June 14, 2021

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies including the U.S. Department of Justice, the FBI, Europol, and the UK’s National Cyber Crime Unit have successfully disrupted the GameOver Zeus botnet. The malware, which is a peer-to-peer (P2P) variant of the Zeus family of bank-credential-stealing trojans, is thought to be responsible for the theft of millions of dollars from businesses and consumers all around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network of compromised PCs and web servers for command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, which made the takedown of the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted, a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the CryptoLocker scheme.

Microsoft disrupts half billion dollar Citadel botnet

(LiveHacking.Com) – Microsoft’s Digital Crimes Unit, together with the FBI and several financial services companies, has disrupted more than 1,400 Citadel botnets that were responsible for over half a billion dollars in losses to individuals and businesses worldwide.

The massive cybercrime operation was responsible for stealing people’s online banking information and personal identities. Citadel used a remotely installed keylogging program to steal data from about five million machines. Money was then stolen as the criminals used the captured usernames and passwords to illegally enter online bank accounts. No particular bank was targeted, and cash was taken from well-known institutions including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Microsoft outlined how Citadel used PCs bundled with pirated versions of Windows to pre-infect machines. “We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats,” said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

To avoid detection, Citadel blocked victims’ access to many legitimate anti-virus/anti-malware sites, which meant that they could not easily remove the threat from their PC. As part of the disruptive action, Microsoft has restored access to these previously blocked sites.

Microsoft Moves Against Zeus Botnets With New Action Codenamed Operation b71

(LiveHacking.Com) – Microsoft is no stranger to fighting botnets. Over the last eighteen months it has led a variety of operations (b49, b107 and b79) to dismantle botnet networks used to conduct various criminal activities including spamming, click fraud, and malware distribution. This week, together with partners in the financial services industry, Microsoft led Operation b71, a new action to disrupt Zeus (Win32/Zbot) botnets.

Zeus botnets are complex and Microsoft has not been able to shut down every botnet in existence (nor was that its goal); however, Microsoft expects that Operation b71 will significantly impact the cybercriminals’ operations and infrastructure. Operation b71, which targeted the command and control infrastructure of various botnets using the Zbot, SpyEye and Ice IX variants of the Zeus family of malware, was carried out by Microsoft together with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA), Kyrus Tech and F-Secure.

After months of investigation and a successful pleading before the U.S. District Court for the Eastern District of New York, there was a coordinated seizure of command and control servers in Scranton, Penn. and Lombard, Ill., which hosted some of the worst known Zeus botnets. This has disrupted the network and yielded valuable evidence and intelligence.

The Zeus malware uses keylogging to record a victim’s keystrokes to monitor online activity and gain access to usernames and passwords in order to steal a victim’s identity, take money from their bank accounts and make online purchases.

“Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone,” wrote Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.

The operation culminated in the physical seizure of command and control servers. Representatives from Microsoft, FS-ISAC and NACHA were escorted by U.S. Marshals during the operation. Microsoft also currently monitors 800 domains secured in the operation, which helps it identify thousands of Zeus-infected computers.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” added Boscovich.

Source Code for ZeuS Trojan Horse Freely Available on the Internet

The source code for the ZeuS trojan horse (sometimes known as Zbot), which steals banking information by keystroke logging and form grabbing, has been leaked on to the Internet. Peter Kruse of CSIS, a security company from Copenhagen, has confirmed that the archive file, which is available from several underground forums, compiles and is indeed the genuine thing.

According to The H, the source code is for the version thought to be the latest. Previously, copies of ZeuS sold for several thousand dollars among cyber criminals and organized crime gangs.

The archive file contains a builder that generates the malware executable and Web server files (PHP, images, SQL templates) for use as the command and control server.

How or why this source code has appeared on the net is unclear; however, it was reported last year that ZeuS’s creator had retired and turned the ZeuS source code over to his long-time rival.

ZeuS has already caused a lot of damage, and its release on the Internet could mean it now poses a greater threat than ever before.

Koobface server taken down

A UK internet service provider (ISP) has taken the Koobface social networking botnet command-and-control server off-line after security specialists from the SecDev Group informed the UK investigative authorities about the server. While this will temporarily obstruct the botnet, it doesn’t mean that the individuals behind Koobface have been neutralised. It’s probably only a matter of time until the infected computers are redirected to a new server.

Read the full story here.


SpyEye Tracker

Abuse.ch has launched a new project, SpyEye Tracker. According to the project website, SpyEye Tracker is similar to the ZeuS Tracker, but it tracks and monitors malicious SpyEye Command & Control servers rather than ZeuS Command & Control servers.

SpyEye Tracker provides blocklists in different formats (e.g. for the Squid web proxy or iptables) so that infected clients can be prevented from reaching the Command & Control servers.

SpyEye Tracker could be helpful for ISPs, CERTs and law enforcement in tracking malicious SpyEye Command & Control servers and combating the cyber criminals behind them.
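As an added example (not abuse.ch’s or SpyEye Tracker’s own tooling), the script below shows what an ISP or CERT would actually do with such a blocklist: parse it defensively, turn it into a Squid dstdomain file and iptables egress rules, and then run the same list over proxy access-log lines to find which internal clients have already talked to a listed C2. The blocklist format (one entry per line, `#` comments, IPv4 addresses or hostnames) is an assumption, and every indicator, IP and log line is constructed for the example.

```python
"""Turn a C2 blocklist into Squid/iptables deny rules and match proxy logs against it.

Added example; the blocklist format is assumed and all indicators below are
constructed (RFC 5737 documentation ranges and example.* names), not real C2s.
"""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample blocklist in the assumed one-entry-per-line format.
SAMPLE_BLOCKLIST = """\
# constructed SpyEye C2 blocklist (not real indicators)
192.0.2.10
198.51.100.77
c2.example.net
192.0.2.10   # listed twice on purpose, to show de-duplication
panel.example.org
not a valid entry!
"""

# Plausible hostname: dot-separated labels, alphabetic TLD, <= 253 chars.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def parse_blocklist(text: str) -> Tuple[List[str], List[str], List[str]]:
    """Split a blocklist into (ipv4 addresses, hostnames, rejected entries).

    Comments and blank lines are skipped. Anything that is neither a valid
    IPv4 address nor a plausible hostname is returned as rejected rather than
    silently becoming a firewall or proxy rule (IPv6 would need ip6tables and
    is rejected here too).
    """
    ips, domains, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(line)))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            domains.append(line.lower())
        else:
            rejected.append(line)
    return ips, domains, rejected


def squid_dstdomain_file(domains: List[str]) -> str:
    """Contents of a dstdomain file; squid.conf then references it with
    acl c2_block dstdomain "/etc/squid/c2_block.txt" and http_access deny c2_block."""
    return "\n".join(sorted(set(domains))) + "\n"


def iptables_rules(ips: List[str], chain: str = "OUTPUT") -> List[str]:
    """Egress rules that log and then drop traffic to each listed C2 address."""
    rules = []
    for ip in sorted(set(ips), key=ipaddress.IPv4Address):
        rules.append(f'iptables -A {chain} -d {ip} -j LOG --log-prefix "C2-BLOCK "')
        rules.append(f"iptables -A {chain} -d {ip} -j DROP")
    return rules


# Constructed lines in Squid's native access.log layout:
# time elapsed client action/code size method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1623672000.123    250 10.0.0.5 TCP_MISS/200 1234 GET http://c2.example.net/gate.php - HIER_DIRECT/192.0.2.10 text/html
1623672001.456     80 10.0.0.7 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/203.0.113.9 text/html
1623672002.789    310 10.0.0.9 TCP_MISS/200 77 POST http://198.51.100.77/cfg.bin - HIER_DIRECT/198.51.100.77 application/octet-stream
1623672003.000    120 10.0.0.5 TCP_MISS/200 90 GET http://PANEL.example.org/ - HIER_DIRECT/203.0.113.44 text/html
"""


def find_infected_clients(log_text: str, ips: List[str], domains: List[str]) -> Dict[str, List[str]]:
    """Map each client IP that requested a listed C2 host to the hosts it hit.

    The URL host is compared case-insensitively against both the IP and the
    hostname lists, so a C2 contacted by bare IP is caught as well.
    """
    listed = set(ips) | set(domains)
    hits: Dict[str, set] = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; skip rather than crash the sweep
        host = urlsplit(fields[6]).hostname  # already lower-cased by urlsplit
        if host in listed:
            hits.setdefault(fields[2], set()).add(host)
    return {client: sorted(hosts) for client, hosts in sorted(hits.items())}


if __name__ == "__main__":
    ips, domains, rejected = parse_blocklist(SAMPLE_BLOCKLIST)
    print("rejected entries:", rejected)
    print(squid_dstdomain_file(domains))
    print("\n".join(iptables_rules(ips)))
    print("clients that reached a listed C2:", find_infected_clients(SAMPLE_LOG, ips, domains))
```

The deny rules stop further check-ins, but the log sweep is the part that turns a blocklist into an incident list: each client it returns is a machine that should be cleaned, which is the outcome the tracker’s blocklists are meant to support.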


Once-prolific Pushdo botnet crippled

Security researchers have disrupted the botnet known as Pushdo, a coup that over the past 48 hours has almost completely choked the torrent of junkmail from the once-prolific spam network.

Researchers from the security intelligence firm LastLine said that they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them.

Read the full article here.


Command and Control Network of Zeus 2 Botnet

Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers.


Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data – including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks – from compromised Windows systems.


Trusteer researchers identified the botnet’s drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed on by Trusteer to the Metropolitan Police.

Read the full article here.

Source: [TheRegister]

AVG Whitepaper: Mumba Botnet

AVG recently released a whitepaper about the Mumba botnet and its implications.

This research revealed that more than 55,000 unknowing Internet users’ machines were compromised with data-stealing malware planted by the Mumba botnet.

According to the AVG research report, more than 60 GB of data was identified on the server, including credentials for social networking web sites, banking accounts, credit card numbers and email communications.

A breakdown of the compromised PCs shows that 33 percent of infected users resided in the U.S., while other notably affected countries included Germany, Spain, the United Kingdom, Mexico and Canada.

Download AVG Whitepaper Here

Source: [AVG]