Wikipedia

Gameover ZeuS

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

GameOver ZeuS
FBI-produced diagram overviewing GOZ
Family: Zeus
Classification: Trojan
Infection vector: Email spam
Author(s): Evgeniy Bogachev

The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which combined with other security measures such as rootkits made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the "business club", which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks, used as both retaliation and as a form of distraction during thefts.

In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.

Technical details

Botnet structure

Machines infected with GOZ were integrated into a botnet, a system of several devices that could be controlled remotely through the malware. At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers.[1] Botnet-building capabilities were common to all ZeuS variants; however, while previous iterations of the malware created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server, GameOver ZeuS utilized a decentralized, peer-to-peer infrastructure.[2]

The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from the infected machines was sent.[3] This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time.[4] Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster.[5] Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes.[6]

Security

GOZ contained several security features designed to prevent full analysis of the botnet — particularly by restricting the activities of crawlers and sensors[a] — as well as to prevent shutdown attempts. The effectiveness of these mechanisms has led GameOver ZeuS to be considered a sophisticated botnet,[9] with US Deputy Attorney General James M. Cole calling it "the most sophisticated and damaging botnet we have ever encountered".[10] Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well-secured against the efforts of law enforcement and security experts.[11]

Crawlers were inhibited via various means. Each bot had fifty peers;[12] however, a bot that was requested to provide a list of its peers would only return ten.[13] Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatic blacklisting,[14] halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations.[15]

Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet.[b][17] GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts.[18]

In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers.[19] The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network.[4]
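As an added illustration of the defender's side of this fallback mechanism (it is not code from the article, from any GOZ sample, or from the Operation Tovar team), the Python below scores DNS resolver logs for the pattern just described: a host that has lost its peers and is walking a generated domain list produces a burst of NXDOMAIN answers for many distinct, random-looking names. The log format, the sample lines and the thresholds are constructed assumptions, and the entropy and NXDOMAIN-count heuristics are generic DGA indicators rather than anything specific to GOZ's algorithm.

```python
"""Spot DGA fallback behaviour in DNS resolver logs.

Added example for illustration; it is not code from the article, from any
GOZ sample, or from the Operation Tovar team. A bot that has lost all of its
peers walks a long list of algorithmically generated names, nearly all of
which are unregistered, so one client produces a burst of NXDOMAIN answers
for many distinct, random-looking second-level labels. The log format,
the sample lines and the thresholds below are constructed assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log, one answer per line: "<unix_time> <client> <qname> <rcode>".
SAMPLE_LOG = """\
1401408000 10.0.0.5 www.example.com NOERROR
1401408001 10.0.0.5 mail.example.com NOERROR
1401408004 10.0.0.5 exmaple.com NXDOMAIN
1401408002 10.0.0.7 xk3qpr9vzl2mtbw.com NXDOMAIN
1401408002 10.0.0.7 j8wq2ntc5zbdlpe.net NXDOMAIN
1401408003 10.0.0.7 qv7rmkz4xpl0tbh.org NXDOMAIN
1401408003 10.0.0.7 hn4zx8gkwqm1svd.biz NXDOMAIN
1401408004 10.0.0.7 t6bpzr3lmkxw9cn.com NXDOMAIN
1401408004 10.0.0.7 c2vqjh7xnmzk5rp.net NXDOMAIN
1401408005 10.0.0.7 www.example.com NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """'www.example.com' -> 'example'; single-label names are returned unchanged."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_log(text):
    """Return (client, qname, rcode) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        records.append((client, qname.lower(), rcode.upper()))
    return records


def client_stats(text):
    """Per client: NXDOMAIN count, distinct failed second-level labels, mean label entropy."""
    failed = defaultdict(list)  # client -> second-level labels that did not resolve
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            failed[client].append(second_level_label(qname))
    stats = {}
    for client, labels in failed.items():
        distinct = set(labels)
        stats[client] = {
            "nxdomain": len(labels),
            "distinct_labels": len(distinct),
            "mean_entropy": sum(shannon_entropy(lab) for lab in distinct) / len(distinct),
        }
    return stats


def flag_dga_clients(text, min_nxdomain=5, min_distinct=5, min_entropy=3.3):
    """Clients whose failed lookups are numerous, varied and high-entropy (assumed thresholds)."""
    flagged = []
    for client, s in client_stats(text).items():
        if (s["nxdomain"] >= min_nxdomain
                and s["distinct_labels"] >= min_distinct
                and s["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, s in sorted(client_stats(SAMPLE_LOG).items()):
        print(client, s)
    print("suspected DGA clients:", flag_dga_clients(SAMPLE_LOG))
```

On the constructed log only 10.0.0.7 is reported; the single typo lookup from 10.0.0.5 stays below the count threshold. In practice the thresholds are tuned per resolver, and once the generator itself has been reverse-engineered, defenders can go a step further and register or sinkhole the upcoming domains ahead of the operators, which is what the page describes the Operation Tovar team doing.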

A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses.[20] The malware itself was also difficult to remove, owing to a rootkit contained in it.[21] The rootkit, Necurs, was taken from a different piece of malware.[22]

Interface

The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts.[23] A special token grabber panel existed for man-in-the-browser attacks used to obtain bank login credentials; logging into a bank account usually involves authentication measures in addition to a username and password, such as a one-time code or security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim.[24] The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks".[25] Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to.[26] Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.[20]

Activity

GOZ was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.[27]

From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion; however, other revenue streams such as click fraud and renting out the botnet were known to exist.[28]

Management

The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev,[c] the creator of the original Zeus Trojan and the immediate predecessor to GOZ, Jabber Zeus.[25][29]

Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club,[28] mostly Russians and Ukrainians.[30] The network also employed technical support staff for the malware.[6] The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar.[25] Business club members did not exclusively use GOZ and were often members of other malware networks.[31]

In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work.[32] Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.[33]

Bank theft

GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging.[34] However, the malware was capable of using browser hijacking to bypass two-factor authentication. By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money,[24] usually hundreds of thousands or millions of dollars.[28] In one instance, $6.9 million was stolen from a single victim.[35] In 2013, GOZ accounted for 38% of thefts pursued in this manner.[36] Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion.[27] Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities.[32] By June 2014 it was estimated that between $70 million and $100 million had been stolen via GOZ.[37][38]

The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended.[25] The final destination of most money mule transfers was shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border.[39]

CryptoLocker

In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key.[32] Josephine Wolff, assistant professor of cybersecurity policy at Tufts University,[40] has speculated that the pivot to ransomware had two motivations: firstly, to set up a more secure means of making money off of GOZ, as ransomware could take money from victims with less work on the criminals' end and the anonymous payment methods did not need to be laundered through money mules,[32] whose loyalties were in question since they did not know they were working for criminals; and secondly, to take advantage of the criminals' access to data on infected computers that was significant to victims but of no value to criminals, such as photographs and emails.[41] Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.[28]

About 200,000 computers were attacked by Cryptolocker beginning in 2013.[35] The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen.[42] However, Michael Sandee has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity.[43] Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.[44]

Espionage

Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine,[45] and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government.[46] The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014.[47] OPEC member states were also targeted.[30] Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent",[48] and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense".[46] Botnets used for espionage were run separately from those used for financial crime.

It is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret.[48] Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended,[49] despite living openly and under his own name in Russia.[46]

History

Origins and name

GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus.[50] Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action.[28] In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus.[51] In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants.[27][52] Graff has suggested the possibility that Bogachev himself was responsible for the leak.[28]

The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel.[53] Other names have included peer-to-peer ZeuS, ZeuS3,[54] and GoZeus.[55]

Shutdown of the botnet

The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar".[56] Three previous attempts between 2012 and January 2013 to take down the botnet were unsuccessful,[28] including one attempt in March 2012 by Microsoft to use legal action to have GOZ-controlled servers and domains seized, which failed due to the peer-to-peer architecture of GameOver ZeuS.[27] Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ.[57] By 2014,[28] authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server combined with interviews with former money mules allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email with the IP used to administer the botnet;[58] although he had used a VPN, Bogachev had used the same one for both tasks.[59] The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities,[60] with Ukraine being the first to do so on May 7, 2014.[35] With preparations finished, Operation Tovar began on May 30. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers.[57] The technical details of the operation largely remain classified.[60]

On June 2, the Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day.[61] However, authorities also warned that the botnet would likely return within two weeks.[62] On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent.[44] On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest,[63] at the time the largest-ever reward for a cybercriminal.[1][d]

Re-emergence as "newGOZ"

Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies.[66] The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Michael Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into.[52] However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet.[67] The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down".[68]
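The fast-flux hosting that newGOZ moved to leaves a different fingerprint in DNS data than the DGA fallback of the original botnet: the name itself stays constant while the answers churn. As an added example that is not code from the article or from any analysis of newGOZ, the Python below applies the standard fast-flux indicators (many distinct addresses spread across networks, very short TTLs, and a new address on nearly every lookup) to a constructed set of resolution records. The record format, the sample data (drawn from the RFC 5737 documentation address ranges) and the thresholds are assumptions.

```python
"""Flag domains whose answers look like fast flux.

Added example for illustration, not code from the article or from any
analysis of newGOZ. A fast-flux domain answers with addresses drawn from
a pool of proxies that changes on nearly every lookup and carries a very
short TTL, so the hosts fronting the real server can be rotated before
anyone can block them. The record format, the sample resolutions and the
thresholds below are constructed assumptions.
"""
from collections import defaultdict
from statistics import median

# Constructed sample, one answer record per line: "<seconds> <domain> <ip> <ttl>".
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_RESOLUTIONS = """\
0    cdn.example.net 203.0.113.10 3600
600  cdn.example.net 203.0.113.10 3600
1200 cdn.example.net 203.0.113.11 3600
1800 cdn.example.net 203.0.113.10 3600
0    update-portal.example 198.51.100.12 120
120  update-portal.example 198.51.100.77 120
240  update-portal.example 192.0.2.8 120
360  update-portal.example 198.51.100.201 120
480  update-portal.example 192.0.2.150 120
600  update-portal.example 198.51.100.33 120
"""


def parse_resolutions(text):
    """Return (domain, ip, ttl) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, domain, ip, ttl = parts
        records.append((domain.lower(), ip, int(ttl)))
    return records


def domain_stats(text):
    """Per domain: lookups, distinct addresses, distinct /24 networks, median TTL, churn."""
    per_domain = defaultdict(list)
    for domain, ip, ttl in parse_resolutions(text):
        per_domain[domain].append((ip, ttl))
    stats = {}
    for domain, answers in per_domain.items():
        ips = {ip for ip, _ in answers}
        networks = {ip.rsplit(".", 1)[0] for ip in ips}  # crude /24 grouping
        stats[domain] = {
            "lookups": len(answers),
            "distinct_ips": len(ips),
            "distinct_networks": len(networks),
            "median_ttl": median(ttl for _, ttl in answers),
            # Fraction of lookups that produced a never-before-seen address.
            "churn": len(ips) / len(answers),
        }
    return stats


def flag_fast_flux(text, min_ips=5, min_networks=2, max_ttl=300, min_churn=0.5):
    """Domains with many short-lived, widely spread addresses and high per-lookup churn."""
    flagged = []
    for domain, s in domain_stats(text).items():
        if (s["distinct_ips"] >= min_ips
                and s["distinct_networks"] >= min_networks
                and s["median_ttl"] <= max_ttl
                and s["churn"] >= min_churn):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in sorted(domain_stats(SAMPLE_RESOLUTIONS).items()):
        print(domain, s)
    print("suspected fast-flux domains:", flag_fast_flux(SAMPLE_RESOLUTIONS))
```

The legitimate CDN name in the sample also rotates between two addresses, which is why the check requires address spread across networks and a short TTL as well, not churn alone; large content networks can otherwise trip a naive distinct-address count.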

The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections – the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus.[69] On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ.[70] Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well.[71] As of 2017, variants of Zeus constitute 28% of all banking malware.[72] However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware.[52]


Notes and references

Notes

  1. In the context of P2P botnet monitoring, a crawler is a program that, using the botnet's communication protocol, requests a given bot's peers, then requests a list of peers from each bot in the original bot's list of peers, and so on until the whole botnet is mapped.[7] A sensor infiltrates the peer list of several bots and logs attempts to contact it from the bots in the network.[8]
  2. Sinkholing is a technique used to take down botnets in which a special sensor is deployed within the botnet. The sensor, also known as a sinkhole, cuts off contact between bots and their controllers.[16]
  3. Also known as "lucky12345" and "Pollingsoon".
  4. This has since been exceeded by the reward of $5 million issued on December 5, 2019, for information leading to Evil Corp head Maksim Yakubets's arrest.[64] Yakubets had previously worked with Bogachev as part of the Jabber Zeus crew.[65]

References

  1. Wolff 2018, p. 59.
  2. Etaher, Weir & Alazab 2015, p. 1386.
  3. Andriesse et al. 2013, p. 117.
  4. Wolff 2018, p. 61.
  5. Andriesse et al. 2013, p. 116.
  6. Sandee 2015, p. 6.
  7. Karuppayah 2018, p. 4.
  8. Karuppayah 2018, p. 15.
  9. Karuppayah 2018, p. 44.
  10. Silver, Joe (June 2, 2014). "Governments disrupt botnet "Gameover ZeuS" and ransomware "Cryptolocker"". Ars Technica. Archived from the original on June 5, 2023. Retrieved July 21, 2023.
  11. Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
  12. Karuppayah 2018, p. 40.
  13. Karuppayah 2018, p. 20.
  14. Karuppayah 2018, pp. 22–23.
  15. Karuppayah 2018, p. 31.
  16. Karuppayah 2018, p. 79.
  17. Karuppayah 2018, p. 21.
  18. Karuppayah 2018, p. 23.
  19. Andriesse et al. 2013, p. 118.
  20. Sandee 2015, p. 7.
  21. Etaher, Weir & Alazab 2015, p. 1387.
  22. Zorabedian, John (March 4, 2014). "SophosLabs: Gameover banking malware now has a rootkit for better concealment". Sophos News. Archived from the original on May 29, 2023. Retrieved July 20, 2023.
  23. Sandee 2015, p. 15.
  24. Sandee 2015, pp. 16–17.
  25. Krebs, Brian (August 5, 2014). "Inside the $100M 'Business Club' Crime Gang". Krebs on Security. Archived from the original on May 27, 2023. Retrieved July 8, 2023.
  26. Sandee 2015, p. 17.
  27. Stone-Gross, Brett (July 23, 2012). "The Lifecycle of Peer to Peer (Gameover) ZeuS". Secureworks. Archived from the original on May 28, 2023. Retrieved July 16, 2023.
  28. Graff, Garrett M. (March 21, 2017). "Inside the Hunt for Russia's Most Notorious Hacker". WIRED. Archived from the original on April 23, 2023. Retrieved July 8, 2023.
  29. Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
  30. Korolov, Maria (August 7, 2015). "GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC". CSO Online. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
  31. Sandee 2015, p. 9.
  32. Wolff 2018, p. 63.
  33. Wolff 2018, p. 65.
  34. Wolff 2018, p. 62.
  35. Perez, Evan (June 3, 2014). "U.S. takes out computer malware that stole millions". CNN. Archived from the original on June 3, 2023. Retrieved July 21, 2023.
  36. Etaher, Weir & Alazab 2015, p. 1388.
  37. Gross, Garrett (March 2016). "Detecting and destroying botnets". Network Security. 2016 (3): 8. doi:10.1016/S1353-4858(16)30027-7. ISSN 1353-4858. OCLC 6017168570. S2CID 29356524.
  38. Musil, Steven (June 2, 2014). "US disrupts $100M GameOver Zeus malware cybercrime ring". CNET. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
  39. Sandee 2015, pp. 18–20.
  40. Wolff, Josephine (January 27, 2019). "Two-Factor Authentication Might Not Keep You Safe". The New York Times. Archived from the original on June 27, 2023. Retrieved July 23, 2023.
  41. Wolff 2018, pp. 69–70.
  42. Wolff 2018, p. 64.
  43. Sandee 2015, p. 3.
  44. Wolff 2018, p. 68.
  45. Sandee 2015, p. 21.
  46. Schwirtz, Michael; Goldstein, Joseph (March 12, 2017). "Russian Espionage Piggybacks on a Cybercriminal's Hacking". The New York Times. Archived from the original on May 25, 2023. Retrieved July 17, 2023.
  47. Stevenson, Alastair (August 6, 2015). "The Russian government may be protecting the creator of the world's most infamous malware". Business Insider. Archived from the original on April 23, 2023. Retrieved July 16, 2023.
  48. Brewster, Thomas (August 5, 2015). "FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government". Forbes. Archived from the original on May 8, 2023. Retrieved July 16, 2023.
  49. Sandee 2015, p. 23.
  50. Peterson, Sandee & Werner 2015, 8:00–8:33.
  51. Bartz, Diane (October 29, 2010). Reuters. Archived from the original on December 10, 2022. Retrieved July 23, 2023.
  52. Sandee 2015, p. 5.
  53. Peterson, Sandee & Werner 2015, 7:18–7:27.
  54. Sandee 2015, p. 2.
  55. Hay, Andrew (March 5, 2020). "Gameover ZeuS Switches From P2P to DGA". Cisco Umbrella. Archived from the original on May 30, 2023. Retrieved July 8, 2023.
  56. Krebs, Brian (June 2, 2014). "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. Archived from the original on June 4, 2023. Retrieved July 21, 2023.
  57. Franceschi-Bicchierai, Lorenzo (August 12, 2015). "How the FBI Took Down the Botnet Designed to Be 'Impossible' to Take Down". VICE. Archived from the original on June 22, 2022. Retrieved July 21, 2023.
  58. Wolff 2018, pp. 64–66.
  59. Peterson, Sandee & Werner 2015, 41:06–41:31.
  60. Wolff 2018, p. 67.
  61. Trautman, Lawrence J.; Ormerod, Peter C. (Winter 2019). "Wannacry, Ransomware, and the Emerging Threat to Corporations" (PDF). Tennessee Law Review. 86 (2): 512. doi:10.2139/ssrn.3238293. ISSN 0040-3288. OCLC 1304267714. S2CID 169254390. SSRN 3238293 – via ResearchGate.
  62. Dignan, Larry (June 2, 2014). "GameOver Zeus botnet seized; Two week window to protect yourself, say authorities". ZDNET. Archived from the original on July 2, 2023. Retrieved July 23, 2023.
  63. Kravets, David (February 24, 2015). "US offers $3 million reward for capture of GameOver ZeuS botnet admin". Ars Technica. Archived from the original on April 16, 2023. Retrieved July 21, 2023.
  64. Dobrynin, Sergei; Krutov, Mark (December 11, 2019). "In Lavish Wedding Photos, Clues To An Alleged Russian Cyberthief's FSB Family Ties". Radio Free Europe. Archived from the original on July 22, 2023. Retrieved July 23, 2023.
  65. Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect "Tank" Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
  66. Krebs, Brian (July 10, 2014). "Crooks Seek Revival of 'Gameover Zeus' Botnet". Krebs on Security. Archived from the original on February 1, 2023. Retrieved July 7, 2023.
  67. Brewster, Tom (July 11, 2014). "Gameover Zeus returns: thieving malware rises a month after police action". The Guardian. Archived from the original on January 24, 2023. Retrieved July 7, 2023.
  68. Constantin, Lucian (July 11, 2014). "The Gameover Trojan program is back, with some modifications". CSO Online. Archived from the original on July 7, 2023. Retrieved July 7, 2023.
  69. Cosovan, Doina (August 6, 2014). "Gameover Zeus Variants Targeting Ukraine, US". Bitdefender Blog. Archived from the original on May 16, 2022. Retrieved July 8, 2023.
  70. Constantin, Lucian (August 14, 2014). "New Gameover Zeus botnet keeps growing, especially in the US". CSO Online. Archived from the original on July 8, 2023. Retrieved July 8, 2023.
  71. Asher-Dotan, Lital (July 1, 2015). "The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins". Malicious Life by Cybereason. Archived from the original on March 7, 2022. Retrieved July 23, 2023.
  72. Gezer, Ali; Warner, Gary; Wilson, Clifford; Shrestha, Prakash (July 2019). "A flow-based approach for Trickbot banking trojan detection". Computers & Security. 84: 180. doi:10.1016/j.cose.2019.03.013. ISSN 0167-4048. OCLC 8027301558. S2CID 88494516.

General sources

  • Andriesse, Dennis; Rossow, Christian; Stone-Gross, Brett; Plohmann, Daniel; Bos, Herbert (October 22–24, 2013). "Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus" (PDF). 2013 8th International Conference on Malicious and Unwanted Software: "The Americas". International Conference on Malicious and Unwanted Software. Fajardo: IEEE. pp. 116–123. doi:10.1109/MALWARE.2013.6703693. ISBN 978-1-4799-2534-6. S2CID 18391912.
  • Etaher, Najla; Weir, George R.S.; Alazab, Mamoun (August 20–22, 2015). "From ZeuS to Zitmo: Trends in Banking Malware" (PDF). 2015 IEEE Trustcom/BigDataSE/ISPA. IEEE International Conference on Trust, Security and Privacy in Computing and Communications. Helsinki: IEEE. pp. 1386–1391. doi:10.1109/Trustcom.2015.535. ISBN 978-1-4673-7952-6. OCLC 8622928059. S2CID 2703081.
  • Karuppayah, Shankar (2018). Advanced Monitoring in P2P Botnets: A Dual Perspective. Singapore: Springer. doi:10.1007/978-981-10-9050-9. eISSN 2522-557X. ISBN 978-981-10-9049-3. ISSN 2522-5561. LCCN 2018940630. OCLC 1036733978. S2CID 1919346.
  • Peterson, Elliott; Sandee, Michael; Werner, Tillmann (August 5, 2015). GameOver Zeus: Badguys And Backends (Speech). Black Hat Briefings. Las Vegas. Archived from the original on March 31, 2023. Retrieved May 7, 2023. (Full speech via YouTube.)
  • Sandee, Michael (August 5, 2015). GameOver ZeuS: Backgrounds on the Badguys and the Backends (PDF). Black Hat Briefings. Las Vegas.
  • Wolff, Josephine (2018). You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. Cambridge, MA: The MIT Press. ISBN 9780262038850. LCCN 2018010219. OCLC 1029793778. S2CID 159378060.

External links

  • Wanted poster of Bogachev
  • Indictment of Bogachev for ZeuS-facilitated crimes

gameover, zeus, gameover, zeus, also, known, peer, peer, zeus, zeus3, gozeus, trojan, horse, developed, russian, cybercriminal, evgeniy, bogachev, created, 2011, successor, jabber, zeus, another, project, bogachev, malware, notorious, usage, bank, fraud, resul. GameOver ZeuS GOZ also known as peer to peer P2P ZeuS ZeuS3 and GoZeus is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev Created in 2011 as a successor to Jabber Zeus another project of Bogachev s the malware is notorious for its usage in bank fraud resulting in damages of approximately 100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted resulting in millions of dollars of losses At the peak of its activity in 2012 and 2013 between 500 000 and 1 million computers were infected with GameOver ZeuS GameOver ZeuSFBI produced diagram overviewing GOZFamilyZeusClassificationTrojanInfection vectorEmail spamAuthor s Evgeniy BogachevThe original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim s computer The infected computer was then integrated into a botnet considered to be one of the most sophisticated and secure botnets in the world at the time The GOZ botnet was particularly notable for its decentralized peer to peer infrastructure which combined with other security measures such as rootkits made shutting down the botnet extremely difficult The botnet s activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the business club which was primarily based in Russia and Eastern Europe The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks used as both retaliation and as a form of distraction during thefts In 2014 the original GameOver ZeuS botnet was shut down by a collaboration between several countries law enforcement 
and private cybersecurity firms named Operation Tovar Bogachev was indicted shortly after and a reward of 3 million was issued for information leading to his arrest at the time the highest reward for a cybercriminal in history Less than two months after Operation Tovar was executed a new strain of GameOver ZeuS was discovered Named newGOZ it lacked peer to peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ The involvement of the original GameOver ZeuS administrators in newGOZ s activity since its creation is disputed Contents 1 Technical details 1 1 Botnet structure 1 2 Security 1 3 Interface 2 Activity 2 1 Management 2 2 Bank theft 2 3 CryptoLocker 2 4 Espionage 3 History 3 1 Origins and name 3 2 Shutdown of the botnet 3 3 Re emergence as newGOZ 4 See also 5 Notes and references 5 1 Notes 5 2 References 6 General sources 7 External linksTechnical details editBotnet structure edit Machines infected with GOZ were integrated into a botnet a system of several devices that could be controlled remotely through the malware At the peak of GOZ activity from 2012 to 2013 the botnet comprised between 500 000 and one million compromised computers 1 Botnet building capabilities were common to all ZeuS variants however while previous iterations of the malware created centralized botnets wherein all infected devices were connected directly to a command and control C2 server GameOver ZeuS utilized a decentralized peer to peer infrastructure 2 The botnet was organized into three layers The lowest layer was made up of the infected machines some of which were manually designated proxy bots by the criminal group Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group The second layer served to create distance between the infected machines and the highest layer from which commands were issued and to which data from the infected machines was sent 3 This infrastructure 
made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time.[4] Although the botnet as a whole was structured like this, the network was partitioned into several sub-botnets, each run by a different botmaster.[5] Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes.[6]

Security

GOZ contained several security features designed to prevent full analysis of the botnet, particularly by restricting the activities of crawlers and sensors,[a] as well as to prevent shutdown attempts. The effectiveness of these mechanisms has led GameOver ZeuS to be considered a sophisticated botnet,[9] with US Deputy Attorney General James M. Cole calling it "the most sophisticated and damaging botnet we have ever encountered".[10] Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well secured against the efforts of law enforcement and security experts.[11]

Crawlers were inhibited via various means. Each bot had fifty peers;[12] however, a bot that was requested to provide a list of its peers would only return ten.[13] Additionally, requesting peer lists was rate-limited, such that rapid requests from an IP address would result in that address being flagged as a crawler and automatically blacklisted,[14] halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations.[15] Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet.[b][17] GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts.[18] In the event a GOZ
bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers.[19] The DGA generated one thousand domains every week, and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network.[4]

A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and to develop appropriate responses.[20] The malware itself was also difficult to remove, owing to a rootkit contained in it.[21] The rootkit, Necurs, was taken from a different piece of malware.[22]

Interface

The interface controlling the botnet could be used to read data logged by the bots and to execute commands, including custom scripts.[23] A special "token grabber" panel existed for man-in-the-browser attacks used to obtain bank login credentials: logging into a bank account usually involves authentication measures in addition to a username and password, such as a one-time code or a security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim.[24] The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks".[25] Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a destination account to which money would be indirectly sent.[26] Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.[20]

Activity

GOZ was spread using spam emails impersonating various groups, such as online retailers, financial institutions, and cell phone
companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.[27] From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion; however, other revenue streams, such as click fraud and renting out the botnet, were known to exist.[28]

Management

The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev,[c] the creator of the original Zeus Trojan and of the immediate predecessor to GOZ, Jabber Zeus.[25][29] Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014, there were around fifty members of the business club,[28] mostly Russians and Ukrainians.[30] The network also employed technical support staff for the malware.[6] The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar.[25] Business club members did not exclusively use GOZ and were often members of other malware networks.[31] In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet offering part-time work.[32] Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.[33]

Bank theft

GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging.[34] However, the malware was capable of using browser hijacking to bypass two-factor authentication. By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log
into the victim's account. Once the victim logged in to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money,[24] usually hundreds of thousands or millions of dollars.[28] In one instance, $6.9 million was stolen from a single victim.[35] In 2013, GOZ accounted for 38% of thefts pursued in this manner.[36] Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion.[27] Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities.[32] By June 2014, it was estimated that between $70 million and $100 million had been stolen via GOZ.[37][38] The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended.[25] Most money mule transfers ultimately went to shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border.[39]

CryptoLocker

Main article: CryptoLocker

In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key.[32] Josephine Wolff, assistant professor of cybersecurity policy at Tufts University,[40] has speculated that the motivation behind pivoting to ransomware was twofold: firstly, to set up a more secure means of making money off of GOZ, as ransomware could take money from victims for less work on
the criminals' end, and the anonymous payment methods did not need to be laundered through money mules,[32] whose loyalties were in question since they did not know they were working for criminals; and secondly, to take advantage of the criminals' access to data on infected computers that was significant to victims but of no value to the criminals, such as photographs and emails.[41] Journalist Garrett Graff has also suggested that ransomware served to transform "dead weight" into profit by extracting money from victims whose bank balances were too small to warrant directly stealing from.[28] About 200,000 computers were attacked by CryptoLocker beginning in 2013.[35] The amount of money Bogachev and associates made from CryptoLocker is unclear. Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen.[42] However, Michael Sandee has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity.[43] Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure but in the precedent it set in CryptoLocker for future ransomware attacks.[44]

Espionage

Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine,[45] and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government.[46] The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014.[47] OPEC member states were also targeted.[30] Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials; searches in Turkey looked for information regarding Syria; searches in Ukraine used generic keywords such as "federal security service" and "security agent";[48] and searches in the US looked for documents containing phrases such as "top secret" and "Department
of Defense".[46] Botnets used for espionage were run separately from those used for financial crime. It is unclear who was responsible for the espionage operations. While security researcher Tillmann Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that, because his circle of criminal associates included Ukrainians, he would have had to keep the espionage secret.[48] Sandee has speculated that the botnet's usage for espionage afforded Bogachev a level of protection that can explain why he has yet to be apprehended,[49] despite living openly and under his own name in Russia.[46]

History

Origins and name

GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus.[50] Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action.[28] In late 2010, Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus.[51] In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants.[27][52] Graff has suggested the possibility that Bogachev himself was responsible for the leak.[28] The name "GameOver ZeuS" was invented by security researchers and comes from a file named gameover2.php used by the C2 channel.[53] Other names have included peer-to-peer ZeuS, ZeuS3,[54] and GoZeus.[55]

Shutdown of the botnet

Main article: Operation Tovar

The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed Operation Tovar.[56] Three previous attempts
between 2012 and January 2013 to take down the botnet were unsuccessful,[28] including one attempt in March 2012 by Microsoft to use legal action to have GOZ-controlled servers and domains seized, which failed due to the peer-to-peer architecture of GameOver ZeuS.[27] Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ.[57] By 2014,[28] authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server, combined with interviews with former money mules, allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email with the IP used to administer the botnet;[58] although he had used a VPN, Bogachev had used the same one for both tasks.[59] The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities,[60] with Ukraine being the first to do so, on May 7, 2014.[35] With preparations finished, Operation Tovar began on May 30. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers.[57] The technical details of the operation largely remain classified.[60] On June 2, the Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day.[61] However, authorities also warned that the botnet would likely return within two weeks.[62] On July 11, the DOJ stated that, as a result of the operation, GOZ infections were down 32 percent.[44] On February 24, 2015, the
Justice Department announced a reward of $3 million for information leading to Bogachev's arrest,[63] at the time the largest ever reward for a cybercriminal.[1][d]

Re-emergence as newGOZ

Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting instead to create a botnet structure using fast flux, a technique in which phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies.[66] The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear. Michael Sandee believed newGOZ to be a trick to give away the malware's source code and create a distraction for Bogachev to disappear into.[52] However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet.[67] The original GameOver ZeuS and newGOZ botnets were separate entities: the lists of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down".[68] The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections, with the former variant primarily infecting systems in the US and the latter targeting computers in Ukraine and Belarus.[69] On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ.[70] Other GOZ variants, including "Zeus in the Middle", which targets mobile phones, have been reported as well.[71] As of 2017, variants of Zeus constitute 28% of all banking malware.[72] However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware.[52]
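To make the crawler-inhibition figures given in the Security section concrete (fifty peers per bot, ten disclosed per request, rate-limited requests), the following simulation is added here; it is not code from the article, from the cited researchers, or from the malware itself. The overlay is a constructed random graph, and the rate-limit model (a bot blacklists a source IP after more than max_requests requests) is an assumption standing in for GOZ's real, unpublished parameters.

```python
"""Why ten-of-fifty peer disclosure and request rate-limiting hamper a
P2P botnet crawler.  Added simulation over a constructed random overlay;
not GameOver ZeuS's real topology, protocol or parameters."""
import random
from collections import deque

PEERS_PER_BOT = 50    # each bot kept fifty peers (Security section)
PEERS_DISCLOSED = 10  # but answered a peer-list request with only ten


def build_overlay(n_bots, rng, peers_per_bot=PEERS_PER_BOT):
    """Constructed overlay: every bot knows peers_per_bot random other bots."""
    overlay = {}
    for bot in range(n_bots):
        candidates = rng.sample(range(n_bots), peers_per_bot + 1)
        overlay[bot] = set([p for p in candidates if p != bot][:peers_per_bot])
    return overlay


def answer_peer_request(overlay, bot, rng, disclosed=PEERS_DISCLOSED):
    """A bot discloses only a random subset of its peer list."""
    return rng.sample(sorted(overlay[bot]), disclosed)


def crawl(overlay, seed_bot, rng, queries_per_bot=1, max_requests=3):
    """Breadth-first crawl from a single crawler IP.

    Every discovered bot is asked queries_per_bot times for its peers.
    Rate-limit model (an assumption): a bot that receives more than
    max_requests from the same IP blacklists that IP and stops answering.
    Returns (discovered bots, discovered directed edges, bots that blacklisted us).
    """
    discovered = {seed_bot}
    edges = set()
    blacklisted_by = set()
    requests = {}
    queue = deque([seed_bot])
    while queue:
        bot = queue.popleft()
        for _ in range(queries_per_bot):
            requests[bot] = requests.get(bot, 0) + 1
            if requests[bot] > max_requests:
                blacklisted_by.add(bot)
                break
            for peer in answer_peer_request(overlay, bot, rng):
                edges.add((bot, peer))
                if peer not in discovered:
                    discovered.add(peer)
                    queue.append(peer)
    return discovered, edges, blacklisted_by


def coverage(n_bots=300, seed=7, **crawl_kwargs):
    """Fraction of bots and of peer-list entries one crawl recovers."""
    rng = random.Random(seed)
    overlay = build_overlay(n_bots, rng)
    total_edges = sum(len(peers) for peers in overlay.values())
    bots, edges, blacklisted_by = crawl(overlay, 0, rng, **crawl_kwargs)
    return {
        "bot_coverage": len(bots) / n_bots,
        "edge_coverage": len(edges) / total_edges,
        "blacklisted_by": len(blacklisted_by),
    }


if __name__ == "__main__":
    print("one request per bot:        ", coverage())
    print("three requests per bot:     ", coverage(queries_per_bot=3))
    print("five requests, limit three: ", coverage(queries_per_bot=5, max_requests=3))
```

The takeaway is that a single polite pass still finds nearly every bot (each bot is named in many peer lists), but it maps exactly one fifth of the peer-list entries, so the recovered topology is a thin sample of the real one; asking each bot repeatedly recovers more edges, yet under the rate limit every bot the crawler leans on ends up blacklisting it.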
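The Operation Tovar account above notes that the team reverse-engineered the DGA so that attempts to restore the botnet could be preempted and redirected, and the Security section states that a bot cut off from its peers tries every one of the week's thousand generated domains. The example below, added here and not taken from the article or the task force, shows what holding a DGA buys a defender: the week's domains are computed ahead of time and matched against DNS logs. placeholder_dga is a constructed stand-in keyed on the ISO week, not GameOver ZeuS's actual algorithm, which is not reproduced here; the log format, client addresses and TLD set are likewise constructed.

```python
"""Using a reverse-engineered DGA defensively: pre-generate the week's
domains, then hunt for hosts that resolve them.  Added example; the DGA
below is a constructed placeholder, NOT GameOver ZeuS's real algorithm."""
import datetime as dt
import hashlib
from collections import defaultdict

DOMAINS_PER_WEEK = 1000              # GOZ generated one thousand domains a week
TLDS = ("com", "net", "org", "biz")  # assumption for the placeholder only


def placeholder_dga(year, week, count=DOMAINS_PER_WEEK):
    """Placeholder DGA keyed on the ISO year/week.  It shares only the
    property defenders rely on: whoever holds the algorithm can compute
    the full set of domains a bot will try in a given week, in advance."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{year}-W{week:02d}-{i}".encode()).hexdigest()
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{digest[:12]}.{tld}")
    return domains


def weekly_watchlist(day, weeks_ahead=1):
    """Domains for the ISO week containing `day` plus `weeks_ahead` following
    weeks, so blocking or sinkholing is in place before bots start trying them."""
    watch = set()
    for offset in range(weeks_ahead + 1):
        year, week, _ = (day + dt.timedelta(weeks=offset)).isocalendar()
        watch.update(placeholder_dga(year, week))
    return watch


def parse_dns_log(line):
    """Constructed log format: '<iso-timestamp> <client-ip> <qname>'."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def find_dga_queries(log_lines, watchlist):
    """Map client IP -> sorted distinct watchlisted domains it resolved."""
    hits = defaultdict(set)
    for line in log_lines:
        _, client, qname = parse_dns_log(line)
        if qname in watchlist:
            hits[client].add(qname)
    return {client: sorted(domains) for client, domains in hits.items()}


def likely_fallback_hosts(hits, min_distinct=3):
    """A bot that has lost its peers walks the whole generated list, so
    several distinct DGA names from one host is a much stronger signal
    than a single lookup (which could be a typo or a researcher's probe)."""
    return sorted(c for c, domains in hits.items() if len(domains) >= min_distinct)


# Constructed sample data.  June 2, 2014 (the day of the Tovar announcement)
# is a Monday; the watchlist covers its ISO week and the following one.
WATCHLIST = weekly_watchlist(dt.date(2014, 6, 2))
_WEEK23 = placeholder_dga(2014, 23)
SAMPLE_LOG = [
    f"2014-06-02T08:00:01 10.0.0.17 {_WEEK23[0]}",
    f"2014-06-02T08:00:02 10.0.0.17 {_WEEK23[1]}",
    f"2014-06-02T08:00:03 10.0.0.17 {_WEEK23[2]}",
    f"2014-06-02T08:00:04 10.0.0.17 {_WEEK23[3]}.",  # trailing dot, as some resolvers log
    "2014-06-02T08:01:00 10.0.0.9 www.example.com",
    f"2014-06-02T08:02:00 10.0.0.42 {_WEEK23[500].upper()}",  # case must not matter
    "2014-06-02T08:03:00 10.0.0.42 www.example.org",
]

if __name__ == "__main__":
    hits = find_dga_queries(SAMPLE_LOG, WATCHLIST)
    print(hits)
    print("probable DGA fallback hosts:", likely_fallback_hosts(hits))
```

Against the constructed log, 10.0.0.17 resolving four distinct generated names is the pattern of a bot that has lost its peers, while 10.0.0.42's single lookup is reported but not promoted; the same watchlist is what a sinkhole operator would register or redirect ahead of the week in which the bots would use it.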
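The newGOZ section above describes the replacement of the peer-to-peer layer with fast flux, a rapidly changing set of proxies behind one hostname. As an added example, not from the article or from Malcovery, the following heuristic flags a fast-flux domain in passive DNS observations by its signature of many distinct addresses across many networks with short TTLs, and shows why a CDN with the same short TTLs is not flagged. The observation format, domain names, addresses (private and documentation ranges) and thresholds are constructed assumptions; using /16 prefixes as a stand-in for network or ASN diversity is a simplification.

```python
"""Flagging fast-flux domains from observed DNS answers.  Added example
with constructed observations; thresholds are assumptions, not newGOZ's."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class DomainStats:
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /16s: crude stand-in for ASN diversity
    ttls: list = field(default_factory=list)
    answers: int = 0


def parse_observation(line):
    """Constructed format: '<epoch> <domain> <ttl> <ip,ip,...>'."""
    ts, domain, ttl, ips = line.split()
    return int(ts), domain.lower().rstrip("."), int(ttl), ips.split(",")


def collect(lines):
    """Aggregate per-domain address, prefix and TTL statistics."""
    stats = defaultdict(DomainStats)
    for line in lines:
        _, domain, ttl, ips = parse_observation(line)
        s = stats[domain]
        s.answers += 1
        s.ttls.append(ttl)
        for ip in ips:
            s.ips.add(ip)
            s.prefixes.add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return stats


def is_fast_flux(s, min_ips=10, min_prefixes=5, max_ttl=600):
    """Many distinct IPs spread over many networks with short TTLs is the
    fast-flux signature; a CDN also rotates IPs, but within few networks."""
    return (len(s.ips) >= min_ips
            and len(s.prefixes) >= min_prefixes
            and max(s.ttls) <= max_ttl)


def flag_fast_flux(lines, **thresholds):
    """Sorted list of domains in `lines` that meet the fast-flux thresholds."""
    return sorted(d for d, s in collect(lines).items() if is_fast_flux(s, **thresholds))


# Constructed observations: a flux candidate, a CDN-like name, a plain site.
SAMPLE_OBSERVATIONS = [
    # every answer brings five fresh hosts in five different networks
    "1401696000 update-check.example 300 10.1.4.22,10.2.9.13,10.3.77.5,10.4.1.200,10.5.60.9",
    "1401696300 update-check.example 300 10.6.4.22,10.7.9.13,10.8.77.5,10.9.1.200,10.10.60.9",
    "1401696600 update-check.example 300 10.11.4.22,10.12.9.13,10.13.77.5,10.14.1.200,10.15.60.9",
    "1401696900 update-check.example 300 10.16.4.22,10.17.9.13,10.18.77.5,10.19.1.200,10.20.60.9",
    # CDN-like: short TTL and a dozen addresses, but only two networks
    "1401696000 cdn.example 60 198.51.100.10,198.51.100.11,198.51.100.12,203.0.113.20,203.0.113.21,203.0.113.22",
    "1401696060 cdn.example 60 198.51.100.13,198.51.100.14,198.51.100.15,203.0.113.23,203.0.113.24,203.0.113.25",
    # ordinary site: two stable addresses, long TTL
    "1401696000 www.example 3600 192.0.2.10,192.0.2.11",
    "1401699600 www.example 3600 192.0.2.10,192.0.2.11",
]

if __name__ == "__main__":
    for domain, s in collect(SAMPLE_OBSERVATIONS).items():
        print(domain, len(s.ips), "ips", len(s.prefixes), "prefixes", "max ttl", max(s.ttls))
    print("fast flux:", flag_fast_flux(SAMPLE_OBSERVATIONS))
```

Only update-check.example meets all three conditions; relaxing min_prefixes to 1 would also pull in the CDN-like name, which is exactly the false positive the network-diversity condition exists to avoid.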
See also

- Timeline of computer viruses and worms

Similar Russian and Eastern European cybercrime groups:
- Avalanche, used botnets and email spam
- Berserk Bear, advanced persistent threat known to employ cybercriminals
- REvil, employed ransomware

Similar botnets:
- Conficker, an extremely prolific botnet at its peak
- Sality, another peer-to-peer botnet
- Torpig, another botnet spread through Trojan horses
- Tiny Banker Trojan, derived from Zeus
- ZeroAccess botnet, also P2P and spread via Trojans

Notes and references

Notes

[a] In the context of P2P botnet monitoring, a crawler is a program that, using the botnet's communication protocol, requests a given bot's peers, then requests a list of peers from each bot in the original bot's list of peers, and so on, until the whole botnet is mapped.[7] A sensor infiltrates the peer list of several bots and logs attempts to contact it from the bots in the network.[8]
[b] Sinkholing is a technique used to take down botnets in which a special sensor is deployed within the botnet. The sensor, also known as a sinkhole, cuts off contact between bots and their controllers.[16]
[c] Also known as "lucky12345" and "Pollingsoon".
[d] This has since been exceeded by the reward of $5 million issued on December 5, 2019, for information leading to Evil Corp head Maksim Yakubets's arrest.[64] Yakubets had previously worked with Bogachev as part of the Jabber Zeus crew.[65]

References

1. Wolff 2018, p. 59.
2. Etaher, Weir & Alazab 2015, p. 1386.
3. Andriesse et al. 2013, p. 117.
4. Wolff 2018, p. 61.
5. Andriesse et al. 2013, p. 116.
6. Sandee 2015, p. 6.
7. Karuppayah 2018, p. 4.
8. Karuppayah 2018, p. 15.
9. Karuppayah 2018, p. 44.
10. Silver, Joe (June 2, 2014). "Governments disrupt botnet 'Gameover ZeuS' and ransomware 'Cryptolocker'". Ars Technica. Archived from the original on June 5, 2023. Retrieved July 21, 2023.
11. Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
12. Karuppayah 2018, p. 40.
13. Karuppayah 2018, p. 20.
14. Karuppayah 2018, pp. 22-23.
15. Karuppayah 2018, p. 31.
16. Karuppayah 2018, p. 79.
17. Karuppayah 2018, p. 21.
18. Karuppayah 2018, p. 23.
19. Andriesse et al. 2013, p. 118.
20. Sandee 2015, p. 7.
21. Etaher, Weir & Alazab 2015, p. 1387.
22. Zorabedian, John (March 4, 2014). "SophosLabs: Gameover banking malware now has a rootkit for better concealment". Sophos News. Archived from the original on May 29, 2023. Retrieved July 20, 2023.
23. Sandee 2015, p. 15.
24. Sandee 2015, pp. 16-17.
25. Krebs, Brian (August 5, 2014). "Inside the $100M 'Business Club' Crime Gang". Krebs on Security. Archived from the original on May 27, 2023. Retrieved July 8, 2023.
26. Sandee 2015, p. 17.
27. Stone-Gross, Brett (July 23, 2012). "The Lifecycle of Peer-to-Peer (Gameover) ZeuS". Secureworks. Archived from the original on May 28, 2023. Retrieved July 16, 2023.
28. Graff, Garrett M. (March 21, 2017). "Inside the Hunt for Russia's Most Notorious Hacker". WIRED. Archived from the original on April 23, 2023. Retrieved July 8, 2023.
29. Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
30. Korolov, Maria (August 7, 2015). "GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC". CSO Online. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
31. Sandee 2015, p. 9.
32. Wolff 2018, p. 63.
33. Wolff 2018, p. 65.
34. Wolff 2018, p. 62.
35. Perez, Evan (June 3, 2014). "U.S. takes out computer malware that stole millions". CNN. Archived from the original on June 3, 2023. Retrieved July 21, 2023.
36. Etaher, Weir & Alazab 2015, p. 1388.
37. Gross, Garrett (March 2016). "Detecting and destroying botnets". Network Security. 2016 (3): 8. doi:10.1016/S1353-4858(16)30027-7. ISSN 1353-4858. OCLC 6017168570. S2CID 29356524.
38. Musil, Steven (June 2, 2014). "US disrupts $100M 'GameOver Zeus' malware cybercrime ring". CNET. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
39. Sandee 2015, pp. 18-20.
40. Wolff, Josephine (January 27, 2019). "Two-Factor Authentication Might Not Keep You Safe". The New York Times. Archived from the original on June 27, 2023. Retrieved July 23, 2023.
41. Wolff 2018, pp. 69-70.
42. Wolff 2018, p. 64.
43. Sandee 2015, p. 3.
44. Wolff 2018, p. 68.
45. Sandee 2015, p. 21.
46. Schwirtz, Michael; Goldstein, Joseph (March 12, 2017). "Russian Espionage Piggybacks on a Cybercriminal's Hacking". The New York Times. Archived from the original on May 25, 2023. Retrieved July 17, 2023.
47. Stevenson, Alastair (August 6, 2015). "The Russian government may be protecting the creator of the world's most infamous malware". Business Insider. Archived from the original on April 23, 2023. Retrieved July 16, 2023.
48. Brewster, Thomas (August 5, 2015). "FBI Most Wanted Cybercrime Kingpin Linked To Russian Espionage On US Government". Forbes. Archived from the original on May 8, 2023. Retrieved July 16, 2023.
49. Sandee 2015, p. 23.
50. Peterson, Sandee & Werner 2015, 8:00-8:33.
51. Bartz, Diane (October 29, 2010). "Analysis: Top hacker 'retires'; experts brace for his return". Reuters. Archived from the original on December 10, 2022. Retrieved July 23, 2023.
52. Sandee 2015, p. 5.
53. Peterson, Sandee & Werner 2015, 7:18-7:27.
54. Sandee 2015, p. 2.
55. Hay, Andrew (March 5, 2020). "Gameover ZeuS Switches From P2P to DGA". Cisco Umbrella. Archived from the original on May 30, 2023. Retrieved July 8, 2023.
56. Krebs, Brian (June 2, 2014). "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. Archived from the original on June 4, 2023. Retrieved July 21, 2023.
57. Franceschi-Bicchierai, Lorenzo (August 12, 2015). "How the FBI Took Down the Botnet Designed to Be Impossible to Take Down". VICE. Archived from the original on June 22, 2022. Retrieved July 21, 2023.
58. Wolff 2018, pp. 64-66.
59. Peterson, Sandee & Werner 2015, 41:06-41:31.
60. Wolff 2018, p. 67.
61. Trautman, Lawrence J.; Ormerod, Peter C. (Winter 2019). "Wannacry, Ransomware, and the Emerging Threat to Corporations" (PDF). Tennessee Law Review. 86 (2): 512. doi:10.2139/ssrn.3238293. ISSN 0040-3288. OCLC 1304267714. S2CID 169254390. SSRN 3238293. Via ResearchGate.
62. Dignan, Larry (June 2, 2014). "GameOver Zeus botnet seized: Two-week window to protect yourself, say authorities". ZDNET. Archived from the original on July 2, 2023. Retrieved July 23, 2023.
63. Kravets, David (February 24, 2015). "US offers $3 million reward for capture of GameOver ZeuS botnet admin". Ars Technica. Archived from the original on April 16, 2023. Retrieved July 21, 2023.
64. Dobrynin, Sergei; Krutov, Mark (December 11, 2019). "In Lavish Wedding Photos, Clues To An Alleged Russian Cyberthief's FSB Family Ties". Radio Free Europe. Archived from the original on July 22, 2023. Retrieved July 23, 2023.
65. Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect 'Tank' Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
66. Krebs, Brian (July 10, 2014). "Crooks Seek Revival of 'Gameover Zeus' Botnet". Krebs on Security. Archived from the original on February 1, 2023. Retrieved July 7, 2023.
67. Brewster, Tom (July 11, 2014). "Gameover Zeus returns: thieving malware rises a month after police action". The Guardian. Archived from the original on January 24, 2023. Retrieved July 7, 2023.
68. Constantin, Lucian (July 11, 2014). "The Gameover Trojan program is back, with some modifications". CSO Online. Archived from the original on July 7, 2023. Retrieved July 7, 2023.
69. Cosovan, Doina (August 6, 2014). "Gameover Zeus Variants Targeting Ukraine, US". Bitdefender Blog. Archived from the original on May 16, 2022. Retrieved July 8, 2023.
70. Constantin, Lucian (August 14, 2014). "New Gameover Zeus botnet keeps growing, especially in the US". CSO Online. Archived from the original on July 8, 2023. Retrieved July 8, 2023.
71. Asher-Dotan, Lital (July 1, 2015). "The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins". Malicious Life by Cybereason. Archived from the original on March 7, 2022. Retrieved July 23, 2023.
72. Gezer, Ali; Warner, Gary; Wilson, Clifford; Shrestha, Prakash (July 2019). "A flow-based approach for Trickbot banking trojan detection". Computers & Security. 84: 180. doi:10.1016/j.cose.2019.03.013. ISSN 0167-4048. OCLC 8027301558. S2CID 88494516.

General sources

- Andriesse, Dennis; Rossow, Christian; Stone-Gross, Brett; Plohmann, Daniel; Bos, Herbert (October 22-24, 2013). "Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus" (PDF). 2013 8th International Conference on Malicious and Unwanted Software: "The Americas". International Conference on Malicious and Unwanted Software. Fajardo: IEEE. pp. 116-123. doi:10.1109/MALWARE.2013.6703693. ISBN 978-1-4799-2534-6. S2CID 18391912.
- Etaher, Najla; Weir, George R. S.; Alazab, Mamoun (August 20-22, 2015). "From ZeuS to Zitmo: Trends in Banking Malware" (PDF). 2015 IEEE Trustcom/BigDataSE/ISPA. IEEE International Conference on Trust, Security and Privacy in Computing and Communications. Helsinki: IEEE. pp. 1386-1391. doi:10.1109/Trustcom.2015.535. ISBN 978-1-4673-7952-6. OCLC 8622928059. S2CID 2703081.
- Karuppayah, Shankar (2018). Advanced Monitoring in P2P Botnets: A Dual Perspective. Singapore: Springer. doi:10.1007/978-981-10-9050-9. eISSN 2522-557X. ISBN 978-981-10-9049-3. ISSN 2522-5561. LCCN 2018940630. OCLC 1036733978. S2CID 1919346.
- Peterson, Elliott; Sandee, Michael; Werner, Tillmann (August 5, 2015). GameOver Zeus: Badguys And Backends (Speech). Black Hat Briefings. Las Vegas. Archived from the original on March 31, 2023. Retrieved May 7, 2023. Full speech via YouTube.
- Sandee, Michael (August 5, 2015). GameOver ZeuS: Backgrounds on the Badguys and the Backends (PDF). Black Hat Briefings. Las Vegas.
- Wolff, Josephine (2018). You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches. Cambridge, MA: The MIT Press. ISBN 9780262038850. LCCN 2018010219. OCLC 1029793778. S2CID 159378060.

External links

- Wanted poster of Bogachev
- Indictment of Bogachev for ZeuS-facilitated crimes

Retrieved from https://en.wikipedia.org/w/index.php?title=Gameover_ZeuS&oldid=1192703556
