US-Led Posse Scatters GameOver Zeus Botnet
An estimated 500,000 to 1 million computers worldwide are infected with GOZ, and about 25 percent of them are in the U.S. Total losses worldwide are not known, but it's believed that U.S. victims alone lost $100 million to the Trojan. GOZ's P2P architecture makes it pretty robust, and it's "very likely" that this takedown is just a stopgap measure, said Trustwave's John Miller.
Jun 4, 2014 6:07 AM PT
A worldwide operation led by the United States involving law enforcement, private sector cybersecurity firms and software vendors has disrupted the GameOver Zeus botnet for now.
The U.S. also has filed criminal charges in Pittsburgh, Penn., and Omaha, Neb., against Russian national Evgeniy Mikhailovich Bogachev, and has charged a number of other suspects in the Russian Federation and the Ukraine.
Whether these men will be extradited to the U.S. for trial is not yet clear.
GameOver Zeus' Game
GameOver Zeus, or GOZ, is one of many variants of the notorious Zeus Trojan, first identified in July 2007.
Zeus primarily is used to steal banking information. It also is used to install CryptoLocker ransomware, which encrypts files on victims' computers. The malware writers demand hundreds of dollars for unencrypting the files.
GOZ also is known as P2P Zeus, because it uses a robust peer-to-peer network, unlike other versions of the Trojan, which use a centralized command-and-control server.
Further, GOZ has incorporated Domain Generation Algorithm techniques, which are "very sophisticated," according to Jeremy Demar, director of threat research at Damballa.
"If P2P doesn't work, which is often the case in corporate networks, the bot uses DGA," Demar told TechNewsWorld.
How GOZ Works
GOZ hits victims when they use an unprotected PC to visit a malware-ridden website. The GOZ operators also use Cutwail, one of the largest and most durable botnets around, to phish potential victims.
The botnet may launch distributed-denial-of-service attacks to create a diversion when withdrawing large sums of money from victims' accounts.
Once a computer is infected, the botnet begins logging the keys typed, thus stealing passwords and private account information. This data is sent to the botnet's C&C server and stored there for later use.
Some variants of GOZ disguise them as encrypted .EXE files to get around firewalls, Web filters and network intrusion-detection systems. GOZ also deploys Web injects, which let it modify the HTML of a target website.
Security researchers estimate that between 500,000 and 1 million computers worldwide are infected with GOZ. About 25 percent of them are in the U.S.
Total losses worldwide are not known, but it's believed that U.S. victims alone lost US$100 million to the Trojan.
Breaking Down the Takedown
It took authorities nearly two years to hit GOZ because "takedown of a P2P command-and-control network ... requires a coordinated, global effort to make enough of an impact against the network such that it ... disrupts the ability of the botnet operators to work around the takedown," John Miller, security research manager at Trustwave, told TechNewsWorld.
The U.S. obtained civil and criminal federal court orders to redirect victim computers' automated requests to servers set up by law enforcement. The IP addresses of the victim PCs were collected and sent to US-CERT for distribution to other countries' CERTs and private industry to help their owners remove the malware.
The GOZ and CryptoLocker takedowns "are perhaps the largest experiment to date in global coordination and management of mass cyberinfections," Demar said. "Current priorities are to block, patch and measure. The data will be used to continually improve the security community's response in future campaigns."
The Many Lives of GOZ
GOZ's P2P architecture makes it pretty robust, and it's "very likely" that this takedown is just a stopgap measure, Trustwave's Miller said.
"A takedown of their C&C does little to prevent them from rebuilding the network in much the same way they had built it originally," he explained.
Further, Zeus "is a tool with many versions used by many people," Damballa's Demar said. "You can't wipe it out in any single action. In addition, the source code was leaked years ago, making it easy for threat actors to spin off different variants."
Authorities say consumers have two weeks to ensure their PCs are protected before the operators of the GOZ Trojan resume their activities following their setback.