Feds shut down $100 million malware network

Today, federal officials announced new charges against the GameOver Zeus botnet, together with coordinated seizures that appear to have stopped the network cold. GameOver Zeus infected as many as a million Windows computers, harvesting user credentials and executing fradulent wire transfers. Today's federal complaint named Russia's Evgeniy Mikhailovich Bogachev as mastermind of the network, tracked down with the help of law enforcement agencies across eleven countries.

"Gameover Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt," the FBI's Robert Anderson Jr. said in a statement.

Feds shut down $100 million malware network

Well, score one for the good guys! The article goes on to state this botnet was also involved in using CryptoLocker, which people may recall, is one of the nastier buggers operating in the wild recently. That one would encrypt your system and then ransom it back to you, if you paid the right amount.

All wasn't what it seemed with that as it was, and it did untold damage. My own school's IT/CIS department was having to screw with some of the peripheral fallout from that specific gem.

They also note this botnet has been active using a complex system of P2P since 2011. Interesting news on that, and downright unnerving on the power and impact of such organized .. yet distributed computing.

As the story quote mentions though, this was apparently an effort with 11 other nations assisting. I've wondered at times, what it takes to go after the really BIG problems on the Internet.

I guess now we know one example. That's what it takes.

---

U.S. Leads Multi-National Action Against “Gameover Zeus” Botnet and “Cryptolocker” Ransomware, Charges Botnet Administrator

^^ That is a D.O.J site with the official release and links to the full documents.

Kind of gets me. The Feds do nothing till the company gets really big. I suppose they can seize more assets that way. That way they possibly don't have to account for where the money goes. Neat...I hope they at least invite me for a free BBQ.

a reply to: Wrabbit2000

Funny you should post this thread because I posted one not long ago which had a link to skynews saying that an attack was coming in 2 weeks time. Here is my thread:

www.abovetopsecret.com...

So, this means my thread is now redundant if they've found the guy?

BTW MY THREAD WAS POSTED 1 HOUR 40 MINS BEFORE YOUR THREAD AND SKYNEWS STILL HAS IT AS THERE HEADLINE STORY.

I'm not sure I understand the contrast, even within Sky's own article. They acknowledge at the end that the FBI has taken control of the Botnet involved and cut off communication with it from the bad guys ..but that, at the end of an article seeming to suggest a two week window to prepare?

Prepare for what, exactly..if they just busted the guys who did it all? I mean, I checked and Yup..your source and mine are both the same day. Your article is quoting someone inside the computer security establishment and I'd think mine was wrong if not for the Justice Department supporting link with far more detailed coverage of what the media did.

Still...They are two apparently valid stories on the same day, apparently reporting two different directions? I'm missing something too....

a reply to: Wrabbit2000
Can't ever really assume you got all of them, maybe that is it?

a reply to: TKDRL

Well, it could be or it could be that one story follows the other with some from the earlier threat position not being aware of what was happening on the wider level? I really don't know... This is the opening line from the D.O.J. official release on it.

The Justice Department today announced a multi-national effort to disrupt the Gameover Zeus Botnet – a global network of infected victim computers used by cyber criminals to steal millions of dollars from businesses and consumers – and unsealed criminal charges in Pittsburgh, Pennsylvania, and Omaha, Nebraska, against an administrator of the botnet. In a separate action, U.S. and foreign law enforcement officials worked together to seize computer servers central to the malicious software or “malware” known as Cryptolocker, a form of “ransomware” that encrypts the files on victims’ computers until they pay a ransom.

Source (emphasis by me)

It looks like two different things were in play and perhaps not everyone from both sides of the effort had the same playbook? In fact, toward the end of the listing from Justice is this:

In addition to the disruption operation against Gameover Zeus, the Justice Department led a separate multi-national action to disrupt the malware known as Cryptolocker (sometimes written as “CryptoLocker”), which began appearing about September 2013 and is also a highly sophisticated malware that uses cryptographic key pairs to encrypt the computer files of its victims. Victims are forced to pay hundreds of dollars and often as much as $700 or more to receive the key necessary to unlock their files. If the victim does not pay the ransom, it is impossible to recover their files.

Again, emphasis added by me there. It sounds like separate things running parallel? A complex story here to be sure.

a reply to: Wrabbit2000
Usually is pretty complicated. A lot of overlap goes on, because people that like to do nefarious things often have their hands in many cookiejars so to speak. Not only the internet organized crime, any organized crime really. Usually try to branch out as much as possible.

Having read both articles & the DOJ report, I can't see any reason for a specific 2 week warning period. One thing I expect to happen is that hackers will be port scanning for computers having files associated with the malware that was being used by Game Over Zeus, and then taking up where the original ring left off. Individual computers could still prove a lucrative target, even if hackers couldn't reroute all responses to a new central location.

Maybe the FBI decided to monitor the botnet for 2 weeks, & then end their surveillance of it? Or maybe that's just someone's guesstimate of how long it would take for someone else to sniff out many of the infected computers in order to set up & use a new botnet for other nefarious purposes. They're also handy for DDOS attacks against websites, among other things.
In case this is a new acronym for anyone here, DDOS = Distributed Denial Of Service.

a reply to: BuzzCory

Perhaps the botnet malware has a deadman switch? If it doesn't get it's instructions, it takes down the computers it has infected. It's something one shouldn't rule out as a possibility.

a reply to: pauljs75

Yeah, thats what I was thinking last night... that its on a timer or something (like a bomb timed to go off).

According to this report today on skynews, the russian is still at large and hasn't been caught.

news.sky.com...

I really don't understand this, saw the breaking news yesterday on BBC that we have "2 Weeks to Prepare". That struck a chord with me straight away.

Then i read this article in the Independent:

www.independent.co.uk...

"the FBI managed to take control of servers used to control the “highly sophisticated” malicious software" - if they have control of the servers, how will there be another attack, whats the problem with just wiping the servers clean and eradicating the whole thing?

And then this made me suspicious - "which has been tailored by a criminal gang based in Russia and the Ukraine"

What a specific area of the world to concentrate on, cause there's no other reason for the US etc to warrant going into that area.