UPDATE – Law enforcement agencies in Europe and the United States, including Europol and the FBI, ran a coordinated takedown of the GameOver Zeus botnet on Friday, seizing servers and disrupting the botnet’s operation. Authorities say that the same botnet has been used to distribute the CryptoLocker ransomware, and they are now looking for a 30-year-old Russian who they say is connected to the operation of the botnet.
GameOver is a separate strain of malware from the better-known Zeus Trojan, and the botnet built using GameOver has proven to be a hard target for researchers and law enforcement. The GameOver Zeus botnet uses a P2P architecture, which makes it difficult to disrupt because its command-and-control infrastructure is decentralized: there is no single server whose seizure cuts the bots off from their operators. Many malware authors and botnet operators have shifted to this architecture in the last few years because of the advantages it offers in resisting takedowns and removal attempts.
GameOver Zeus is used as part of a wire fraud scheme that involves stealing financial credentials from infected users’ computers and then sending money from the victims’ accounts to those controlled by the attackers. GameOver often is distributed to victims through other botnets, specifically the Cutwail botnet.
On May 30, authorities working out of the European Cybercrime Centre (EC3) worked with a number of security companies and researchers to take down the botnet and seize the servers that were part of it. The Shadowserver Foundation, Abuse.ch, CrowdStrike, Microsoft and several other companies were part of the takedown. The FBI has identified Evgeniy Mikhailovich Bogachev as the alleged controller of the GameOver Zeus operation.
“This big, and very successful, operation has been an important test of the EU Member States’ ability to act fast, decisively and coordinated against a dangerous criminal network that has been stealing money and information from victims in the EU and all over the globe. Over many days and nights cyber police from several EU countries in EC3 operation rooms maximized the impact of this joint investigation. We get better and better after each such operation, and many more will undoubtedly follow,” said Troels Oerting, head of the EC3.
The U.S. government sinkholed some of the servers involved in the GameOver Zeus botnet, redirecting traffic from infected machines to servers under its control. This is a common tactic in botnet takedowns, but it is not always completely effective, especially against P2P botnets that don’t rely on one or a handful of key C&C servers.
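The two paragraphs above (the P2P design and the limits of sinkholing a few servers) can be illustrated with a small graph simulation. The following is an added, hypothetical example written for this article; it is not GameOver Zeus code, nor code from any of the organisations named here. It models a botnet as an undirected graph of nodes that know each other, compares a star-shaped centralized botnet with a random peer-list botnet, and measures how much of the network stays connected after a takedown removes nodes. All function names, node counts and the peer-list size are assumptions chosen for the illustration.

```python
"""Toy model of why a P2P botnet resists the single-server takedown that
works against a centralized one. Hypothetical simulation for illustration;
not code from GameOver Zeus or from any takedown participant."""
import random
from collections import deque


def build_centralized(num_bots: int) -> dict[int, set[int]]:
    """Star topology: every bot (1..N) knows only the C&C server (node 0)."""
    graph = {0: set(range(1, num_bots + 1))}
    for bot in range(1, num_bots + 1):
        graph[bot] = {0}
    return graph


def build_p2p(num_bots: int, peers_per_bot: int, seed: int = 0) -> dict[int, set[int]]:
    """Random peer-list topology: each bot seeds its list with a few random
    peers and links are symmetric, so no single node is a dependency for all."""
    rng = random.Random(seed)
    graph: dict[int, set[int]] = {bot: set() for bot in range(num_bots)}
    for bot in range(num_bots):
        candidates = [other for other in range(num_bots) if other != bot]
        for peer in rng.sample(candidates, peers_per_bot):
            graph[bot].add(peer)
            graph[peer].add(bot)
    return graph


def take_down(graph: dict[int, set[int]], seized) -> dict[int, set[int]]:
    """Return the graph with the seized nodes (and every link to them) removed."""
    seized = set(seized)
    return {node: {p for p in peers if p not in seized}
            for node, peers in graph.items() if node not in seized}


def component_sizes(graph: dict[int, set[int]]) -> list[int]:
    """Breadth-first search over every unvisited node; one size per component."""
    seen: set[int] = set()
    sizes = []
    for start in graph:
        if start in seen:
            continue
        queue = deque([start])
        seen.add(start)
        size = 0
        while queue:
            node = queue.popleft()
            size += 1
            for peer in graph[node]:
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        sizes.append(size)
    return sizes


def largest_component_fraction(graph: dict[int, set[int]]) -> float:
    """Share of surviving nodes that can still reach each other (0.0 for empty)."""
    if not graph:
        return 0.0
    return max(component_sizes(graph)) / len(graph)


def simulate(num_bots: int = 200, peers_per_bot: int = 5,
             seized_fraction: float = 0.1, seed: int = 0) -> dict[str, float]:
    """Seize the single C&C node of the star, and a random 10% of the P2P nodes."""
    central = build_centralized(num_bots)
    central_after = take_down(central, [0])
    p2p = build_p2p(num_bots, peers_per_bot, seed)
    rng = random.Random(seed)
    seized = rng.sample(range(num_bots), int(num_bots * seized_fraction))
    p2p_after = take_down(p2p, seized)
    return {
        "centralized_before": largest_component_fraction(central),
        "centralized_after": largest_component_fraction(central_after),
        "p2p_before": largest_component_fraction(p2p),
        "p2p_after": largest_component_fraction(p2p_after),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>20}: {value:.3f}")
```

Seizing node 0 of the star leaves every bot isolated (the largest component is a single node), which is exactly what a server seizure or sinkhole achieves against a centralized botnet. Removing a random tenth of the peer-list network barely changes its connectivity, which is why the article notes that sinkholing a few servers is not always effective against P2P botnets and why the operation needed cooperation from many parties rather than one seizure.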
On Monday, US-CERT issued a technical alert about GameOver Zeus, warning users about the malware.
“GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks,” the warning says.
Kaspersky Lab has released a removal tool for GameOver Zeus that can disinfect compromised systems. David Emm, senior expert with Kaspersky’s Global Research and Analysis Team, said the many variants of Zeus make it a difficult threat to eradicate.
“These types of threats are not uncommon – in our virus lab we see about 315,000 unique samples every day, including banking Trojans, ransomware and many other types of malware. Looking at Zeus, whose original code has been available on the Internet for years, it can be seen that there are literally hundreds of thousands of variants of it, and one of the reasons for this is that when attackers take control of a user’s computer they tend to want to keep control of it for as long as possible,” he said.
This is not the first time that researchers and authorities have gone after a Zeus botnet. In 2012, Microsoft took down some servers used as C&C points for Zeus, but because GameOver Zeus uses a P2P architecture, that operation didn’t put a dent in the GameOver operation.
“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General Cole. “We succeeded in disabling GameOver Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world.”
The Department of Justice charged Bogachev with conspiracy, wire fraud, computer hacking, bank fraud and money laundering in connection with the operation of GameOver Zeus. Authorities also say he was responsible for running the CryptoLocker infrastructure, a highly profitable ransomware operation.
This article was edited on June 2 to add the FBI’s comments.