Gameover Zeus and CryptoLocker botnets reach a million PCs

News by Steve Gold

New estimates on the Gameover Zeus and CryptoLocker botnets suggest that they have infected as many as one million PCs.

The fallout from Operation Tovar, in which the US Department of Justice (DoJ), the FBI, Europol and the National Crime Agency (NCA) cooperated to take down the servers controlling the widespread Gameover Zeus and CryptoLocker botnets, has rumbled on, with a US judge allowing the DoJ to continue intercepting data from the 350,000-strong botnet of computers around the world.

The DoJ - which is effectively now controlling the botnet from its own secure servers - says that the total number of Gameover Zeus infected computers worldwide may be as high as a million PCs.

At the same time, the UK's NCA appears to have been quietly working behind the scenes with ISPs to alert their customers that they have one or more PCs infected with the Gameover Zeus malware. Unconfirmed reports suggest that some Internet users have already been contacted by their ISPs.

According to the DoJ, it now has court permission from US District Judge Arthur Schwab to continue communicating with at least 350,000 infected PCs that were previously controlled by a cybercriminal gang led by 30-year-old Evgeniy Bogachev, who is now on the FBI's most wanted list.

As reported yesterday, Bogachev's arrest by Russian authorities is now looking very likely.

Gameover Zeus is one of the largest botnets in Internet history, and the scale of Bogachev's operation is only now becoming apparent, with the US DoJ reporting that companies have lost many millions of dollars as the cybercriminals siphon money from their bank accounts.

The court hearing to extend the DoJ's access to the botnet swarm took place in Pittsburgh, where the Justice Department has charged Bogachev with siphoning more than US$ 370,000 (£220,000) from a Pennsylvania-based plastics firm, using Gameover Zeus to extract the firm's online banking credentials.

It is also understood that several botnet servers in Canada, Kazakhstan and Ukraine have been progressively taken down since the weekend, all of which were used to infect computers with the CryptoLocker ransomware. The US DoJ says that victims included the Swansea, Massachusetts, police department, which paid a US$ 750 (£450) Bitcoin ransom to regain access to its files.

CryptoLocker - 230,000 PCs infected to date

Reading through Judge Schwab's court documents reveals that the FBI is aware of at least 230,000 PCs - 120,000 of which are in the US - that have been successfully hit by CryptoLocker, although it is unknown, says FBI Special Agent Elliott Peterson - author of the FBI report submitted to the court - how many of these victims paid a ransom to regain access to their files.

One of the most interesting takeaways from the report is the claim that the 230,000-strong CryptoLocker botnet is running in parallel with the Gameover Zeus malware, suggesting that the two botnet swarms may between them include as many as 1.23 million infected PCs.

Back in the UK, meanwhile, the NCA now warns that internet users "may receive notifications from their Internet Service Providers that they are a victim of this malware and are advised to back up all important information, such as files, photography and videos."

"Where a computer infected with GOZeuS turns out not to offer a significant financial reward, it can 'call in' CryptoLocker, to give the criminal controllers a second opportunity to acquire funds from the victim," says the agency in its updated analysis.

According to Adrian Davis, EMEA managing director of the not-for-profit IT security association (ISC)2, the combined - and apparently heroic - effort from the NCA and the FBI to take out the heart of the botnets is a significant development.

Unfortunately, he warned, it is unlikely to make much of a dent in the current threat that is coming from cybercriminals.

"We have seen a great precedent and strong message that cybercrime is being taken seriously by law enforcement. However, the fact that this take down is temporary is the real story that people must come to grips with," he said.

"The botnet behind the malware is designed to sustain itself by finding new unprotected computers to replace those lost to the network. Anybody's computer could be brought into the net and we must assume there are other similar threats that have not yet been suspended," he added.

Davis went on to say that the value in this operation therefore can only be realised if people wake up to the threat and take precautions to secure their PCs.

"With personal bank accounts, photos and documents at risk, we have to hope that this news provides the wake-up call needed. We in the information security industry must work to ensure it is heeded," he said, adding that, overall, a systemic approach to fighting this type of crime is now needed.

"Business executives too, whatever the company size, should heed the wake-up call and consider a review of the resilience of their IT infrastructure, not just against this threat but as an acknowledgement that these kinds of threats are more present than they may have accepted. Certainly security professionals will be using this as an excuse to knock on senior management's door," he concluded.
