The U.S. Department of Justice on Monday made public a multi-national effort to disrupt the GameOver Zeus botnet, a global network of infected victim computers cybercriminals were using to steal millions of dollars from businesses and consumers. Microsoft was in the thick of the fix.
GameOver Zeus, a variant of the Zeus (or Zbot) family of malware, is a highly prevalent password-stealing trojan, according to research by the Microsoft Security Intelligence Report. What’s more, the Dell SecureWorks Counter Threat Unit reports that it was the most active banking trojan of 2013.
In a separate action, U.S. and foreign law enforcement officials worked together to seize computer servers central to the malware known as Cryptolocker, a form of ransomware that encrypts the files on victims’ computers until they pay ransom.
“GameOver Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” said FBI Executive Assistant Director Robert Anderson. “The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government.”
Microsoft Helps Takedown
The impact GameOver Zeus is not limited to the financial industry, however. Nearly all major businesses and public sector organizations are impacted. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected. All told, the FBI estimates that GameOver Zeus is responsible for more than $100 million in losses.
“Microsoft’s role in this technical action was to conduct analysis on the P2P network and develop a cleaning solution,” Microsoft said in a blog post. “Also, through an additional feed from Shadow Server, we are able to augment our visibility into the number of impacted IP addresses that feed into Microsoft’s Cyber-Threat Intelligence Program (C-TIP), and work closely with global Community Emergency Response Teams (CERTs) and Internet service providers (ISPs) to help owners of compromised computers regain control of their systems.”
Based upon those actions, Microsoft expects to disrupt the cybercriminals’ business model, which would force them to rebuild their criminal infrastructure. This is the second botnet operation Microsoft has launched since it unveiled its C-TIP program last November. The company also participated in the ZeroAccess botnet case.
Regaining a Foothold
We caught up with Dwayne Melancon, chief technology officer at IT security software firm TripWire, to get his take on the takedown. He told us it’s an opportunity to make progress against a huge Internet threat.
“Taking out the command-and-control servers of a botnet is a monumental task, but this effort will make a significant difference and at least allow us to regain a foothold,” Melancon said. “Of course, the success of this effort still requires people to patch their operating systems and applications very quickly.”
That, he said, is because botnets are extremely resilient. He expects to see another command-and-control infrastructure spring up in short order.
“If users and enterprises don't reduce their attack surface by closing the security holes, the situation won't get better,” Melancon said. “They'll just be compromised by the next iteration of the botnet.”