Monday, June 02, 2014

Is the Game Over for GameOver Zeus?

Several weeks ago law enforcement friends in Pittsburgh started asking people not to publish anything too public about GameOver Zeus. When we asked why, we got a teasing "You'll see!" Now our ISP friends that were participating in the effort are grinning ear to ear as we may actually have a chance to disrupt Zeus in a meaningful way. Being a legal geek, I was excited to have the documents published on the main Justice website today at

The Complaint against Evgeniy Mikhailovich Bogachev aka Slavik, aka Pollingsoon was unsealed in court where the Pittsburgh FBI led the investigation into CryptoLocker and GameOver Zeus. In addition to Bogachev, charges are filed against several aliases of as-yet-unidentified hackers, "Temp Special", "Ded", Chingiz (aka Chingiz 911), and Mr.KyKyPyKy. The Complaint charges that "Together, GOZ and Cryptolocker have infected hundreds of thousands of computers around the world and have generated losses that exceed $100 million."

Some of the specific cases mentioned in the complaint include:

  • A composite materials company in the Western District of Pennsylvania which lost more than $198,000 from its bank account using credentials stolen by the Defendants through the use of GOZ; (The Pittsburgh Indictment shares more details, telling us this was Haysite Reinforced Plastics, whose PNC Bank account was fraudulently accessed and used to send their money to a Mule account in the name of Lynch Enterprises, LLC, at SunTrust Bank in Atlanta, Georgia, after they clicked on a NACHA email informing them their ACH payment had failed, in October 2011. They also transfered $175,756.91 to an account belonging to R&R Jewelers, and ATTEMPTED six additional transfers, all on October 20, 2011. The money in the SunTrust account was quickly moved on ($99,822 of it, anyway) to an HSBC account in London.)
  • An Indian tribe in Washington - $277,000
  • A corporation managing assisted living facilities in Pennsylvania - $190,800
  • A regional bank in Northern Florida - $7 Million
CryptoLocker is described separately as having "first emerged in mid-to-late 2013" and infected "more than 230,000 computers, including more than $120,000 in the United States.

Just between October 15, 2013 and December 18, 2013, we know that $27 million in ransom payments were made, just by tracking the ransom payments made using Bitcoin!

The charges in the criminal complaint are:

Count I: Wire fraud: 18 USC Section 1343 "Having devised a scheme or artifice to defraud and for obtaining money by means of false or fraudulent pretenses and transmitting and causing to be transmitted by means of wire communications in interstate and foreign commerce, writings, signs, and signals for the purpose of executing such scheme or artifice.

Count II: Bank Fraud: 18 USC Section 1344 "knowingly executing a scheme or artifice to defraud financial institutions insured by the FDIC and to obtain moneys under the custody and control of these institutions by means of false and fraudulent pretenses and representations.

Count III: Unauthorized interception of electronic communications: 18 USC Section 2511 "intentionally intercepting electronic communications, and intentionally using and endeavoring to use the contents of the electronic communications knowing that the information is obtained through the unauthorized interception of electronic communications."

all of which, according to 18 USC Section 1345(a) and (b) allows Injunctive Relief to prevent a continuing and substantial injury to the owners and legitimate users of the infected computers.

An FBI Pittsburgh cyber agent was the affiant in the 28 page Application for Temporary Restraining Order recounts that while the largest known single wire transfer was a $6.9 million wire, fraudulent wires in the amount of $1 million dollars were "very common." A single bank experienced 11 fraudulent wires, with six being for more than $950,000 and the largest being 2 million dollars!

The GOZ affidavit mentions a few email addresses, Bogachev uses as one email address,, while Chingiz 911 uses Seeing the nickname "Ded" as one of the members of the gang, I can't help but recall "Ded Pixto" the nickname for Stanislav Avdeiko the Koobface malware author.

So how will this "takedown" actually work? First, some hard work by a couple genius malware reverse engineers at Dell Secure Works and CrowdStrike helped the Pittsburgh FBI agent to understand the current Command & Control infrastructure so it could be rendered harmless. The problem though, is that both GOZ and Cryptolocker have a built-in backup plan in the form of a Domain Generation Algorithm. The job of a DGA is to allow the botmaster to IN THE FUTURE reconnect to his bots using infrastructure that neither the bots nor the botmaster have even created yet. A formula is used to calculate a domain name based on a timestamp. So, if NONE of the hard-coded IP addresses are able to be reached, the bot will look up the current date and begin "guessing" domains that the criminal may have registered for use to update the bot with new hard-coded addresses. As a few examples, on July 1, 2014, CryptoLocker will try to connect to 1,000 domains, including:
The Temporary Restraining Order (TRO) seeks an Order that:

1) directs four U.S. based internet domain Registries to block access to around 900 PAGES of domain names seemingly the "future" list of DGA-generated domain names for CryptoLocker and GOZ. The GameOver Zeus domains are listed in Appendix A while the CryptoLocker domains are listed in Appendix B. Because ICANN only has jurisdiction over the Generic TLDs, this approach doesn't work for the ".ru" domains. CryptoLocker also uses "" domains, so one would hope that the British government has asked for a similar favor from their counterpart registries. The four Registries in the US were, VeriSign, Inc., representing .com and .net, Neustar, Inc., representing .biz, Affilias USA, Inc., representing .info, and Public Interest Registry, representing .org.

Appendix A actually contains 25,937 domains for Game Over Zeus, arranged in ten columns, with three columns of domains listed on pages 1-69, 70-138, 139-207, and then a single column on pages 208 to 276. Its actually seven columns of 2594 domains and three columns of 2593 domains or 25,937 domains for Game Over Zeus.

Appendix B has six columns on pp. 1-176, pp.177-352, and then six columns of various length from 353 to the end of the 704 page document, for a total of 130,421 domains for CryptoLocker.

Affilias, Neustar, Verisign, and Public Interest Registry are ordered to redirect all of those 156,000 or so domains to use the nameservers and, preventing the criminals from using those domains to re-establish control of their botnet.

2) directs the twenty largest ISPs in America to not allow access from their networks to the .RU domains that the DGA can make, as the .RU domains are not under ICANN control. The ISPs named here are:

Cablevision, AT&T, Cox, Comcast, Mediacom, AOL, Frontier, Sprint, Time Warner Cable, Verizon, Charter, CenturyLink, Suddenlink, Wide Open West, Windstream, Level 3, Armstrong Group of Companies, Bright House, Earthlink, and NTT America.

Those ISPs are forbidden to allow traffic to the .ru domains listed in Appendix C.

3) To redirect all traffic intended for one of those domains to .gov controlled servers


4) to seek a Pen Register/Trap and Trace Order that would gather information about the nodes directed to those replacement boxes, and to share that information back to the ISPs and victims to help protect themselves. This "Dialing, Routing, Addressing, and Signaling" data (called DRAS in telephone-legalese) is to be turned over to the government so that attempts can be made to clean up these victims computers.

In cooperation with these efforts, McAfee is providing their "Stinger" program to be used by any victims to clean and remove GameOver Zeus or CryptoLocker infections.

All of that is now in play ... it is too early to tell if the game is really over, but best of luck and congratulations to the fine agents and CCIPS lawyers who made this possible!

1 comment:

  1. This comment has been removed by a blog administrator.


Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.