May 17, 2020

GameOver Zeus botnet disrupted by FBI, Microsoft and multi-national agencies

(LiveHacking.Com) – A multi-national team of security experts and law enforcement agencies, including the U.S. Department of Justice, the FBI, Europol, and the UK’s National Cyber Crime Unit, has successfully disrupted the GameOver Zeus botnet. The malware, a peer-to-peer (P2P) variant of the Zeus family of bank-credential-stealing trojans, is thought to be responsible for the theft of millions of dollars from businesses and consumers around the world.

Also known as P2P Zeus or GO Zeus, the malware uses a decentralized network of compromised PCs and web servers for command-and-control. Its peer-to-peer nature meant that command instructions could come from any of the infected computers, which made taking down the botnet more difficult.

The FBI took down portions of the command-and-control infrastructure by seizing domain names used by the malware. Microsoft helped the FBI by providing an analysis of the P2P network and by developing a cleaning solution. According to Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, “Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.”

GameOver Zeus is primarily used by cybercriminals to harvest banking information including login credentials. Once a PC is infected it can be used by the cybercriminals to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The malware has also been linked to the CryptoLocker ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files.

Andy Archibald, a Deputy Director at the UK’s National Crime Agency (NCA), said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.” Mr Archibald continues: “Those committing cybercrime impacting the UK are often highly-skilled and operating from abroad. The NCA and its partners are alive to the threat, and pursuing new and collaborative ways to tackle and disrupt the perpetrators.”

At the same time as the botnet was being disrupted, a federal grand jury in Pittsburgh unsealed a 14-count indictment against the GameOver Zeus ringleader. Evgeniy Mikhailovich Bogachev, of Anapa, Russian Federation, is charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering. In a separate civil injunction, Bogachev was identified as the ringleader of the gang responsible for the development and operation of the CryptoLocker scheme.

Microsoft disrupts half billion dollar Citadel botnet

(LiveHacking.Com) – Microsoft’s Digital Crimes Unit, together with the FBI and several financial services companies, has disrupted more than 1,400 Citadel botnets that were responsible for over half a billion dollars in losses to individuals and businesses worldwide.

The massive cybercrime operation was responsible for stealing people’s online banking information and personal identities. Citadel used a remotely installed keylogging program to steal data from about five million machines. Money was then stolen as the criminals used the harvested usernames and passwords to illegally enter online bank accounts. No particular bank was targeted, and cash was taken from well-known institutions including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Microsoft outlined how Citadel was bundled with pirated versions of Windows to pre-infect PCs. “We also found that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats,” said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

To avoid detection, Citadel blocked victims’ access to many legitimate anti-virus and anti-malware sites, which meant that they could not easily remove the threat from their PCs. As part of the disruptive action, Microsoft has restored access to these previously blocked sites.

Microsoft reaches settlement with domain operator linked to the Nitol botnet

(LiveHacking.Com) – Microsoft has reached a legal settlement with the hosting company which operated, a domain linked to the Nitol botnet. The deal, which was reached with Peng Yong and his company Changzhou Bei Te Kang Mu Software Technology, is the result of an investigation Microsoft conducted into counterfeit Windows PCs made in China.

Microsoft discovered that consumers in China were buying cheap counterfeit Windows-based PCs which came with malware pre-installed. The malware, known as Nitol, was used to run distributed denial of service (DDoS) attacks as well as to create backdoors onto the PCs. The domain was part of the infrastructure supporting the botnet. Subsequently Microsoft started legal action to take control of the 70,000 malicious subdomains hosted on

The investigation revealed that the malware was not being pre-installed on computers in the factory but rather the cybercriminals had disreputable distributors or resellers load the malware-infected counterfeit software onto the computers before the final delivery to the customer.

Now, Peng Yong has agreed to work with Microsoft and the Chinese Computer Emergency Response Team (CN-CERT) to stop any further misuse of servers in his company. Any future black-listed domains will be moved into a sinkhole established by CN-CERT. Yong is also required to fix the systems of anyone affected by the botnet. Microsoft has already started to contact the Nitol victims with the help of the Shadow Server Foundation.

Since taking control of, just over two weeks ago, Microsoft has been able to block more than 609 million connections from over 7,650,000 unique IP addresses.

“Fighting botnets will always be a complex and difficult endeavor as cybercriminals find new and creative ways to infect peoples’ computers with malware, whether for financial gain or other nefarious purposes. However, those working to combat cybercrime continue to make progress, and Microsoft remains committed to protecting its customers and services and to making it difficult for cybercriminals to take advantage of innocent people for their dirty work,” wrote assistant general counsel for Microsoft Digital Crimes Unit Richard Domingues Boscovich.

In brief: Microsoft disrupts Nitol botnet

(LiveHacking.Com) – Microsoft has revealed that the U.S. District Court for the Eastern District of Virginia granted Microsoft’s Digital Crimes Unit permission to disrupt more than 500 different strains of malware. ‘Operation b70’ significantly limited the spread of the emerging Nitol botnet. It was Microsoft’s second botnet disruption in the last six months.

According to Brian Krebs, the core target of this takedown was, a Chinese “dynamic DNS” (DDNS) provider. DDNS providers typically offer free services that allow millions of legitimate users to have Web sites hosted on servers that frequently change their Internet addresses. This type of service is useful for people who want to host a Web site on a home-based Internet address that may change from time to time, because dynamic DNS services can be used to easily map the domain name to the user’s new Internet address whenever it happens to change.

“Microsoft is fully committed to protecting consumers by combating the distribution of counterfeit software and working closely with governments, law enforcement and other industry members in these efforts. Our disruption of the Nitol botnet further demonstrates our resolve to take all necessary steps to protect our customers and discourage criminals from defrauding them into using malware infected counterfeit software,” said Microsoft in a statement.

Microsoft Moves Against Zeus Botnets With New Action Codenamed Operation b71

(LiveHacking.Com) – Microsoft is no stranger to fighting botnets. Over the last eighteen months it has led a variety of operations (b49, b107 and b79) to dismantle botnet networks used to conduct criminal activities including spamming, click fraud, and malware distribution. This week, together with partners in the financial services industry, Microsoft led Operation b71, a new action to disrupt Zeus (Win32/Zbot) botnets.

Zeus botnets are complex, and Microsoft has not been able to shut down every botnet in existence (nor was that its goal); however, Microsoft expects that Operation b71 will significantly impact the cybercriminals’ operations and infrastructure. Operation b71, which targeted the command and control infrastructure of various botnets using the Zbot, SpyEye and Ice IX variants of the Zeus family of malware, was carried out by Microsoft together with the Financial Services Information Sharing and Analysis Center (FS-ISAC), the Electronic Payments Association (NACHA), Kyrus Tech and F-Secure.

After months of investigation and a successful pleading before the U.S. District Court for the Eastern District of New York, there was a coordinated seizure of command and control servers in Scranton, Penn. and Lombard, Ill. (hosting some of the worst known Zeus botnets). This has disrupted the botnets and yielded valuable evidence and intelligence.

The Zeus malware uses keylogging to record a victim’s keystrokes to monitor online activity and gain access to usernames and passwords in order to steal a victim’s identity, take money from their bank accounts and make online purchases.

“Zeus is especially dangerous because it is sold in the criminal underground as a crimeware kit, which allows criminals to set up new command and control servers and create their own individual Zeus botnets. These crimeware kits sell for anywhere between $700 to $15,000, depending on the version and features of the kit. Overall, Microsoft has detected more than 13 million suspected infections of this malware worldwide, with more than 3 million in the United States alone,” wrote Richard Domingues Boscovich, Senior Attorney, Microsoft Digital Crimes Unit.

The operation culminated in the physical seizure of command and control servers. Representatives from Microsoft, FS-ISAC and NACHA were escorted by U.S. Marshals during the operation. Microsoft also currently monitors 800 domains secured in the operation, which helps it to identify thousands of Zeus-infected computers.

“We don’t expect this action to have wiped out every Zeus botnet operating in the world. However, together, we have proactively disrupted some of the most harmful botnets, and we expect this effort will significantly impact the cybercriminal underground for quite some time,” added Boscovich.

Once-prolific Pushdo botnet crippled

Security researchers have disrupted the botnet known as Pushdo, a coup that over the past 48 hours has almost completely choked the torrent of junkmail from the once-prolific spam network.

Researchers from the security intelligence firm LastLine said that they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them.

Read the full article here.

phpMyAdmin Vulnerability and Brute Force SSH Attacks

One or more large botnets are actively exploiting a vulnerability in phpMyAdmin. The exploit, which affects older versions of the package (below 3.2.4), allows remote code execution on the server.

According to Malwarecity, these botnets have been using this exploit to upload a bot named “dd_ssh”, which can be executed at root level. The bot then conducts brute force SSH attacks on random IP addresses specified by the bot herder.

Many people who have been attacked have logs showing a flood of HTTP requests from IPs in Asia and Eastern Europe that query the version of phpMyAdmin. Upon successful exploitation, the attacker drops the malicious files /tmp/vm.c and /tmp/dd_ssh and then starts the dd_ssh service.
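As an added illustration of the detection side of this report (not code from the original post or from Malwarecity): a Python script that flags source IPs flooding phpMyAdmin paths in an Apache-style access log and checks whether the dropped files the report names, /tmp/vm.c and /tmp/dd_ssh, are present. The log lines are constructed samples and the per-IP threshold is an assumed value.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample lines in Apache combined log format (not real traffic):
# 203.0.113.7 hammers phpMyAdmin paths, 198.51.100.22 makes one normal request and one probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2010:03:14:01 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2010:03:14:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jun/2010:03:14:03 +0000] "GET /PhpMyAdmin/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.22 - - [10/Jun/2010:03:14:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Jun/2010:03:14:07 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2010:03:14:09 +0000] "GET /phpMyAdmin/ HTTP/1.1" 200 512 "-" "Mozilla/4.0"
"""

# client ip, timestamp, method, path and status code of a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Files the report says the bot drops after a successful exploit (relative to /tmp).
DROPPED_FILES = ("vm.c", "dd_ssh")

def parse_line(line):
    """Split one combined-format log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "time": ts, "method": method, "path": path, "status": int(status)}

def phpmyadmin_probers(log_text, threshold=3):
    """Return {ip: count} for sources that hit a phpMyAdmin path at least `threshold` times.
    The path test is case-insensitive because scanners try several spellings of the
    directory. `threshold` is an assumed tuning knob, not a value from the report.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "phpmyadmin" in rec["path"].lower():
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def dropped_artifacts(tmp_dir="/tmp"):
    """List which of the reported dropper files (/tmp/vm.c, /tmp/dd_ssh) exist under tmp_dir."""
    return [str(p) for p in (Path(tmp_dir, name) for name in DROPPED_FILES) if p.exists()]

if __name__ == "__main__":
    print("noisy phpMyAdmin probers:", phpmyadmin_probers(SAMPLE_LOG))
    print("dropper artifacts present:", dropped_artifacts() or "none")
```

Run it against a real access log by passing the file contents to phpmyadmin_probers; a hit from dropped_artifacts on a live host is a strong sign the exploit already succeeded and the box should be treated as compromised.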


Source: [Malwarecity]

Command and Control Network of Zeus 2 Botnet

Security researchers have uncovered the command and control network of a Zeus 2 botnet sub-system targeted at UK surfers that controlled an estimated 100,000 computers.

Cybercrooks based in eastern Europe used a variant of the Zeus 2 cybercrime toolkit to harvest personal data – including bank log-ins, credit and debit card numbers, bank statements, browser cookies, client side certificates, and log-in information for email accounts and social networks – from compromised Windows systems.

Trusteer researchers identified the botnet’s drop servers and command and control centre before using reverse engineering to gain access to its back-end database and user interface. A log of IP addresses used to access the system, presumably by the cybercrooks that controlled it, was passed by Trusteer to the Metropolitan Police.

Read the full article here.

Source: [TheRegister]