Gameover ZeuS

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and for being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which, combined with other security measures such as rootkits, made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev, which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts by law enforcement and security researchers to combat it, using a large money laundering network and DDoS attacks, the latter serving both as retaliation and as a form of distraction during thefts.

In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement agencies and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.


Background and early history


Zeus

Zeus is a family of Trojan horses and related crimeware which first appeared in 2007. The chief characteristic of Zeus variants is their ability to integrate infected machines into botnets, systems of multiple devices that could be controlled remotely through the malware. The creator and main developer of the original Zeus was Evgeniy Bogachev, also known as "lucky12345" and "slavik". The original version of Zeus was "kit malware": a prospective cybercriminal would purchase a license to use a copy of Zeus or obtain an inferior, free version. With the license, the purchaser could use Zeus to make their own Trojan, which they could use as they pleased. In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor called SpyEye. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus. In fact, Bogachev had not retired, but had transitioned from selling Zeus as kit malware to the general criminal underground to selling access to fully completed versions of the Trojan to a narrower clientele. This "private" version of Zeus became known as Zeus 2.1, or Jabber Zeus. Jabber Zeus-facilitated crimes were run by an organized crime syndicate, of which Bogachev was a key member, which largely dissolved in 2010 due to police action.


Origins and names

GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1. In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants. Security researchers have variously attributed the leak to Bogachev or Aleksandr Panin, the creator of SpyEye. Cybersecurity advisor Sean Sullivan noted that the leak was convenient for Bogachev, who could refocus on new criminal ventures whilst investigators were distracted by the new Zeus variants. Researchers became aware of the GameOver ZeuS botnet in 2011. In January 2012, the FBI issued warnings to companies instructing them to look out for GOZ. The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel. Other names have included peer-to-peer ZeuS, ZeuS3, and GoZeus. The malware was known within Bogachev's crime network as Mapp 13, "13" being the version number.


Criminal activity


Modus operandi and management

GameOver ZeuS was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.

Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club, mostly Russians and Ukrainians. The network also employed technical support staff for the malware. The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar. Business club members did not exclusively use GOZ and were often members of other malware networks. Nonetheless, the United States Department of Justice (DOJ) described the group's members as "tightly knit". In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work. Money mules were not aware that they were handling stolen funds or working for a criminal syndicate. The business club controlled all GameOver ZeuS activity from 2011 to 2014. The syndicate primarily used GOZ to engage in bank fraud and extortion; however, other revenue streams such as click fraud and renting out the botnet were known to exist.


Bank theft and interface

GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging. However, the malware was capable of using browser hijacking to bypass two-factor authentication, and its interface had a special "token grabber" panel to facilitate these man-in-the-browser attacks, titled "World Bank Center" and with the slogan "we are playing with your banks". By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money, usually hundreds of thousands or millions of dollars. In one instance, $6.9 million was stolen from a single victim. In 2013, GOZ accounted for 38% of thefts pursued in this manner.

Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to divert the attention of network administrators away from the theft. The DDoS attacks were performed using a commercially available kit named "Dirt Jumper". Stolen money was routed through a large network of money mules before it reached the criminals, hiding its origin and destination from authorities. By June 2014, more than $100 million had been stolen in the United States alone. The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whichever team was west of them when their shift ended. The final destination of most money mule transfers was shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the China–Russia border.

The interface controlling the botnet could be used to read data logged by the bots and execute commands. In addition to the token grabber panel, another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" to which money would be indirectly sent. Botnet managers were also allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.


CryptoLocker

In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key. Josephine Wolff, assistant professor of cybersecurity policy at Tufts University, has speculated that there were two motivations behind the pivot to ransomware. Firstly, ransomware was a more secure means of making money from GOZ than bank theft: it could take money from victims with less work on the criminals' part, and the anonymous payment methods did not need to be laundered through money mules, whose loyalties were in question because they did not know they were working for criminals. Secondly, ransomware took advantage of the criminals' access to data on infected computers that was significant to victims but of no immediate value to the criminals, such as photographs and emails. Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant stealing from directly.

Between 200,000 and 250,000 computers were attacked by CryptoLocker beginning in 2013. The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen. However, Michael Sandee, one of the researchers who helped take down the original GameOver ZeuS botnet, has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity. Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set, through CryptoLocker, for future ransomware attacks.


Espionage

Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine, and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government. The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014. OPEC member states were also targeted. Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent", and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense". Botnets used for espionage were run separately from those used for financial crime. It is unclear who specifically was responsible for the espionage operations; while security researcher Tillmann Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Sandee has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret. Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended, despite living openly and under his own name in Russia.


Technical features


Botnet structure

Botnet-building capabilities were common to all Zeus variants; however, iterations of the malware prior to GameOver ZeuS created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server. GOZ distinguished itself from these prior instances by utilizing a decentralized, peer-to-peer (P2P) infrastructure, in which infected computers mostly communicated with each other rather than with a C2 server. At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers.

The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from the infected machines was sent. This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time. Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster. Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes.


Security

GOZ contained several security features designed to prevent full analysis of the botnet, particularly by restricting the activities of crawlers and sensors, as well as to prevent shutdown attempts. Many of these features were implemented to counter attack methods commonly used against prior iterations of Zeus, and GameOver ZeuS was noted by security researchers Dennis Andriesse and Herbert Bos as a "significant evolution" and more resilient than its predecessors. The effectiveness of these mechanisms led GOZ to be considered a sophisticated botnet, with US Deputy Attorney General James M. Cole calling it "the most sophisticated and damaging botnet we have ever encountered". Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation (FBI) to analyze GameOver ZeuS, similarly acknowledged that the botnet was well secured against the efforts of law enforcement and security experts.

Crawlers were inhibited via various means. Each bot had fifty peers; however, a bot that was requested to provide a list of its peers would only return ten. Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatically blacklisted, halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations. Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet. GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts.

In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers. The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network. The servers themselves were provided by a bulletproof hosting service, and were difficult to take down because the servers did not have actual IP addresses; traffic was routed from virtual IP addresses that did not correspond to any device. Taking down the addresses, therefore, would not affect the servers.

Communications between bots were encrypted. The algorithm used for this changed over time: prior to June 2013, GOZ used an XOR cipher, but new bots after June 2013 used RC4, which made infiltrating the botnet more difficult. Additionally, important communications coming from the botnet's managers were signed using RSA. A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses. The malware itself was also difficult to remove, owing to a rootkit contained in it. The rootkit, Necurs, was taken from a different piece of malware.
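To make the crawler-inhibition figures above concrete, the following is an added simulation (not GOZ code, and not from any of the researchers named on this page) of a bot that holds fifty peers, answers each peer-list request with ten of them, and blacklists an address once it exceeds a request budget; the budget of five requests per IP is an assumption, since the page gives no threshold. It also computes the expected coverage a crawler obtains from a given number of replies, which the article describes only qualitatively.

```python
"""Constructed model of GOZ-style partial peer-list disclosure and per-IP rate limiting."""
import math
import random
from dataclasses import dataclass, field

PEER_LIST_SIZE = 50   # each bot kept about fifty peers (stated on the page)
PEERS_RETURNED = 10   # a peer-list request only returned ten (stated on the page)
REQUEST_BUDGET = 5    # assumed per-IP threshold; the real value is not given on the page


@dataclass
class SimulatedBot:
    """One node holding a hidden peer list; peers are opaque constructed ids."""
    peers: list
    rng: random.Random
    requests_seen: dict = field(default_factory=dict)
    blacklist: set = field(default_factory=set)

    def peer_list_request(self, src_ip):
        """Return a random subset of PEERS_RETURNED peers, or None once src_ip is blacklisted."""
        if src_ip in self.blacklist:
            return None
        count = self.requests_seen.get(src_ip, 0) + 1
        self.requests_seen[src_ip] = count
        if count > REQUEST_BUDGET:
            # Rapid repeated requests from one address: flag it as a crawler and drop all traffic.
            self.blacklist.add(src_ip)
            return None
        return self.rng.sample(self.peers, PEERS_RETURNED)


def make_bot(seed):
    """Build a bot with a constructed, seeded peer list so runs are reproducible."""
    rng = random.Random(seed)
    return SimulatedBot(peers=[f"peer-{i:02d}" for i in range(PEER_LIST_SIZE)], rng=rng)


def crawl_from_single_ip(bot, src_ip):
    """Query from one address until blacklisted; return the set of peer ids learned."""
    learned = set()
    while True:
        reply = bot.peer_list_request(src_ip)
        if reply is None:
            return learned
        learned.update(reply)


def crawl_from_many_ips(bot, ip_pool):
    """Spread requests over many source addresses, staying under each address's budget.

    Returns (peers learned, requests issued). This models why mapping the botnet
    required many vantage points rather than one fast crawler.
    """
    learned = set()
    requests = 0
    ips = iter(ip_pool)
    ip = next(ips)
    while len(learned) < len(bot.peers):
        if bot.requests_seen.get(ip, 0) >= REQUEST_BUDGET:
            ip = next(ips, None)   # rotate to a fresh address before tripping the limit
            if ip is None:
                break
            continue
        learned.update(bot.peer_list_request(ip))
        requests += 1
    return learned, requests


def expected_coverage(rounds, n=PEER_LIST_SIZE, k=PEERS_RETURNED):
    """Expected distinct peers seen after `rounds` independent replies of k out of n.

    A given peer is absent from one reply with probability (1 - k/n), so the
    expected coverage after r replies is n * (1 - (1 - k/n) ** r).
    """
    return n * (1 - (1 - k / n) ** rounds)


def rounds_for_coverage(target_fraction, n=PEER_LIST_SIZE, k=PEERS_RETURNED):
    """Smallest number of replies whose expected coverage reaches target_fraction of n."""
    return math.ceil(math.log(1 - target_fraction) / math.log(1 - k / n))


if __name__ == "__main__":
    bot = make_bot(seed=1)
    seen = crawl_from_single_ip(bot, "198.51.100.7")   # RFC 5737 documentation address
    print(f"single IP learned {len(seen)} of {PEER_LIST_SIZE} peers before being blacklisted")
    bot = make_bot(seed=1)
    pool = [f"203.0.113.{i}" for i in range(1, 255)]   # constructed pool of crawler addresses
    seen, n_req = crawl_from_many_ips(bot, pool)
    print(f"many IPs learned {len(seen)} peers in {n_req} requests with no blacklisting")
    print(f"expected coverage after {REQUEST_BUDGET} replies: {expected_coverage(REQUEST_BUDGET):.1f}")
    print(f"replies needed for 99% expected coverage: {rounds_for_coverage(0.99)}")
```

The single-address crawl stops at roughly two thirds of the peer list on average, while reaching 99% expected coverage needs 21 replies, which is why a per-IP budget in the single digits forced researchers to distribute their crawling.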


Investigations, takedown, and re-emergence


Operation b71

On March 25, 2012, Microsoft announced that GameOver ZeuS had been "disrupted in an unprecedented, proactive cross-industry operation" codenamed "Operation b71". The operation was widely criticized by computer security experts for violating data privacy norms, inadvertently taking down legitimate domains, and interfering with criminal investigations into the botnet's creators and managers, including a blog post from Sandee characterizing the operation as "irresponsible" and "a major setback". Operation b71 ultimately failed to shut down GameOver ZeuS due to its peer-to-peer architecture. Two other attempts by security researchers between 2012 and January 2013 to take down the botnet were also unsuccessful.


Operation Tovar

The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar", helmed by the FBI and also involving around 20 companies and private institutions, including CrowdStrike, McAfee, and Carnegie Mellon University. Planning for Operation Tovar began in 2012, with the FBI beginning to work together with private cybersecurity firms to combat GOZ. By 2014, authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server, combined with interviews with former money mules, allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email (which had been provided by a tipster) with the IP used to administer the botnet; although he had used a virtual private network (VPN) to obscure his address, Bogachev had used the same one for both tasks. The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities, with Ukraine being the first to do so on May 7, 2014. US officials wanted Ukraine to begin its seizures on May 29, but they were pushed forward due to the Russo-Ukrainian War.

With preparations finished, Operation Tovar began on May 30 and was completed within four to five hours. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers. Since the GOZ-controlled domains were registered in Russia, outside American jurisdiction, law enforcement ordered US-based internet service providers to direct attempts to contact GOZ-controlled domains towards FBI-controlled servers before the queries reached Russia. The technical details of the operation largely remain classified. Additionally, law enforcement in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, and the United Kingdom began seizing key GOZ servers on May 30. On June 2, the United States Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day. However, authorities also warned that the botnet would likely return within two weeks. On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent and that nearly all infected computers had been "liberated from the criminals' control". On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest, at the time the largest-ever reward for a cybercriminal. Bogachev remains wanted as of 2024.
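The sinkholing mechanism described above, as an added illustration that is not part of the original article and not the real GameOver ZeuS code: once the DGA is understood, a resolver can precompute the day's domains and answer those queries with a sinkhole address instead of forwarding them, while counting which clients hit the sinkhole as infection telemetry. The `placeholder_dga` function is a hypothetical stand-in for the reverse-engineered algorithm (not the actual GOZ DGA), the `.example` TLD and the 192.0.2.1 sinkhole address are reserved documentation values, and all query traffic is constructed.

```python
from __future__ import annotations
import hashlib
from datetime import date

# Hypothetical placeholder DGA, NOT the real GameOver ZeuS algorithm: derives
# `count` domains for a given day from a seed, so a defender who knows the seed
# and date can enumerate the day's rendezvous domains ahead of the bots.
def placeholder_dga(seed: str, day: date, count: int) -> list[str]:
    domains = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).hexdigest()
        domains.append(h[:12] + ".example")   # .example is reserved, never routable
    return domains

SINKHOLE_IP = "192.0.2.1"   # TEST-NET-1 address, standing in for the sinkhole server

class SinkholeResolver:
    """Resolver policy modelled on the operation: queries for precomputed DGA
    domains are answered with the sinkhole address instead of being forwarded
    upstream, so the bot never reaches the real command server."""

    def __init__(self, dga_domains: list[str]) -> None:
        self.blocklist = set(dga_domains)
        self.hits: dict[str, int] = {}   # client -> sinkholed queries (telemetry)

    def resolve(self, client: str, qname: str) -> tuple[str, bool]:
        name = qname.rstrip(".").lower()          # normalise trailing dot / case
        if name in self.blocklist:
            self.hits[client] = self.hits.get(client, 0) + 1
            return SINKHOLE_IP, True              # answered locally, never forwarded
        return "forward", False                   # benign name: normal upstream lookup

def sinkholed_clients(resolver: SinkholeResolver) -> list[str]:
    """Clients that queried at least one DGA domain, i.e. likely infected hosts."""
    return sorted(resolver.hits)

# Constructed demo data (not real infection records).
DAY = date(2014, 5, 30)
DOMAINS_1K = placeholder_dga("variant-A", DAY, 1000)   # 1,000-domains-per-day profile
RESOLVER = SinkholeResolver(DOMAINS_1K)
QUERIES = [("10.0.0.5", DOMAINS_1K[0]), ("10.0.0.5", DOMAINS_1K[7]),
           ("10.0.0.9", "www.wikipedia.org"), ("10.0.0.12", DOMAINS_1K[999] + ".")]

if __name__ == "__main__":
    for client, q in QUERIES:
        print(client, q, RESOLVER.resolve(client, q))
    print("sinkholed clients:", sinkholed_clients(RESOLVER))
```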


Re-emergence as "newGOZ"

Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies. The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into. However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet. The original GameOver ZeuS and newGOZ botnets were separate entities; the lists of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down". The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections—the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus. On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ. Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well. As of 2017, variants of Zeus constitute 28% of all banking malware. However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware.


See also

* Timeline of computer viruses and worms

Similar Russian and Eastern European cybercrime groups:
* Avalanche, used botnets and email spam
* Berserk Bear, advanced persistent threat known to employ cybercriminals
* REvil, employed ransomware

Similar botnets:
* Conficker, an extremely prolific botnet at its peak
* Sality, another peer-to-peer botnet
* Torpig, another botnet spread through Trojan horses
* Tiny Banker Trojan, derived from Zeus
* ZeroAccess botnet, also P2P and spread via Trojans



External links


* Wanted poster of Bogachev
* Indictment of Bogachev for ZeuS-facilitated crimes