Shuttering Gameover: Temporary Success

Cryptolocker/Gameover Infection Rates Plummet

There's good news following this week's global law enforcement takedown of the Zeus Gameover Trojan and Cryptolocker ransomware campaigns: The number of new infections has become "very low," if not fallen to zero. But related attacks could quickly resurge once cybercriminals tweak their attack techniques to route around the takedown.


So says Morten Kjaersgaard, CEO of Copenhagen, Denmark-based Heimdal Security - part of CSIS Security Group - which has long been tracking related infections.

Kjaersgaard says the falloff in new Cryptolocker infections follows a peak of 8,000 infections per day at the end of May. Likewise, while more than 50,000 new PCs were being infected and added to the Zeus Gameover botnet daily at the end of May, "as of last week, we are tracking close to zero, or in the low hundreds of new infections per day," he says.

Poland's Computer Emergency Response Team, CERT Polska, likewise reports seeing a sharp decline in Gameover command-and-control communications in recent days.

Tracking Gameover Command-and-Control Communications

Credit that decline to Operation Tovar, a joint effort - conducted by the U.S. Federal Bureau of Investigation, Europol and Britain's National Crime Agency - that's temporarily shut down the servers related to the Cryptolocker ransomware and the notorious banking Trojan known as Zeus Gameover. U.S. authorities also filed charges this week against Evgeniy Mikhailovich Bogachev (a.k.a. Slavik), a Russian citizen who they say is the mastermind behind the Cryptolocker and Gameover gang, which has stolen more than $130 million.

Last year, about two-thirds of all Gameover infections were in the United States, according to the security firm Trend Micro. Kjaersgaard says that the U.K. and Germany have also "been hit hard" by the malware, which is often distributed together with Cryptolocker.

Stolen: $130+ Million

Most related infections begin after victims open a malicious attachment received in a spam message, according to Trend Micro. The malware typically then downloads a variant of GOZ (Gameover Zeus) or another form of Zeus - a.k.a. Zbot - which in turn downloads Cryptolocker ransomware. Cryptolocker encrypts files on the infected PC using AES-256 and RSA: each file is encrypted with an AES key, and that AES key is itself encrypted with an RSA public key whose private half is held only by the attackers. The ransomware then directs victims to an online portal and demands $300 to $500 from U.S. victims or 300 euros to 500 euros from European victims - payable in bitcoins - in exchange for the key that decrypts the files. "Since the AES key is hidden using RSA encryption and the RSA private key is not available, decrypting the files is not feasible" - unless victims pay the ransom - according to Trend Micro's Cryptolocker analysis.
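To make concrete why Trend Micro says decryption is not feasible without the RSA private key, here is an added example of the hybrid scheme the paragraph describes. It is written for this page and is not Cryptolocker's code or Trend Micro's: each file gets a fresh random AES-256 key, that key is wrapped with an RSA public key, and only the matching private key (which never leaves the attacker's side) can unwrap it. The names LockedFile, Lock and Unlock are mine, the sample file contents are constructed, and the use of AES-GCM and RSA-OAEP is an assumption chosen to make the illustration sound and runnable; the article says only "AES-256 and RSA".

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// LockedFile is what remains on the victim's disk: the file body under a
// random per-file AES key, and that key wrapped with the operator's RSA
// public key. The plaintext AES key is never written anywhere.
type LockedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the operator's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // file body under AES-256-GCM
}

// Lock encrypts plaintext under a fresh 256-bit key and wraps that key with pub.
// AES-GCM and RSA-OAEP are this example's choices, not a claim about Cryptolocker.
func Lock(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	// Discard the symmetric key: from here on it exists only inside WrappedKey.
	for i := range key {
		key[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock unwraps the per-file key with priv and decrypts the body. With any
// other private key, OAEP unwrapping fails and the file stays locked.
func Unlock(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(lf.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

func main() {
	// The operator's key pair lives on the attacker's server; the victim's
	// machine only ever sees the public half.
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sample := []byte("constructed sample: contents of a victim's spreadsheet")
	lf, err := Lock(&operator.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("locked: %d ciphertext bytes, %d-byte wrapped key\n", len(lf.Ciphertext), len(lf.WrappedKey))

	// Anyone without the operator's private key (here: a different key pair) gets nothing back.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, err := Unlock(other, lf); err != nil {
		fmt.Println("wrong private key:", err)
	}

	plain, err := Unlock(operator, lf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unlocked with operator key: %q\n", plain)
}
```

The structural point the article's quote makes is visible in the code: nothing written to the victim's disk contains the file key in usable form, so a victim with the ciphertext and the public key has no decryption path, and the only recovery routes are backups made before infection or obtaining the private key from the operator.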

The FBI says that at least 234,000 people worldwide have been victims of the ransomware, and that $30 million in ransoms was paid between September 2013 and December 2013.

Zeus Gameover, which was discovered in September 2011, is based on the Zeus financial malware source code, which began circulating on underground hacking forums earlier that year. The developer behind Gameover, however, added capabilities, including command-and-control communications over a peer-to-peer (P2P) network of infected machines rather than a fixed set of servers, which makes related infections difficult to spot and eradicate: there is no single C&C address to block or seize.

Gameover, like many other types of banking malware, also uses Web injections: it hooks into Windows processes, notably the browser, to gain direct access to raw HTTP data, so it can alter what the victim sees and submit its own requests. Those capabilities allow the malware to transfer money from victims' accounts in the background while displaying normal-looking online banking pages. The FBI says that Gameover victims include an unnamed Florida bank, which lost almost $7 million in a single fraudulent wire transfer initiated by the Gameover gang.

Respite: Only Temporary

Unfortunately, the Cryptolocker and GOZ respite likely won't last long.

Britain's National Crime Agency, notably, warned in an alert Monday that affected individuals have just two weeks to excise related infections, and noted that at least 15,500 UK computers appear to be infected with GOZ (a.k.a. GOZeus, P2PZeuS). The agency also offered links to free scanning and removal tools, and said that service providers may also send warning letters to subscribers whose PCs appear to be infected with either Cryptolocker or Gameover.

The two-week respite reflects authorities' best guess of how long they can continue to disrupt criminals' command-and-control channels before they regroup and resume their attacks. "There's been some operational activity that's been undertaken [by police], and that's severed the communications between the main criminal servers and the infected computers that it's trying to communicate with," an NCA spokeswoman says.

But she acknowledges that related attacks could resume at any time. "It could be shorter than two weeks, it could be longer than two weeks, but until they do, that's the opportunity that people have to update their software, clean their computers, ... so that's why we're encouraging people to do that now," she says, emphasizing that, of course, computer users should also be doing that on a regular basis.

Heimdal Security's Kjaersgaard likewise says it's impossible to predict when related attacks might resume. "Nobody knows. The technology now exists in the market and since it is just like the flu, then it's only a matter of when someone starts spreading it again," he says. "It will probably be in a slightly different form though."

Attackers will need to take a different approach if they want to avoid having their operations quickly knocked offline again by authorities. "This operation has shown that authorities and IT security companies are now better equipped than ever before to act quickly if similar activities should occur," Kjaersgaard says.

Even so, restarting the botnet would take little effort, says Sean Sullivan, a security researcher at Finland-based anti-virus vendor F-Secure. "The infections will remain until removed via an anti-virus tool because GOZ uses very solid encryption to protect itself from being hijacked," he says. "Being peer-to-peer, the botnet can be recovered with access to only a few nodes; if updated configuration files are injected, they'll eventually spread P2P across the entire botnet, given time."

With luck, however, the takedown may have also spooked Slavik. "The question is, can GOZ's admin risk [restarting the botnet]?" he says. "While technically possible, doing so may yield clues as to his location, and that could prompt an arrest. Maybe he'll opt to lay low for a while."

In the meantime, anyone with a PC that's been infected by Cryptolocker or Gameover needs to act quickly. "Remediation efforts are under way. IP addresses related to GOZ are being directed to removal tools," Sullivan says in a blog post. "Spread the word, and with any luck, the Gameover botnet will implode."


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
