A U.S.-led international operation disrupted a crime ring that infected hundreds of thousands of computers around the globe with malicious software used for stealing banking credentials and extorting computer owners, the Justice Department said on Monday.
- U.S. cyberespionage charges laid against Chinese military
- BlackShades cybercrime ring busted in global raids
- Cybercriminals are eyeing these 5 targets in 2014
Authorities in nearly a dozen countries, including Canada, worked with private security companies to wrest control of the network of infected machines, known by the name of its master software, Gameover Zeus.
Court documents released on Monday said that between 500,000 and 1 million machines worldwide were infected with the malicious software, which was derived from the original "Zeus" trojan for stealing financial passwords that emerged in 2006.
Officials charged a Russian man with hacking, fraud and money-laundering, and court documents suggested they suspect he wrote Zeus, one of the most effective pieces of theft software ever found.
In addition to stealing from the online accounts of businesses and consumers, the Gameover Zeus crew installed other malicious programs, including one called Cryptolocker that encrypted files and demanded payments for their release. Cryptolocker alone infected more than 234,000 machines and won $27 million in ransom payments in just its first two months, the Justice Department said.
'Highly sophisticated and immensely lucrative'
The two programs together brought the gang more than $100 million, prosecutors said in court documents, including $198,000 in an unauthorized wire transfer from an unnamed Pennsylvania materials company and $750 in ransom from a police department in Massachusetts that had its investigative files encrypted.
What is a botnet?
Typically a 'bot' is installed on a machine through a trojan, an insidious program that can find its way into an insufficiently protected computer in a variety of ways, such as when a user clicks on a link to an infected web page or e-mail message, views an infected document, or runs an infected program.
Once the bot has made itself at home, it "opens the doors" of its new host computer to its master, who can instruct the machine to engage in various nefarious activities such as sending out spam and phishing e-mails, or launching distributed denial of service or DDOS attacks.
In some cases, these nasty little robots can steal personal data and return it to a central site to be used for identity theft purposes.
"These schemes were highly sophisticated and immensely lucrative, and the cyber criminals did not make them easy to reach or disrupt," Leslie Caldwell, who heads the U.S. Justice Department's criminal division, told a news conference.
The Gameover Zeus "botnet" — short for robot network — is the largest so far disrupted that relied on a peer-to-peer distribution method, where thousands of computers could reinfect and update each other, said Dell expert Brett Stone-Gross, who assisted the FBI.
A botnet, or robot network, is a group of web-linked computers — sometimes called zombies — that have been commandeered, in some instances by criminals, to perpetrate all kinds of online nastiness.
"We took control of the bots, so they would only talk with our infrastructure," Stone-Gross said.
A civil suit in Pennsylvania helped authorities get court orders to seize parts of the infected network, and on May 7, Ukrainian authorities seized and copied Gameover Zeus command servers in Kiev and Donetsk, officials said.
U.S. and other agents worked from early Friday through the weekend to seize servers around the world, freeing some 300,000 victim computers from the botnet so far.
A criminal complaint unsealed Monday in Nebraska, meanwhile, accused Russian Evgeniy Mikhaylovich Bogachev and others of participating in the conspiracy.
U.S. officials said Bogachev was last known to be living in the Black Sea resort town of Anapa. In an FBI affidavit filed in the Nebraska case, an agent cited online chats in which aliases associated with Bogachev claimed authorship of the original Zeus trojan, which has infected more than 13 million computers and is blamed for hundreds of millions of dollars in losses.
"That's what he claimed. There were probably a number of people involved," said Dmitri Alperovitch, co-founder of security firm CrowdStrike, which also worked with the FBI. A person familiar with the case said that Bogachev's ICQ number, which is an assigned Internet chat query identifier, matched that of the known Zeus author.
Attempts to reach Bogachev were unsuccessful. The FBI declined to comment on Zeus' authorship, citing the ongoing investigation, and Justice Department officials did not respond to questions on the issue.
Zeus's code has since been publicly released, and many variants are still being used by gangs large and small.
"Zeus is probably the most prolific and effective piece of malware discovered since 2006," said Lance James, head of cyber-intelligence at consultancy Deloitte & Touche, which also helped authorities.
Russia does not extradite accused criminals to other countries, so Bogachev may never be arrested. He was named as part of a new policy on aggressively exposing even those the United States has little hope of catching.
The recent crackdown includes the indictment of five members of China's People's Liberation Army for alleged economic espionage, which prompted denials and an angry response from Chinese authorities.
"This is the new normal," Robert Anderson, the top FBI official in charge of combating cyber crime said at a news conference announcing the Russian action.
When asked whether Russian authorities would turn Bogachev over to the United States, Deputy Attorney General James Cole said "as far as Russia, we are in contact with them and we've been having discussions with them about moving forward and about trying to get custody of Mr. Bogachev," but declined to provide further detail of those talks.
The shutdown of Gameover Zeus may not last. Other botnets have resurfaced as criminals regained at least partial control of their networks. Officials at the UK's National Crime Agency said in an "urgent warning" that users might have only two weeks to clean their computers from traces of the infection.
The European Cybercrime Centre also participated in the operation, along with Australia, Canada, France, Germany, Italy, Japan, Luxembourg, New Zealand and Ukraine.