FBI Details Takedown of Gameover Zeus Botnet
FBI agent explains how law enforcement worked with security vendors to bring down a major botnet operation.
The Gameover Zeus botnet was one of the most pernicious digital criminal operations of all time, until the U.S. Federal Bureau of Investigation (FBI) stepped in to shut it down in 2014. The FBI didn't work alone to end the scourge that was Gameover Zeus; it had help from law enforcement partners and security researchers around the world.
At a session during last week's Black Hat USA security conference, FBI Special Agent Elliott Peterson detailed his organization's efforts to bring the botmaster behind Gameover Zeus to justice.
Gameover Zeus used a specific configuration of the Blackhole exploit kit as its primary infection method, he explained.
"The Blackhole version they were running pointed back to an iFrame checker, and we were able to get access through some of our partnerships with industry to the backend pages," Elliott said.
The Gameover Zeus botnet owners ran their operation as a complete criminal organization: they owned all the assets and kept them all under one roof, Elliott noted. "They were very centralized, which made it good for them from a logistics standpoint and very good for us in law enforcement."
One of the principal servers used by Gameover Zeus was referred to by the botnet owners as the "Business Club." Through the Business Club, the FBI was able to connect the dots across attacks and victims. There was a full ledger system in place that kept accurate track of all the fraud committed by the Gameover Zeus botnet, Elliott said.
As to how the FBI actually identified the individuals responsible, Elliott said these weren't part-time criminals; cybercrime was their full-time job. That's how the FBI was able to identify Evgeniy Bogachev as the kingpin behind the Gameover Zeus botnet.
"One of the things we try to do as law enforcement is work ourselves in, so we can attack the seams between their personal life and their criminal life," Elliott said. "Fortunately Bogachev was a user of VPNs, and he liked to use the same VPNs to log into his personal accounts as he would to administrate the backend of the botnet servers."
The FBI did a botnet takeover in June of 2014 to protect victims and stop future fraud.
"The idea being we didn't want to see people continue to be victimized," Elliott said. "And we didn't want to give the threat actors the possibility of destroying user computers or pushing CryptoLocker on them, encrypting their computers."
Bogachev is still at large, and the FBI has issued a $3 million reward for information that leads to his arrest. During the Q&A period that followed, Elliott was asked about Russian cooperation in capturing Bogachev.
"We talk to them [Russian law enforcement], we continue to talk to them and we'd love to see some cooperation. That's as much as I can say," Elliott said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.