Gameover ZeuS

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which combined with other security measures such as rootkits made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the "business club", which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks, used as both retaliation and as a form of distraction during thefts.

In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.

Botnet structure
Machines infected with GOZ were integrated into a botnet, a system of several devices that could be controlled remotely through the malware. At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers. Botnet-building capabilities were common to all ZeuS variants; however, while previous iterations of the malware created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server, GameOver ZeuS utilized a decentralized, peer-to-peer infrastructure.

The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from the infected machines was sent. This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time. Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster. Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes.

Security
GOZ contained several security features designed to prevent full analysis of the botnet — particularly by restricting the activities of crawlers and sensors — as well as to prevent shutdown attempts. The effectiveness of these mechanisms have led GameOver ZeuS to be considered a sophisticated botnet, with US Deputy Attorney General James M. Cole calling it “the most sophisticated and damaging botnet we have ever encountered”. Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well-secured against the efforts of law enforcement and security experts.

Crawlers were inhibited via various means. Each bot had fifty peers; however, a bot that was requested to provide a list of its peers would only return ten. Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatic blacklisting, halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations.

Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet. GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts.

In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers. The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network.

A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses. The malware itself was also difficult to remove, owing to a rootkit contained in it. The rootkit, Necurs, was taken from a different piece of malware.

Interface
The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts. A special token grabber panel existed for man-in-the-browser attacks used to obtain bank login credentials; logging into a bank account usually involves authentication measures in addition to a username and password, such as a one-time-code or security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim. The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks". Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to. Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.

Activity
GOZ was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.

From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion, however, other revenue streams such as click fraud and renting out the botnet were known to exist.

Management
The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev, the creator of the original Zeus Trojan and the immediate predecessor to GOZ, Jabber Zeus.

Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club, mostly Russians and Ukrainians. The network also employed technical support staff for the malware. The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar. Business club members did not exclusively use GOZ and were often members of other malware networks.

In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work. Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.

Bank theft
GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging. However, the malware was capable of using browser hijacking to bypass two-factor authentication. By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money, usually hundreds of thousands or millions of dollars. In one instance, $6.9 million was stolen from a single victim. In 2013, GOZ accounted for 38% of thefts pursued in this manner. Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion. Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities. By June 2014 it was estimated that between $70 million and $100 million had been stolen via GOZ.

The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended. The final destination of most money mule transfers were shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border.

CryptoLocker
In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key. Josephine Wolff, assistant professor of cybersecurity policy at Tufts University, has speculated that the motivation behind pivoting to ransomware was for two reasons: firstly to set up a more secure means of making money off of GOZ, as ransomware could take money from victims for less work on the criminals' ends and the anonymous payment methods did not need to be laundered through money mules, whose loyalties were in question since they did not know they were working for criminals; and secondly to take advantage of the criminals' access to data on infected computers that was significant to victims but was of no value to criminals, such as photographs and emails. Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.

About 200,000 computers were attacked by Cryptolocker beginning in 2013. The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen. However, Michael Sandee has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity. Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.

Espionage
Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine, and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government. The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014. OPEC member states were also targeted. Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent", and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense". Botnets used for espionage were run separately from those used for financial crime.

It is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret. Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended, despite living openly and under his own name in Russia.

Origins and name
GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus. Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action. In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus. In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants. Graff has suggested the possibility that Bogachev himself was responsible for the leak.

The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel. Other names have included peer-to-peer ZeuS, ZeuS3, and GoZeus.

Shutdown of the botnet
The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar". Three previous attempts between 2012 and January 2013 to take down the botnet were unsuccessful, including one attempt in March 2012 by Microsoft to use legal action to have GOZ-controlled servers and domains seized, which failed due to the peer-to-peer architecture of GameOver ZeuS. Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ. By 2014, authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server combined with interviews with former money mules allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email with the IP used to administer the botnet; although he had used a VPN, Bogachev had used the same one for both tasks. The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities, with Ukraine being the first to do so on May 7, 2014. With preparations finished, Operation Tovar began on May 30. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers. The technical details of the operation largely remain classified.

On June 2, the Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day. However, authorities also warned that the botnet would likely return within two weeks. On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent. On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest, at the time the largest-ever reward for a cybercriminal.

Re-emergence as "newGOZ"
Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies. The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Michael Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into. However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet. The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down".

The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections – the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus. On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ. Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well. As of 2017, variants of Zeus constitute 28% of all banking malware. However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware.