Thread: Federal Agents Just Brought Down the World’s Worst Botnet

Federal Agents Just Brought Down the World’s Worst Botnet

By Dune Lawrence June 02, 2014

---

An international operation led by the Department of Justice has disabled a hacking network that generated losses of more than $100 million in the U.S. since 2011. In an announcement on Monday, the department also disclosed charges against a 30-year-old Russian allegedly behind the Gameover Zeus botnet, a web of hundreds of thousands of infected computers used to steal money from bank accounts.

Gameover Zeus, which first emerged in September 2011, infected somewhere between 500,000 and 1 million computers, putting them in the control of hackers in Russia and Ukraine, according to legal documents (PDF) unsealed today. The main purpose of creating such a network, federal officials said, is to steal banking credentials and then use them to make wire transfers overseas.

The botnet’s capabilities sound plenty scary. Let’s say the hackers got a log-in and password for an account at Bank X and arranged for a fraudulent wire transfer. The bots could be used to attack the bank’s network to distract from examination of the transfer, says Brett Stone-Gross, a researcher for Dell SecureWorks who helped with the technical aspects of the takedown. It would even become harder for the account holder to alert the bank of fraudulent activity.

STORY: U.S. Charges Five Chinese Military Hackers With Online Spying

“This botnet caused a tremendous amount of damage,” Stone-Gross says. “It probably caused more damage than any other botnet previously, based on the amount of financial fraud.”

The hackers used the same network to spread a malicious program called Cryptolocker, which takes control of a computer, encrypts its contents, and demands ransom from the user to regain access to his files. The program is likely the work of the same group of hackers, says Stone-Gross.

The federal indictment unsealed at a court in Pittsburgh on Monday names Evgeniy Mikhailovich Bogachev, a Russian citizen and resident of the Black Sea city of Anapa, as the head of the group controlling the botnet. He might also be the author of the original Zeus malware, which emerged in 2007. U.S. authorities tracked his online activities by monitoring a computer server in the U.K. used to administer the botnet.

STORY: Iranian Hackers, Getting More Sophisticated, Target U.S. Defense Companies

The international cooperation behind the takedown is impressive.

The Justice Department press release mentions law enforcement units from Australia, the Netherlands, Germany, France, Italy, Japan, Luxembourg, New Zealand, Canada, Ukraine, and the U.K.

The real question now is how long it takes the criminals to construct a new network, and whether the U.S. indictment limits Bogachev and his allies—that is, if he is the mastermind depicted in the indictment.

STORY: Hackers Devise Wireless Methods for Stealing ATM Users' PINs

http://www.businessweek.com/articles...s-worst-botnet

​More than a million computers are infected globally, with roughly 25 percent in the U.S.
View Full Graphic (PDF)

GameOver Zeus Botnet Disrupted


Collaborative Effort Among International Partners

06/02/14
On June 2, 2014, the Department of Justice and the FBI announced a multinational effort to disrupt the GameOver Zeus botnet, believed to be responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world.
Also announced was the unsealing of criminal charges in Pittsburgh and Omaha against alleged botnet administrator Evgeniy Mikhailovich Bogachev of Anapa, Russian Federation.


GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects. It’s predominately spread through spam e-mail or phishing messages.


Unbeknownst to their rightful owners, the infected computers become part of a global network of compromised computers known as a botnet—a powerful online tool that cyber criminals can use for their own nefarious purposes. In the case of GameOver Zeus, its primary purpose is to capture banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals.


Losses attributable to GameOver Zeus are estimated to be more than $100 million.


Unlike earlier Zeus variants, GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin, which means that instructions to the infected computers can come from any of the infected computers, making a takedown of the botnet more difficult. But not impossible.


Officials announced that in addition to the criminal charges in the case, the U.S. obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to sever communications between the infected computers, re-directing these computers away from criminal servers to substitute servers under the government’s control.


The orders authorize the FBI to identity the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams (CERTs) around the world, as well as to Internet service providers and other private sector parties who are able to assist victims in removing GameOver Zeus from their computers.


Important note: No contents of victim communications are captured or accessible in the disruption process.


The GameOver Zeus investigation, according to U.S. Deputy Attorney General James Cole, combined “traditional law enforcement techniques and cutting edge technical measures necessary to combat highly sophisticated cyber schemes targeting our citizens and businesses.”


In a related action announced today, U.S. and foreign law enforcement officials seized Cryptolocker command and control servers. Cryptolocker is a type of ransomware that locks victims’ computer files and demands a fee in return for unlocking them. Computers infected with Cryptolocker are often also infected with GameOver Zeus.


Evgeniy Bogachev, added to the FBI’s Cyber’s Most Wanted list, was identified in court documents as the leader of a gang of cyber criminals based in Russia and the Ukraine responsible for the development and operation of both the GameOver Zeus and Cryptolocker schemes.


The actions to take down GameOver Zeus were truly collaborative.


“GameOver Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” said FBI Executive Assistant Director Robert Anderson. “The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government.”


http://www.fbi.gov/news/stories/2014...tnet-disrupted

FBI.gov is an official site of the U.S. government, U.S. Department of Justice

GameOver Zeus Botnet

---

Evgeniy Bogachev, who has been added to the FBI’s Cyber’s Most Wanted list, was identified in court documents as the leader of a gang of cyber criminals responsible for the development and operation of both the GameOver Zeus and CryptoLocker schemes.

Evgeniy Bogachev and three JabberZeus subjects are wanted for their alleged involvement in wide-ranging racketeering activities.
Posters: Bogachev | JabberZeus Subjects

View Large Graphic

Protect Your Computer From Malware

- Make sure you have updated antivirus software on your computer.
- Enable automated patches for your operating system and web browser.
- Have strong passwords, and don’t use the same passwords for everything.
- Use a pop-up blocker.
- Only download software—especially free software—from sites you know and trust (malware can also come in downloadable games, file-sharing programs, and customized toolbars).
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an e-mail, even if you think it looks safe. Instead, close out the e-mail and go to the organization’s website directly.

Realtime Coverage

Game Over for 'Gameover' Malware Tom's Guide - ‎2 minutes ago‎ Two of the most insidious and widespread types of malware have been "disrupted," and at least one man allegedly behind them has been indicted, according to an announcement today (June 2) by the United States Department of Justice. In a partnership with ... The Guardian MarketWatch www.worldbulletin.net Public warned of cyber attacks Belfast Telegraph - ‎8 minutes ago‎ US disrupts major hacking, extortion ring; Russian charged Reuters - ‎10 minutes ago‎ Game Over For Zeus Botnet HSToday - ‎13 minutes ago‎ Security: It's a Team Game Techzone360 - ‎21 minutes ago‎ Fed Cyber Sleuths Stop 'Gameover Zeus' and 'Cryptolocker' Crime Sprees ABC News - ‎1 hour ago‎ Show recently hidden article In Depth US disrupts major hacking, extortion ring; Russian charged Reuters - ‎10 minutes ago‎ WASHINGTON (Reuters) - A U.S.-led international operation disrupted a crime ring that infected hundreds of thousands of PCs around the globe with malicious software used for stealing banking credentials and extorting computer owners, the Justice ... REFILE-UPDATE 2-US disrupts major hacking, extortion ring; Russian charged Reuters - ‎2 minutes ago‎ (Corrects spelling of Deloitte in paragraph 14, not Deloite). By Joseph Menn, Jim Finkle and Aruna Viswanatha. WASHINGTON, June 2 (Reuters) - A U.S.-led international operation disrupted a crime ring that infected hundreds of thousands of PCs around the ... Zeus Gameover Botnet Disrupted In Crackdown Tied To Cryptolocker CRN - ‎33 minutes ago‎ Law enforcement agents from 10 countries have struck a serious blow to the notorious Zeus Gameover Botnet that has been a thorn in the side of the financial industry for years, and is believed to have bilked millions of dollars through online banking ... Governments disrupt botnet “Gameover ZeuS“ and ransomware “Cryptolocker” Ars Technica - ‎48 minutes ago‎ WASHINGTON, DC—The Justice Department announced Monday that over the weekend an international law enforcement operation had effectively disrupted a sprawling botnet that delivered “Gameover ZeuS”—a trojan that siphoned passwords to online ... Global law enforcement effort neutralizes botnet Washington Post - ‎1 hour ago‎ In a secret 72-hour blitz over the weekend, the FBI, several foreign governments and a host of security firms dismantled what officials say is the most sophisticated operation ever to commandeer private computers and siphon tens of millions of dollars from ... Your preferred source Hijacked Computer Network Broken Up -- Update Wall Street Journal - ‎2 hours ago‎ WASHINGTON--U.S. and foreign law-enforcement agencies in recent days broke up a network of hijacked computers that authorities say were used by hackers to tap into hundreds of thousands of bank accounts and steal at least $100 million, U.S. officials ... Minister Blaney Commends RCMP, CCIRC and International Partners for Their ... SYS-CON Media (press release) - ‎5 hours ago‎ OTTAWA, ONTARIO -- (Marketwired) -- 06/02/14 -- Today, the Honourable Steven Blaney, Minister of Public Safety and Emergency Preparedness, commended the Royal Canadian Mounted Police (RCMP), the Canadian Cyber Incident Response Centre ... See all 118 articles »

Global law enforcement effort neutralizes ‘botnet’

Ellen Nakashima 8:00 PM ET
The Justice Department has named a Russian man as the mastermind behind the malware Gameover Zeus...

Russian hacker engineered dazzling worldwide crime spree

Donna Leinwand Leger, USA TODAY 7:40 p.m. EDT June 3, 2014


(Photo: XXX)

In the Dark Web world of cyber hackers, "Slavik" achieved legendary stature years ago, then purportedly retired. Instead, authorities say he went on a dazzling crime spree that used more than 1 million infected computers to reach directly into U.S. banks and businesses to steal millions.

The details of Slavik's handiwork continued to spill out Tuesday after the FBI named him as a leader of a computer crime syndicate that spanned several continents and funneled money around the globe — often without being detected.

The FBI has identified Slavik as Evgeniy Mikhailovitch Bogachev, a Russian national whose whereabouts remain a mystery. Prosecutors say he is responsible for two of the most sophisticated and destructive forms of malicious software in existence — Gameover Zeus and CryptoLocker

His alleged bank heists topped $100 million, including nearly $7 million from a bank in North Florida, $374,000 from a PNC bank account belonging to a plastics company in Pennsylvania, and $190,800 from the bank account owned by an assisted-living facility in Pennsylvania, court papers say.

Bogachev allegedly controlled a vast worldwide network that included computers in Canada, Germany, France, Luxembourg, Iran, Kazakhstan, the Netherlands and the United Kingdom. But the backbone of the infrastructure resided in the Ukraine, according to a senior U.S. law enforcement official who was not authorized to speak publicly because of the pending court cases.

The operation to dismantle the network began on May 7 in Donetsk and Kiev, Ukraine, two cities convulsing with political violence. Ukrainian police seized and copied key computers in the network, prosecutors said. On Friday, the FBI, working with police around the world, kicked off a 72-hour operation to shut down every command-and-control computer in the Zeus network.

By Saturday, CryptoLocker had ceased working. By Monday, police had freed more than 300,000 computers from the Zeus network.

Bogachev, 30, who lives luxuriously in Anapa, Russia, a beautiful seaside resort town of 60,000 on the northern coast of the Black Sea, and often sails his yacht to various Black Sea ports, remains a fugitive.

HOW IT WORKS
Gameover Zeus or P2P Zeus, emerged in September 2011. The malicious software is designed to steal confidential banking credentials and passwords.

The heist begins with a phishing e-mail designed to entice a computer user to click on a link. The link launches the virus, which surreptitiously infects the computer. The malware includes a keylogger that can capture every keystroke made by the user and Web injects that can replace a legitimate banking site with a fake site that asks the user for confidential information, such as credit card and Social Security numbers, while still allowing it to communicate with the legitimate site.

The computer becomes part of a network of infected computers, called a "botnet," that can be controlled remotely by the criminals.

Computers in the "botnet" are infected with a code that directs it to communicate once a week with control websites located around the world. Those websites transmit orders to the various computers in the "botnet" and collect the confidential information.

On Oct. 18, 2011, Zeus infected Haysite Reinforced Plastics in Pennsylvania using a phishing e-mail purporting to be from a banking payment network. Instead, the e-mail delivered the malware that ultimately captured banking credentials for the company.

Two days later, the hackers' computers accessed the company's accounts at PNC Bank, created an electronic fund transfer and moved $198,234.93 to an account at SunTrust Bank in Atlanta. The next day, the hackers used another electronic transfer to move the money to accounts in Great Britain.

To draw attention away from the massive transfers, the hackers often created a diversion, such as a "denial of service" attack that would bombard the website with traffic in an attempt to shut it down, the law enforcement official said. While the business scrambled to protect its portal, the hackers would push the wire transfer through unnoticed for hours, the official said. By the time the bank realized the money was missing, the hackers had laundered it through so many accounts it became untraceable.

"Fraudulent wires in the amount of $1 million were very common," FBI Special Agent Elliott Peterson wrote in an affidavit.

Peterson's analysis of one U.S. bank's transaction logs found more than $8 million in Zeus-related losses over 13 months beginning in July 2012.

The syndicate also frequently targeted U.S. hospitals, taking control of the large payroll systems and redirecting direct deposits to hacker-controlled accounts, Peterson wrote.

The hackers also used the Zeus botnet to deploy CryptoLocker, the malware that encrypts a computer's data and locks it up unless a victim pays a ransom. The ransoms, which reached as high as $750, had to be paid in untraceable money cards or bitcoin. The FBI estimates CryptoLocker infected 230,000 computers, including 120,000 in the U.S.

The FBI and private computer security firms have disrupted "botnets" before. Most "botnets" rely on a small number of "command-and-control" servers operated by the hacker that issue orders to the infected computers. Law enforcement can disrupt network by capturing and shutting down the command servers. But the Gameover Zeus network was different.

Instead of a centralized command structure, Zeus made every infected computer part of the control structure, allowing them to traffic stolen data through any computer in the network. Other computers acted as relay points, sending the stolen data back to the hackers and disseminating orders for the network.

HOW THEY CRACKED THE CASE
The FBI took its first hard look at Zeus in October 2011.
A key break in the case came from a compromised computer server in the United Kingdom that FBI agents at first believed served as a communications hub for the hackers. British police secretly copied the contents of the server.

http://www.usatoday.com/story/news/n...ocker/9919985/