Zeus Gameover Botnet Disrupted In Crackdown Tied To CryptoLocker


Law enforcement agents from 10 countries have struck a serious blow to the notorious Zeus Gameover botnet, which has been a thorn in the side of the financial industry for years and is believed to have bilked millions of dollars through online banking transactions.

The Department of Justice has called the move a multinational effort that seized some of the most critical components of the global botnet, including the infected systems that were spreading the CryptoLocker ransomware. Investigators believe the malware infections may be responsible for stealing more than $100 million globally.

Authorities are attempting to cripple the botnet by jailing the man believed to be its sole administrator. A federal grand jury in Pittsburgh also unsealed a 14-count indictment against Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russian Federation, charging him with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet. Bogachev was also charged by criminal complaint in Omaha with conspiracy to commit bank fraud related to his alleged involvement in the operation of a prior variant of Zeus malware known as “Jabber Zeus.”

[Related: Banking Malware: Sophistication Rises In Longtime Botnet Families]

“This operation disrupted a global botnet that had stolen millions from businesses and consumers, as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General James M. Cole in a statement announcing the action.

A U.S. District Court judge for the Western District of Pennsylvania granted a temporary restraining order to seize the Zeus-infected computers in the Gameover botnet and any servers communicating with them. Several other individuals residing in Russia or Ukraine are also being sought and are believed to be assisting in administering Zeus Gameover.

The Zeus operators often carried out their crimes through man-in-the-browser attacks, hijacking a victim's financial transaction by sitting in the middle of a banking session. Once the session credentials were seized, the attacker could conduct transactions without being detected by the victim or the bank. Antifraud software is increasingly used by banks to detect and prevent the threat. The court documents (PDF) identified a regional bank in northern Florida that lost nearly seven million dollars after the operators of Zeus Gameover allegedly initiated an unauthorized wire transfer using stolen credentials. An Indian tribe in Washington lost more than $277,000, and a Pennsylvania-based manufacturer of composite materials lost $198,000 in similar fraudulent wire transfer schemes.

Gameover, a botnet tied to a variant of the Zeus banking malware, was first detected in 2011. It is responsible for 38 percent of the banking Trojans detected globally, according to Dell SecureWorks researchers who have tracked Zeus Gameover. Mikhailovich allegedly restricted access to the botnet to a tight group of criminals. The botnet is difficult to disrupt because it uses peer-to-peer communication, which masks the location of its command-and-control servers and drop-off points.

The U.S. Computer Emergency Readiness Team issued an alert on Monday to provide victims with information on removing the malware infection from their systems.

The law enforcement action is a positive sign that law enforcement is making some progress against the criminals behind some of the most dangerous threats to businesses and individual computer users, said Nick Peaster, managing director at Sussex, UK-based security systems integrator Preventia Ltd. Peaster said there are 4,000 or more variants of the Zeus banking Trojan, which has had a significant impact on the financial industry since it was first discovered in 2007. Zeus Gameover was one of the largest and most dangerous botnets, and it began to have ties to destructive denial-of-service attacks against some businesses, Peaster told CRN.

"The botnet developed a lot of capability now," Peaster said. "Often these are temporary disruptions and new bad guys surface making this a difficult job for law enforcement."

PUBLISHED JUNE 2, 2014