Summer Break arrives early for Malware & Botnet Gang

After over 3-years of non-stop work stealing millions from people and companies on the internet, the cybercriminals behind the thefts will have some free time on their hands.

Last week a group of Internet security organizations including the Spamhaus Project, several IT security companies, and the cybercrime departments of ten national law enforcement agencies crippled the infamous GameOver Zeus (GOZ) malware/botnet. The group also dismantled the infrastructure of the related CryptoLocker malware/ransomware. This coordinated effort was planned for some time before public action took place.

Working behind the scenes, Spamhaus assisted in blocking and shutting-down several of the "backend" servers used to run GOZ and CryptoLocker.

Law Enforcement Action

The US FBI-led legal action, codenamed GameOver (Tovar in the UK), and simultaneous technical efforts of private sector companies and organizations, against GOZ has taken down much of its command-and-control (C&C) infrastructure. Specifically, GOZ no longer has control of the malware-generated domains that infected computers use to communicate with the GOZ C&Cs. The FBI seized these domains and, with other law enforcement agencies in other nations and private-sector partners such as Spamhaus, shut down the C&C servers.

A U.S. federal grand jury has indicted 30-year-old Russian national Evgeniy Mikhailovich Bogachev with 14 counts of money laundering, bank fraud, wire fraud, conspiracy, and computer hacking. The indictment named Bogachev as the GOZ botnet's administrator, and as the owner of CryptoLocker. The FBI claims that GOZ and CryptoLocker have been used to steal over US $100 million from internet users.

The Battle Continues

Spamhaus uses its own data and feeds from fellow security community organizations, such as the Shadowserver Foundation, to list the IP addresses of GOZ and CryptoLocker infected computers. These IP addresses are published in the Spamhaus CBL/XBL. We also use this data to work directly with Internet Service Providers (ISPs) and many Community Emergency Response Teams (CERTs) (and invite more to work with us) to help the owners of infected (compromised) computers regain control of them. We expect that the GOZ cybercriminals’ business will be disrupted because of this effort, forcing them to rebuild their botnet before they can resume stealing from people and companies. In the meantime, many GOZ victims will be notified and helped to clean their computers of the GOZ malware.

GOZ malware victims need to take advantage of this opportunity now, as the criminals will re-establish their botnet and communications with infected computers as quickly as they can.

Spamhaus will monitor as the cybercriminals re-build and re-establish their communications infrastructure. As quickly as we locate new GOZ-infected computers spewing malware-laden spam, we will list the IPs in the Spamhaus XBL to protect our users. As soon as we locate new GOZ C&C servers, we will list them in our Botnet Controller List (BCL) and DNS firewall Response Policy Zone (RPZ) so that ISPs and web hosting companies can block access from their servers. Blocking access to GOZ compromised computers and C&C servers helps protect users from becoming victims even if their computers become infected with the GOZ malware.

About GameOver Zeus (GOZ)

GOZ is a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware. It uses a decentralized network infrastructure of compromised personal computers and web servers to obtain banking credentials (mostly logins and passwords) from users and route that information to the cybercriminals, who use it to empty the users' bank accounts. The GOZ malware is distributed through spammed phishing emails. GOZ-infected computers can also be used to send spam or participate in distributed denial-of-service (DDoS) attacks.

Prior variants of the Zeus malware used a centralized C&C infrastructure to execute commands. This led the security community to track and shut down C&C servers. GOZ, however, uses a P2P network of infected computers to communicate and distribute data, and also encrypts its communications to evade detection. These infected computers act as a massive proxy network that is used to update the GOZ malware, distribute configuration files, and transmit stolen data back to the criminals. The GOZ malware network does not have a single point of failure, making takedown efforts more difficult.

About CryptoLocker

When activated, CryptoLocker encrypts certain types of data files stored on local and mounted network drives using RSA public-key cryptography. The private key is stored on the CryptoLocker control servers. CryptoLocker then displays a message to the victim, offering to decrypt the data after the victim sends payment, usually via either Bitcoin or a pre-paid voucher. If the victim does not pay by the specified deadline (typically 72 hours), CryptoLocker threatens to destroy the private key, making the encrypted files unrecoverable.

Related Links

• Department of Justice: Press Release Story- CERT Polska: Operation #Tovar is clearly visible on our Zeus P2P monitoring- FBI: Gameover Zeus Botnet Disrupted- FBI: Wanted: Evgeniy Mikhailovich Bogachev- FBI: Declaration of Special Agent (pdf)- US CERT: Information on Gameover Zeus- NCA UK: Two-week opportunity for UK to reduce threat from powerful computer attack

• Symantec: International takedown wounds gameover zeus cybercrime network- Microsoft: Virus and Security Solution Center

• Krebs on Security: ‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge- Slate: To Catch a Cyberthief. How the FBI foiled the dangerous malwares GameOver Zeus and Cryptolocker.- The Register: Feds hunt 30-year-old alleged to be lord of Gameover botnet

• Pittsburgh cybersquad leads way in fighting cybercrime

• CERT Polska: A technical analysis of GOZ (pdf)- FBI: Gameover Zeus and Cryptolocker Poster (pdf)

• Spamhaus news 2005: We warned you