FBI disrupts GameOver ZeuS and CryptoLocker Botnet

The U.S. Department of Justice (DOJ) and Federal Bureau of Investigation (FBI) today announced the disruption of the infamous GameOver ZeuS botnet and the CryptoLocker Ransomware.

GameOver ZeuS (GOZ), also known as P2P ZeuS or ZeuSv3, is a sophisticated ebanking Trojan mainly used to commit ebanking fraud and steal credentials from the victim's computer. GOZ is a further development of ZeuS / Zbot and has been around for four years now. GOZ is one of the few botnets that use P2P techniques for their command & control (C&C) infrastructure. However, this wasn't always the case. The botnet operators behind GOZ made several updates to the source code over the years of operating the botnet to improve its resilience against takedown attempts.

Below is a chart that illustrates the development of GOZ over time.

Figure: Development of GOZ over time

As shown on the timeline above, it all started in September 2010 when a new malware appeared. It was obviously based on the source code of ZeuS, but used a domain generation algorithm (DGA) to calculate the current botnet C&C domain. AV vendors named this new threat Murofet and LICAT. The Murofet / LICAT botnet was around for nearly a year. Months after Murofet appeared, ZeuS Tracker started to blacklist the DGA domains used by Murofet as soon as they had been registered. With this, ZeuS Tracker could provide near-real-time protection to Internet users. In cooperation with the responsible domain name registrar, new Murofet domains could be suspended within hours after they appeared on ZeuS Tracker. In the beginning of September 2011, abuse.ch (again, in cooperation with the responsible domain name registrar) started to sinkhole Murofet domains instead of suspending them. This enabled abuse.ch to collect information about the size and geolocation of the Murofet botnet:

Figure: Murofet / LICAT botnet size as of September 2011

The highest count of infected IPs the sinkhole could record was more than 100k infected IPs within a time period of 24 hours, and most of the infected IPs were located in India (IN), Italy (IT) and the USA.

Figure: Geo IP location of Murofet / LICAT infected computers as of September 2011

In mid September 2011, no new Murofet / LICAT domain names were being registered any more. At nearly the same time, security researchers all over the world saw a new kind of malware that showed the same behavior on a compromised computer as ZeuS did. However, instead of just using HTTP to communicate with the botnet C&C server, unusual UDP and TCP connections could be observed on infected computers. Analysis of the new Trojan revealed that it was based on the ZeuS source code as well, but used P2P communication to talk to other infected drones and receive commands from the botnet operator. However, stolen data was still being dropped to a webserver using HTTP POST. The HTTP POST requests all used the same URL patterns: /gameover.php, /gameover2.php, /gameover3.php. GameOver ZeuS was born.

Figure: P2P ZeuS C&C communication as of September 2011

Using P2P techniques has a big benefit for botnet operators: it makes their botnet more resilient against takedown attempts. Since the disappearance of Murofet / LICAT and the appearance of P2P ZeuS happened at nearly the same time, it is obvious that GameOver ZeuS is a successor of Murofet / LICAT. However, it is unclear whether this development was a reaction of the criminals to the takedown / sinkholing attempts carried out by abuse.ch since July 2011. Later in 2011, GameOver ZeuS abandoned the component that was responsible for the HTTP gameover.php traffic. With this, ZeuS Tracker was no longer able to list the associated GameOver ZeuS activity, because the main operations had been fully migrated into the P2P infrastructure. However, GameOver ZeuS was still using an HTTP component along with a DGA as a fallback mechanism, in case the P2P botnet was disrupted. Because of this, sinkholing at least parts of the botnet was still possible. Below is a chart that illustrates the number of unique IP addresses infected with GameOver ZeuS, as reported to the non-profit organisation Shadowserver. The data come not only from the sinkholes operated by abuse.ch, but also from sinkholes operated by other security researchers around the globe.


Figure: Number of unique IPs infected with GOZ in May 2014

In the early days, GameOver ZeuS was mainly targeting financial institutions in the US. During their years of operating the botnet, the operators soon enlarged their target list to include financial institutions in Europe and Asia as well. For example, in 2013 Swiss Internet users were hit by a spam run that was distributing GameOver ZeuS in Switzerland.

The GameOver ZeuS botnet was developed further several times, mainly aimed at hardening its P2P component. The main reason for this were several takedown attempts carried out by security researchers in the past years. There are some excellent papers around that describe GameOver ZeuS, and especially its P2P component:

GameOver ZeuS is not the only botnet to take advantage of P2P techniques. ZeroAccess, a click-fraud botnet that was recently taken down by Microsoft and EUROPOL, was using P2P techniques as well. While using P2P techniques is a good choice for botnet operators who want to hide their infrastructure and make their botnet more resilient against takedown attempts, the GOZ takedown carried out by the FBI is already the second takedown this year that hits a P2P botnet. This is a good example and an even better statement from Law Enforcement Agencies and security researchers around the globe, showing that criminals can't hide, no matter what kind of technology they are using.

Overall I think it is fair to say that GameOver ZeuS was one of the biggest threats for financial institutions and their customers. Some security researchers even view GameOver ZeuS as the "largest bank-theft botnet" ever. Finally, I want to express my congratulations to the FBI and all people involved for their investigations and say thanks for their efforts to make the Internet a safer place.

*** Further reading about GameOver ZeuS ***

Introducing: Feodo Tracker

In the past week I've received multiple reports about widespread spam campaigns hitting German-speaking countries. The spam emails are multi-themed and pretend to come from either Volksbank, Deutsche Telekom, Vodafon D2 or NTT. There are already various blog posts about the latest spam campaign, for example on the G Data SecurityBlog (German) or the Cisco Blog (English). Deutsche Telekom has also already published a blog post on their website warning its customers about fake invoices (German) pretending to come from Deutsche Telekom. While the fake invoices that are being sent out by the cybercriminals vary, they usually point to a malicious website that always serves the same malware to its visitors: Feodo.

Feodo (also known as Cridex and Bugat) is yet another ebanking Trojan used to commit ebanking fraud and steal sensitive information from the victim's computer, such as credit card details or user credentials. The Trojan itself isn't really new; in fact it's already been around for over two years now, having first been spotted in January 2012. Feodo is not only hitting Germany, it's also hitting financial institutions in several other countries.

Feodo Modus Operandi
Currently, there are two versions of Feodo known: let's call them version A and version B. The spam and malware campaign we have seen recently hitting Germany can be attributed to version B. One of the biggest differences between those two versions is the way an infected computer (bot) communicates with its C&C servers. While version A communicates over HTTP with hijacked servers running an nginx daemon on port 8080 TCP (which in fact just act as proxy nodes forwarding all botnet traffic to a tier 2 proxy server), version B communicates with its botnet C&C infrastructure using HTTP on port 80 TCP. For version B, the botnet C&C infrastructure (domain names + hosting) is set up by the cybercriminals for the exclusive purpose of hosting a Feodo botnet C&C server.

Mitigating the Feodo threat

As mentioned earlier, Feodo isn't a new threat, but it seems to be re-emerging these days. Hence, I've decided to put Feodo in the spotlight by launching yet another tracker. Introducing: Feodo Tracker. Similar to the existing trackers for ZeuS, SpyEye and Palevo, Feodo Tracker provides an overview of existing Feodo botnet C&C servers and serves a blocklist in different formats, allowing system and network administrators to spot and stop Feodo C&C traffic in their network as well as to identify infected computers in the local network (LAN). Currently, Feodo Tracker offers plain text blocklists for both Feodo C&C IP addresses and Feodo C&C domains, as well as IDS/IPS rules for Snort and Suricata.
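As an added example (not code from this blog or from Feodo Tracker itself), the following Python checks constructed proxy log lines against a Feodo Tracker-style plaintext IP and domain blocklist, and also flags HTTP POSTs to the /gameover.php, /gameover2.php and /gameover3.php drop-zone paths described for the early GameOver ZeuS in the first post above. The blocklist entries, log format, hostnames and IP addresses are constructed placeholders, not indicators from the page.

```python
import re

# Constructed Feodo Tracker-style plaintext blocklists (one entry per line, '#' comments).
# Values are RFC 5737 / .invalid placeholders, not real C&C indicators.
FEODO_IP_BLOCKLIST = """# Feodo C&C IP blocklist (constructed sample)
198.51.100.23
203.0.113.77
"""
FEODO_DOMAIN_BLOCKLIST = """# Feodo C&C domain blocklist (constructed sample)
example-c2-one.invalid
example-c2-two.invalid
"""
# Early GameOver ZeuS dropped stolen data via HTTP POST to these URL paths.
GOZ_DROP_PATHS = re.compile(r"^/gameover\d*\.php$")
# Constructed proxy log format: timestamp client method url status
LOG_RE = re.compile(r"^\S+ (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) \d+$")
SAMPLE_LOG = [  # constructed log lines; 10.0.0.x are internal clients
    "2014-06-02T10:00:01 10.0.0.15 GET http://www.example.com/index.html 200",
    "2014-06-02T10:00:07 10.0.0.15 POST http://203.0.113.77/index.php 200",
    "2014-06-02T10:01:12 10.0.0.22 POST http://Example-C2-One.invalid:80/ 200",
    "2014-06-02T10:02:45 10.0.0.31 POST http://drop.example.net/gameover2.php 200",
    "2014-06-02T10:03:00 10.0.0.31 GET http://drop.example.net/gameover.php 404",
]

def load_blocklist(text):
    """Return the set of non-empty, non-comment blocklist entries, lowercased."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def split_url(url):
    """Return (host, path) for an http(s) URL; host lowercased, port dropped."""
    m = re.match(r"^https?://([^/:]+)(?::\d+)?(/.*)?$", url)
    return (m.group(1).lower(), m.group(2) or "/") if m else (None, None)

def scan_log(lines, bad_ips, bad_domains):
    """Return (client, reason) for each line hitting a listed C&C or a GOZ drop path.
    A Feodo hit matches on host regardless of port (version A used 8080, B used 80)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, path = split_url(m.group("url"))
        if host is None:
            continue
        if host in bad_ips or host in bad_domains:
            hits.append((m.group("client"), f"feodo-c2:{host}"))
        elif m.group("method") == "POST" and GOZ_DROP_PATHS.match(path):
            hits.append((m.group("client"), f"goz-drop:{host}{path}"))
    return hits
```

Calling scan_log(SAMPLE_LOG, load_blocklist(FEODO_IP_BLOCKLIST), load_blocklist(FEODO_DOMAIN_BLOCKLIST)) reports 10.0.0.15 and 10.0.0.22 as Feodo C&C contacts and 10.0.0.31 for the POST to /gameover2.php; the GET on the last sample line is deliberately not flagged, since the post describes the drop traffic as HTTP POST.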

Feodo Malware Distribution
Looking at the modus operandi of this Feodo gang (which is running version B) and how they recruit new bots shows that they use both compromised websites and domain names registered for the exclusive purpose of infecting new computers (spam landing pages). Sample URLs/domains are:

hXXp://clownjohh.ru/vodafone_online/ (malicious domain)
hXXp://clownjohh.ru/telekom_deutschland/ (malicious domain)
hXXp://sencert.ru/volksbank_eg/ (malicious domain)
hXXp://mmc-tt.ru/telekom/ (malicious domain)
hXXp://frtyui.ru/telekom_deutschland/ (malicious domain)
hXXp://1pfkc1.happykid.ch/vodafon/ (compromised/hijacked)
hXXp://xs9imj.tenebro.us/telekom/ (compromised/hijacked)

Those URLs are embedded / advertised in the spam mails, which are being sent out by the criminals using stolen SMTP credentials. By taking advantage of stolen SMTP credentials, the criminals bypass the usual DNSBL-driven spam filters. Most of the advertised .ru URLs (which are, as said, usually registered by the cybercriminals themselves for the exclusive purpose of hosting a Feodo malware distribution site) are registered through the Russian-based domain registrar REG.RU.

Feodo Botnet C&C Infrastructure
Looking at the Feodo botnet C&C infrastructure for this Feodo campaign (version B) shows that all botnet C&C domains are within the ccTLD .ru and, again, registered through the Russian-based domain registrar REG.RU:

Figure: Feodo C&C domains

It's not the first time criminals have used REG.RU to register malicious domain names. In this case the criminals also decided to host their DNS on REG.RU's DNS infrastructure. All Feodo botnet C&C domains I've seen so far use REG.RU's DNS infrastructure as delegated DNS servers:

ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN A
ns1.reg.ru. 345600 IN AAAA 2a00:f940::25
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN A
ns2.reg.ru. 345600 IN AAAA 2a00:f940::37

Hence, you may want to block any DNS query going to REG.RU's DNS infrastructure to prevent further abuse. But please keep in mind that there are also thousands of legitimate domain names using REG.RU's DNS infrastructure, so blocking those DNS servers will cause collateral damage.

My goal is to give system and network administrators, as well as Internet Service Providers (ISPs), the possibility to mitigate the recent Feodo attacks by blocking known bad Feodo C&C botnet traffic at their network edge (such as routers, firewalls, web proxies and DNS servers). I hope Feodo Tracker will help to support these efforts. If you have feedback on Feodo Tracker or any other project, please feel free to drop me a line using the contact form.


Further reading