The Gameover Zeus or GOZ botnet is a well known malware that is capable of stealing sensitive banking and financial information and details. It fist appeared in the year 2007 and then changed its form from time to time. The second version of Zeus malware shifted its base from a centralised command and control server to peer-to-peer in September 2011. This has made it very difficult to apply countermeasures against Zeus that is now known as Gameover Zeus (GOZ) botnet.
It has been reported that the US Justice Department has indicted a Russian national with writing computer code used to compromise banking systems and assist others in stealing banking credentials. The government has unsealed a 14-count indictment accusing Russian national Evgeniy Mikhaylovich Bogachev, who authorities said is known online as Lucky12345, of involvement in the creation of the Gameover Zeus, or GOZ botnet. Authorities claim Bogachev and his group infected thousands of business computers with software that captured passwords, account numbers, and other information.
An international operation disrupted the crime ring. The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand, Ukraine and the United Kingdom. Intel, Microsoft, security software companies F-secure, Symantec, and Trend Micro, and Carnegie Mellon University also supported the operation.
Authorities used technical and legal tactics to interrupt the so-called botnet’s operations, shutting down the servers the criminals used to control infected machines and causing those machines to “phone home” to servers controlled by law enforcement. As part of the cleanup effort, federal agents have redirected infected computers to Homeland Security servers to identify victims and provide information about how to remove the malware. Victims can head over to the DHS’s Computer Emergency Readiness Team (US-CERT) website for assistance.
In a separate action, U.S. and foreign law enforcement officials also seized control of the malware known as Cryptolocker, which locks victims out of their computer files until they pay a ransom.
“This operation disrupted a global botnet that had stolen millions from businesses and consumers as well as a complex ransomware scheme that secretly encrypted hard drives and then demanded payments for giving users access to their own files and data,” said Deputy Attorney General James M. Cole. “We succeeded in disabling Gameover Zeus and Cryptolocker only because we blended innovative legal and technical tactics with traditional law enforcement tools and developed strong working relationships with private industry experts and law enforcement counterparts in more than 10 countries around the world”.
The Gameover Zeus botnet operates silently on victim computers by directing those computers to reach out to receive commands from other computers in the botnet and to funnel stolen banking credentials back to the criminals who control the botnet. For this reason, in addition to the criminal charges announced today, the United States obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established pursuant to court order. The order authorizes the FBI to obtain the Internet Protocol addresses of the victim computers reaching out to the substitute servers and to provide that information to US-CERT to distribute to other countries’ CERTS and private industry to assist victims in removing the Gameover Zeus malware from their computers. At no point during the operation did the FBI or law enforcement access the content of any of the victims’ computers or electronic communications.