Operation Tovar targets major Zeus/Cryptolocker botnet-driven campaign

News by Steve Gold

"The doomsday scenario may be a mass Cryptolocker ransomware attack for one final payday," says Context IS director of assurance Rob Sloan.

Depending on which regular TV news channel you tuned into last night, you might have thought that an IT security armageddon had arrived, with experts from the National Crime Agency (NCA) making dire warnings that the world's computer users have two weeks to secure their machines before a new generation of malware wreaks havoc. 

Distilling the Gameover Zeus/Cryptolocker source down to its basic threat vectors, however, reveals a gang of Russian cybercriminals - led by 30-year-old Evgeniy Bogachev - that has developed a multi-layered approach to fraud that centres on infecting a victim's computer and harvesting the resultant data, whether stored on the machine's drive or extracted via a keylogger.

The good news is that the US Department of Justice - working with the FBI, Europol and the NCA in the UK - has managed to cut off the servers that control the botnet operated by Bogachev's gang. The bad news is that experts are predicting the botnets will be re-parented by the gang within the next two weeks, and then the botnet-driven fraud bandwagon will continue.

By using two distinct pieces of malware - Gameover Zeus and Cryptolocker - the criminals appear to be working on the basis that at least one of their infections will get through, after which data exfiltration will take place. 

The DoJ in the US says that the botnet-driven scheme has netted Bogachev's gang - which it claims spans the UK, Russia and the Ukraine - hundreds of millions of dollars. The NCA, meanwhile, claims the frauds have cost several UK businesses several hundred pounds each in data ransoms and lost money.

Bogachev - who is described as one of the most prolific cyber criminals in the world - has been named in a 14-count indictment, and US authorities are in contact with their colleagues in Russia to try and arrest him.

The DoJ, for its part, says that victims of the gang include an American Indian tribe in Washington state, a major US insurance company and a local police department in Massachusetts, amongst many others. 

According to security researcher Brian Krebs, the take-down of the botnet driving Gameover Zeus started late last week, and also involved private sector IT firms including CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; as well as academic researchers at VU University Amsterdam and Saarland University in Germany.

"It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer mechanism to control and update the bot-infected systems," he says in his analysis of Operation Tovar, noting that the Zeus malware variant uses a tiered, encrypted and decentralised system of intermediary proxies to hide the location of servers.

So what about the 14-day countdown?

Like many IT security professionals, SCMagazineUK.com was intrigued to hear the UK's NCA talking about a 14-day 'breathing space' before the botnet-driven Gameover Zeus and Cryptolocker campaigns were likely to restart.

According to Fred Touchette, a senior security analyst with AppRiver, the two-week window aspect of Operation Tovar has not really been explained by the investigating authorities. 

"It's rather curious to me why the NCA is reporting this to have to happen within a two-week period. I would expect this much press to start to spook the group behind the botnet," he said.

"It is possible that, perhaps, they have figured out the current encryption scheme and have only two weeks before the encryption or the keys involved change, but once again this is rather sensitive information for the press to leak out if this is actually the case, as the bad guys could simply just go ahead and change the algorithm right now if they thought they needed to," he added.

Touchette went on to say that he has noticed that several reports on the 14-day subject have been taken down, most likely for providing too much information.

Over at Context IS, Rob Sloan, the analysis house's director of assurance, said that the main issue with Operation Tovar will be ensuring the owners of infected computers take action to protect themselves. 

"The majority of affected users likely have very little or no security awareness - if they did they wouldn't be infected. Basic security steps such as patching software, running up-to-date anti-virus and being cautious about opening email attachments and clicking on links would have mitigated this attack," he said.

"The doomsday scenario is that the attackers, concerned that their operation is compromised, will launch a mass Cryptolocker ransomware attack for one final payday, leaving tens or hundreds of thousands of users with encrypted files and a low likelihood of ever recovering them," he added.
