The effect of the takedown of the GameOver Zeus botnet this week has been immediate and significant. Researchers who track the activity of the peer-to-peer botnet say that the volume of packets being sent out by infected machines has dropped to almost zero.
On Friday, the FBI and Europol, along with researchers from several security companies, executed a takedown of the GOZ botnet that involved seizing servers involved in the botnet’s operation and sinkholing some of the domains the attackers use for communications. GOZ is a P2P offshoot of the main Zeus malware family that is specifically designed to steal victims’ financial credentials and then use them for fraudulent wire transfers. It’s been a major problem for financial institutions for a couple of years now, and authorities in the U.S. and Europe pooled their resources to drop the hammer on the operators of the botnet.
The FBI has charged Evgeniy Mikhailovich Bogachev, a Russian national, with several felonies in connection with his alleged involvement in the GOZ botnet. With all botnet takedowns, there are a number of different goals. Researchers and affected companies and victims want the malware killed and the traffic choked off. And authorities want the people involved in the operation arrested and prosecuted. In the case of GOZ, one of those goals already has been accomplished.
Researchers at CERT Polska, the Polish computer emergency response team, have been tracking the traffic emanating from infected GOZ machines and their statistics show that traffic completely dropped off the table late in the day on May 30, around the time that the takedown occurred. Traffic spiked again the following day, but has fallen to close to zero again since then.
In previous botnet takedowns, the networks sometimes have come back to life in other forms or using different infrastructure. P2P botnets can be especially difficult to completely eliminate because of their distributed C2 infrastructure: operators push commands to a subset of infected machines, which then relay them to their peers. Traditional top-down botnet architectures require each bot to check in with the C2 server to receive commands.
Researchers involved in the GOZ takedown said that the operation was made even more difficult because the botnet operators had taken defensive measures to protect it over the years.
“In the early days, GameOver ZeuS was mainly targeting financial institutions in the US. During their years of operating the botnet they soon enlarged their target list to include financial institutions in Europe and Asia as well. For example, in 2013 Swiss Internet users were hit by a spam run that was distributing GameOver ZeuS in Switzerland,” said the researcher who runs Abuse.ch in Switzerland.
“The GameOver ZeuS botnet was developed further several times, mainly aimed to harden the P2P component of GameOver ZeuS. The main reason for this was several takedown attempts carried out by security researchers in the past years.”