The GameOver Zeus botnet infected computers worldwide.

How The FBI Stopped The $100 Million GameOver Zeus Botnet

The U.S. is bringing charges against a Russian cybercrime group that operated the massive botnet called GameOver Zeus.

More than 1 million computers, 25% of them in the U.S., were infected with the botnet malware, which allowed hackers to access the computers to send spam, participate in distributed-denial-of-service (DDoS) attacks, and steal bank account logins.

The yellow dots on the map above show the approximate locations of infected computers.

More than $100 million was lost globally, the FBI estimates (pdf), stolen or ransomed from users who unwittingly downloaded the software through spam or phishing emails.

Two different methods were used to steal the money:

The GameOver Zeus botnet bank scam

Keylogging software embedded in GameOver Zeus tracked what a user typed into their computers, allowing hackers to harvest logins for bank accounts that could later be used to authorize transactions.

Money transfers were cloaked through the use of third-party “money mules” (pdf) that transferred the money from the compromised bank accounts to the hackers.

Cryptolocker ransomware

Not only was the network used for keylogging, however – many bot computers were also victims of the “ransomware” called Cryptolocker.

This software essentially encrypts all information on the computer, making it inaccessible. To unlock the encryption, victims have to pay the hackers a certain amount, sometimes as much as $300, or lose everything.

Payments were accepted in bitcoins or prepaid cash vouchers, and hackers even set up a customer service website to help victims complete the bitcoin transactions. It was apparently lucrative, garnering the hackers $27 million within the first two months of operation, according to the Washington Post.

How the GameOver Zeus botnet was stopped (for now)

In a coordinated effort in late May, more than 300,000 computers were freed from the botnet. The FBI worked along with law enforcement from more than 10 countries and more than a dozen security firms, tracking down and seizing servers in several European countries as well as Canada.

Officials called it one of the most complex cyber security operations ever performed, owing to the network’s sophistication.

Unlike a regular botnet, which will relay information from enslaved computers to a central command server, the GameOver Zeus botnet ran on a peer-to-peer basis. By distributing data among all participants in the network, it eliminated the single point of failure a command server represents.

It also had a built-in fail-safe system. Each week, an algorithm generated 1000 domain names across several top-level domains, which all computers on the botnet tried to connect to. As long as the hackers in charge could access at least one of these domains, they could control the botnet.

In order to disable the network, the FBI had to reverse-engineer the algorithm, and figure out which domain names would be used the week it would strike.

Once it had, it issued a restraining order (pdf) banning service providers and domain registrars from connecting users to those domains. This way, all domains went offline at once, and the hackers lost control of the network.
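As an added illustration, not code from the article or from the FBI's analysis, the following sketches a hypothetical domain generation algorithm of the kind described above and the defender's use of it: enumerate the week's domains in advance and flag DNS lookups that hit the list. The seeding scheme, TLD list and log format are constructed assumptions and do not reproduce the real GameOver Zeus generator.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical parameters: the real GameOver Zeus generator is not reproduced here.
TLDS = ("com", "net", "org", "biz", "info")
DOMAINS_PER_WEEK = 1000


def week_seed(day: date) -> bytes:
    """Map every day of an ISO week to its Monday so the whole week shares one seed."""
    monday = day - timedelta(days=day.weekday())
    return monday.isoformat().encode()


def generate_domains(day: date, count: int = DOMAINS_PER_WEEK) -> list[str]:
    """Deterministically enumerate the week's candidate domains from the seed."""
    seed = week_seed(day)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])  # 12 letters a-z
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def flag_dga_lookups(dns_log_lines: list[str], day: date) -> list[tuple[str, str]]:
    """Return (client, domain) pairs whose queried name is on that week's list.
    Constructed log line format: '<timestamp> <client-ip> <qname>'."""
    blocklist = set(generate_domains(day))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample: one host querying a generated domain among benign lookups.
TAKEDOWN_WEEK = date(2014, 5, 30)
SAMPLE_LOG = [
    "2014-05-30T09:12:01 10.0.0.12 www.example.com",
    f"2014-05-30T09:12:07 10.0.0.44 {generate_domains(TAKEDOWN_WEEK)[7]}",
    "2014-05-30T09:12:09 10.0.0.12 mail.example.org",
]

if __name__ == "__main__":
    for client, domain in flag_dga_lookups(SAMPLE_LOG, TAKEDOWN_WEEK):
        print(f"possible botnet beacon: {client} -> {domain}")
```

Because the list depends only on the week's seed, a registrar or resolver can compute it before the week begins and refuse those names, which is the effect the restraining order achieved.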

However, similar networks could arise later, and many computers are still infected, leaving them vulnerable to being taken over again if the hackers regain control of the network.

How you can make sure you’re not infected:

The U.K. non-profit Get Safe Online has published a useful guide to protecting yourself against the GameOver Zeus botnet.

If you’re looking for a simpler solution, the Finnish firm F-Secure has a one-click scanner that tells you whether your computer is infected by GameOver Zeus – however, it’s recommended to go the extra step and install a trusted scanner as listed in the Get Safe Online Guide.

What to take away from the indictment against the GameOver Zeus botnet hackers:

  • The botnet is down, but not out: hackers could easily (pdf) reassemble a similar network.

  • This case sets a potentially new legal precedent in cyber security, as pointed out by the blog Lawfare: the government was authorized by courts to send software commands to private computers that had unknowingly been infected.

  • No matter how clever the network, the hacker behind it was still caught in a very mundane way, similar to the Silk Road’s Dread Pirate Roberts: he used his real name in an email address used to log into a botnet control website, without masking his IP.

  • The mastermind, however, a Russian citizen by the name of Evgeniy Bogachev, is unlikely to go to jail – Russia has no extradition treaty with the U.S.

Ole Skaar