldn't see stories such as this.
User Rank: Ninja
6/3/2014 | 5:36:38 PM
Re: Great job
I hope so. It is the only way to combat cybercrime. Cyberspace has no boundaries; that's why a joint effort and a shared legal framework are essential.

Sara Peters,
User Rank: Author
6/3/2014 | 5:14:37 PM
Re: Great job
@securityaffairs  I agree. It does seem that law enforcement agencies are doing more international collaboration, and it seems to be paying dividends. Do you think that everyone's buying into that idea, and it will become the norm going forward? Or not?
User Rank: Ninja
6/3/2014 | 3:31:25 PM
Great job
Cybercriminal organizations are becoming even more difficult to counter. This operation must be a case study for further operations, a perfect example of international effort against illicit activities.

Great Job