Information security now!
Operation Tovar - authorities took actions against the Gameover ZeuS botnet
03.06.2014 at 14:18
The police operation, named "Operation Tovar", is part of the authorities' fight against a criminal network spreading malware. The operation was carried out in international cooperation: the participants included the United States Federal Bureau of Investigation (FBI), Europol, the UK National Crime Agency (NCA), the information security companies CrowdStrike, Dell SecureWorks, Symantec, Trend Micro, F-Secure and McAfee, and researchers from European universities.
As a threat, Gameover ZeuS has been hard to block. Normally, malware sends messages to command-and-control (C2) servers controlled by the criminals in order to receive commands and to forward data stolen from users back to the operators. Taking over the command-and-control servers, or redirecting the traffic intended for them to a server administered by a trusted party, has been the conventional way of disrupting malware networks. This method is called "sinkholing".
Gameover ZeuS includes peer-to-peer (p2p) functionality, which makes the disruption of its command-and-control servers ineffective. Infected computers can receive commands even when a command-and-control server does not answer: the malware on each infected computer maintains a list of other infected computers and can distribute updates and configuration files, and forward stolen data, directly to those computers without a centralised command-and-control server. This is why blocking Gameover ZeuS has been so difficult; removing a command-and-control server from the equation has not stopped the malware from working.
The exact method used to attack the malware's p2p network traffic has not been published. The FBI states in its press release, however, that the malware was attacked by redirecting the communications between infected computers to computers controlled by the authorities and researchers. The goal was to pass information about the infection, and instructions for removing the malware, to the owners of the infected computers. The FBI assures in its statement that the personal data on the infected computers was not touched during the operation.
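To make concrete why the peer-to-peer design resists the conventional takedown, the following small simulation is added here as an illustration; it is not part of the original NCSC-FI text, and it does not describe Gameover ZeuS's real protocol or the method used in Operation Tovar. The hostnames, the ring-plus-random peer lists and the pull-style gossip are assumptions of the model. It runs three scenarios: a centralised botnet whose C2 host is sinkholed, a mesh whose C2 host is sinkholed, and a mesh whose peer traffic is redirected to the sinkhole as well.

```python
"""Conceptual model of sinkholing a centralised botnet versus a peer-to-peer one.

Added illustration only: the hostnames, peer-list layout and pull-style gossip are
assumptions of this model, not Gameover ZeuS's real protocol or the method used in
Operation Tovar.
"""
import random

C2_HOST = "c2.example"   # hypothetical command-and-control hostname
SINKHOLE = "sinkhole"    # hypothetical server run by a trusted party


class Bot:
    def __init__(self, name):
        self.name = name
        self.peers = []           # names of peers this bot asks when C2 is silent
        self.config_version = 0   # newest command/configuration version obtained


class Botnet:
    def __init__(self, size, p2p, seed=7):
        rng = random.Random(seed)
        self.p2p = p2p
        self.bots = [Bot(f"bot{i}") for i in range(size)]
        self.dns = {C2_HOST: C2_HOST}   # where traffic for C2_HOST actually ends up
        self.c2_version = 1             # version the criminals want every bot to run
        self.sinkhole_contacts = set()  # bots the sinkhole has seen (to notify owners)
        if p2p:
            for i, bot in enumerate(self.bots):
                # Assumption: each bot knows its ring neighbour plus four random peers,
                # which keeps the mesh connected for the demonstration.
                ring = self.bots[(i + 1) % size].name
                others = [b.name for b in self.bots if b.name not in (bot.name, ring)]
                bot.peers = [ring] + rng.sample(others, k=min(4, len(others)))

    def sinkhole_c2(self):
        """Conventional takedown: traffic to the C2 host now reaches the sinkhole."""
        self.dns[C2_HOST] = SINKHOLE

    def sinkhole_peers(self):
        """Model of the P2P takedown: peer traffic is redirected to the sinkhole too."""
        for bot in self.bots:
            bot.peers = [SINKHOLE]

    def _contact(self, bot, target):
        """Version handed back when `bot` asks `target`; the sinkhole logs the caller but gives nothing."""
        if target == SINKHOLE:
            self.sinkhole_contacts.add(bot.name)
            return 0
        if target == C2_HOST:
            return self.c2_version
        return next(b for b in self.bots if b.name == target).config_version

    def run(self, seeds=1):
        """Criminals push a new config via C2 and, in a mesh, by seeding `seeds` bots directly."""
        for bot in self.bots:
            bot.config_version = max(bot.config_version,
                                     self._contact(bot, self.dns[C2_HOST]))
        if self.p2p:
            for bot in self.bots[:seeds]:
                bot.config_version = self.c2_version  # operator joins the mesh as a peer
        for _ in range(len(self.bots)):              # pull-style gossip rounds
            changed = False
            for bot in self.bots:
                newest = max((self._contact(bot, p) for p in bot.peers), default=0)
                if newest > bot.config_version:
                    bot.config_version = newest
                    changed = True
            if not changed:
                break
        return sum(b.config_version == self.c2_version for b in self.bots)


def scenarios(size=30):
    """Return how many bots still receive commands under each takedown, and how many
    infected machines the sinkhole identified in the last scenario."""
    centralised = Botnet(size, p2p=False)
    centralised.sinkhole_c2()
    reached_central = centralised.run()      # sinkholing C2 cuts every bot off

    mesh = Botnet(size, p2p=True)
    mesh.sinkhole_c2()
    reached_mesh = mesh.run()                # the same takedown leaves the mesh working

    mesh_taken = Botnet(size, p2p=True)
    mesh_taken.sinkhole_c2()
    mesh_taken.sinkhole_peers()
    reached_taken = mesh_taken.run()         # only directly seeded bots get commands
    return reached_central, reached_mesh, reached_taken, len(mesh_taken.sinkhole_contacts)


if __name__ == "__main__":
    print(scenarios())   # (0, 30, 1, 30)
```

The third scenario is also the point of the FBI's stated goal: once peer traffic lands on the sinkhole, the sinkhole sees every infected machine that tries to talk, which is what makes notifying owners possible, while the one bot the operator seeds directly never manages to pass its commands on.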
Gameover ZeuS belongs to the ZeuS malware family. The number of computers infected by ZeuS malware worldwide is estimated at between 500,000 and 1,000,000. ZeuS malware is primarily used for stealing banking credentials and for so-called Man-in-the-Browser attacks, in which falsified content is injected directly into the user's browser, for example during an online banking session. According to some estimates, a total of USD 100 million has been stolen from bank accounts by means of these attacks, which are among the most advanced forms of modern cyber crime. A computer infected with Gameover ZeuS can also be used as part of distributed denial-of-service (DDoS) attacks, for phishing users' passwords and usernames, and for sending spam. The malware embeds itself deep in the operating system, which makes it difficult to detect and remove.
Gameover ZeuS usually infects computers via targeted malicious e-mail messages. Such messages are particularly effective because they are disguised as trustworthy, genuine messages using background information gathered on the victims. Criminals collect this information from open sources on the internet, such as companies' websites, social media services and other places where people share information about themselves. A targeted message may be sent to a company's e-mail address and disguised as one concerning the company's business; the file attached to it, however, contains malware that infects the computer.
Gameover ZeuS is also used as a mechanism for spreading other malware. One of these is CryptoLocker, which encrypts the user's files and extorts money from its victims for decrypting them. If the user does not pay the ransom demanded by the malware, the encryption key is destroyed and the user's access to their own data is lost. On 11 November 2013, FICORA's NCSC-FI published an Information Security Now! article about CryptoLocker. The subject was also discussed in the "New phenomena" section of Information security review 4/2013.
The United States Department of Justice has issued a warrant for the arrest of Evgeniy Mikhailovich Bogachev, a Russian national. Bogachev is suspected of creating both CryptoLocker and Gameover ZeuS, and has also used the online aliases "lucky12345", "slavik" and "Pollingsoon".
NCSC-FI is not aware of Gameover ZeuS or CryptoLocker campaigns specifically targeted at Finland or Finnish internet users. However, the internet is a global medium and national borders have little meaning on the web, so Finnish users are exposed to the threats posed by these malware families as well. The same general guidelines apply to protecting against Gameover ZeuS and CryptoLocker as to protecting against other malware:
- Keep your operating system and software updated
- Use up-to-date antivirus software
- Do not open e-mail attachments unless you are sure who sent the message
- Take back-up copies of your files on a separate disk that is disconnected from the computer and stored in a safe place.
If your computer is infected by malware, you should take at least the following measures:
- Change your passwords in all the services you use, doing so from a computer you know to be clean
- Remove malware with a suitable software tool or, if necessary, contact a professional
US-CERT - Gameover ZeuS: https://www.us-cert.gov/ncas/alerts/TA14-150A
US-CERT - CryptoLocker: https://www.us-cert.gov/ncas/alerts/TA13-309A
The Finnish Communications Regulatory Authority (FICORA)
The National Cyber Security Centre Finland (NCSC-FI)
Itämerenkatu 3 A
P.O. Box 313
Media contacts by telephone +358 295 390 248