On Monday, the U.S. Department of Justice announced that an expansive effort involving the FBI, DOJ, international law enforcement and security firms had disrupted the Gameover Zeus botnet.
Criminal charges against the 30-year-old Russian, Evgeniy Bogachev, were unsealed Monday in Pittsburgh, Pa., and Omaha, Neb., according to the DOJ release.
In Pittsburgh, Bogachev was charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover Zeus botnet, which consists of a network of 500,000 to one million infected computers running the Windows platform, the release said. In Omaha, federal prosecutors charged Bogachev with conspiracy to commit bank fraud related to an operation spreading an older variant of Zeus, dubbed “Jabber Zeus.”
Gameover came on the scene in the middle of 2011 and has similar properties to older variants of Zeus, such as logging keystrokes to steal banking credentials, but it also comes packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions. In February, Dell SecureWorks Counter Threat Unit (CTU) named Gameover the most active banking trojan in 2013.
Now, federal prosecutors believe they've pegged a central figure behind the botnet.
Bogachev, who remains at large, was described as a “leader of the tightly knit gang of cyber criminals based in Russia and Ukraine that is responsible for the development and operation of both the Gameover Zeus and Cryptolocker schemes,” the DOJ release said.
The suspected botnet administrator also goes by the online aliases “Slavik,” “Pollingsoon,” and “Lucky12345.”
Through investigations, law enforcement found that the Gameover infrastructure was also used to distribute Cryptolocker, ransomware believed to have infected more than 234,000 computers worldwide since it appeared last fall.
Cryptolocker notably made its way onto the computer systems of a Vermont chamber of commerce in February, and even impacted a Massachusetts police department last November, prompting the force to pay a $750 ransom to recover computer files that the malware had encrypted.
According to the Monday DOJ release, prosecutors found that phishing emails, designed to look like voicemail or shipping confirmation messages, were often used to spread Cryptolocker to unsuspecting users.
With the Gameover takedown efforts, the FBI estimates that it has disrupted a botnet responsible for more than $100 million in losses.
On Monday, Adam Meyers, Vice President of Intelligence at CrowdStrike, told SCMagazine.com that the disruption showcased a “pretty substantial effort” by law enforcement and the research community, as Gameover Zeus is a “complex piece of infrastructure.”
CrowdStrike, along with Dell SecureWorks, played a major role in the technical takedown of the botnet.
In particular, the Gameover Zeus malware utilized a domain-generation algorithm (DGA), which allows infected machines to generate a list of domain names for control hub communication and, therefore, conceal the botnet's infrastructure.
“We reverse engineered the malware and understood what the domain-generation algorithm [of Gameover] looked like to shut down all the domains that it might call out to,” Meyers said of the takedown efforts.
According to DOJ, the U.S. obtained civil and criminal court orders to redirect botnet communications from attacker-operated servers to “substitute servers” established by law enforcement.
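The workflow Meyers describes, as an added example that is neither the researchers' code nor the actual Gameover Zeus algorithm: a constructed, date-seeded toy DGA stands in for the real one, its domains are enumerated over a window so they can be sinkholed or blocked ahead of time, and constructed resolver log lines are checked against that set. The `toy_dga` function, its seed, and the log line format are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constructed toy DGA for illustration only; it is NOT the Gameover Zeus
# algorithm. Real DGAs differ in seed, period and domain length, but the
# defensive workflow is the same: once the algorithm is recovered, every
# domain the bots could call out to is known in advance.
TLDS = ("com", "net", "org")

def toy_dga(day: date, count: int = 5, seed: bytes = b"toy-seed") -> list[str]:
    """Return the `count` candidate C2 domains a toy bot would try on `day`."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        domains.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return domains

def candidate_domains(start: date, days: int) -> set[str]:
    """Enumerate every domain the toy DGA can produce over a window of days.
    This is the list a takedown registers, sinkholes or blocks ahead of time."""
    found = set()
    for offset in range(days):
        found.update(toy_dga(start + timedelta(days=offset)))
    return found

def flag_dga_queries(log_lines: list[str], candidates: set[str]) -> list[tuple[str, str]]:
    """Match resolver log lines of the assumed form
    '<timestamp> <client-ip> query <name>' against the precomputed candidate
    set; each hit is a (client-ip, name) pair worth investigating."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query" and parts[3].lower().rstrip(".") in candidates:
            hits.append((parts[1], parts[3]))
    return hits

# Constructed sample resolver log: two DGA lookups and one benign query.
DAY = date(2014, 6, 2)
SAMPLE_LOG = [
    f"2014-06-02T10:15:03Z 10.0.0.5 query {toy_dga(DAY)[0]}",
    "2014-06-02T10:15:04Z 10.0.0.5 query www.example.com",
    f"2014-06-02T10:15:05Z 10.0.0.9 query {toy_dga(DAY)[3]}.",
]

if __name__ == "__main__":
    window = candidate_domains(DAY, 7)
    for client, name in flag_dga_queries(SAMPLE_LOG, window):
        print(f"{client} queried DGA candidate {name}")
```

The same precomputed set is what a sinkhole operator registers or points at substitute servers, so matching hits identify infected clients rather than just blocked lookups.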
In a statement, FBI Executive Assistant Director Robert Anderson Jr. said that the Gameover Zeus botnet was the “most sophisticated botnet the FBI and [its] allies have ever attempted to disrupt.”
“The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government,” Anderson said.
In addition to the U.S., law enforcement in 10 countries, including Canada, Australia, Germany, France, the U.K., and Ukraine, were involved in the operation.