[June 04, 2014]By Joseph Menn, Jim Finkle and Aruna Viswanatha
(Reuters) - A U.S.-led international
operation disrupted a crime ring that infected hundreds of thousands of
PCs around the globe with malicious software used for stealing banking
credentials and extorting computer owners, the Justice Department said
on Monday.
Authorities in nearly a dozen countries worked with private
security companies to wrest control of the network of infected
machines, known by the name of its master software, Gameover Zeus.
Court documents released on Monday said that between 500,000 and 1
million machines worldwide were infected with the malicious
software, which was derived from the original "Zeus" trojan for
stealing financial passwords that emerged in 2006. Officials charged
a Russian man with hacking, fraud and money-laundering, and court
documents suggested they suspect he wrote Zeus, one of the most
effective pieces of theft software ever found.
In addition to stealing from the online accounts of businesses and
consumers, the Gameover Zeus crew installed other malicious
programs, including one called Cryptolocker that encrypted files and
demanded payments for their release. Cryptolocker alone infected
more than 234,000 machines and won $27 million in ransom payments in
just its first two months, the Justice Department said.
The two programs together brought the gang more than $100 million,
prosecutors said in court documents, including $198,000 in an
unauthorized wire transfer from an unnamed Pennsylvania materials
company and $750 in ransom from a police department in Massachusetts
that had its investigative files encrypted. Other victims included
PNC Bank [PNCBKN.UL] and Capital One Bank [COFCB.UL], according to
court documents.
“These schemes were highly sophisticated and immensely lucrative,
and the cyber criminals did not make them easy to reach or disrupt,”
Leslie Caldwell, who heads the Justice Department's criminal
division, told a news conference.
The Gameover Zeus "botnet" - short for robot network - is the
largest so far disrupted that relied on a peer-to-peer distribution
method, where thousands of computers could reinfect and update each
other, said Dell expert Brett Stone-Gross, who assisted the FBI.
"We took control of the bots, so they would only talk with our
infrastructure," Stone-Gross said.
A civil suit in Pennsylvania helped authorities get court orders to
seize parts of the infected network, and on May 7, Ukrainian
authorities seized and copied Gameover Zeus command servers in Kiev
and Donetsk, officials said. U.S. and other agents worked from early
Friday through the weekend to seize servers around the world,
freeing some 300,000 victim computers from the botnet so far.
ACCUSED MASTERMIND IN RUSSIA
A criminal complaint unsealed Monday in Nebraska, meanwhile, accused
Russian Evgeniy Mikhaylovich Bogachev and others of participating in
the conspiracy.
U.S. officials said Bogachev was last known to be living in the
Black Sea resort town of Anapa. In an FBI affidavit filed in the
Nebraska case, an agent cited online chats in which aliases
associated with Bogachev claimed authorship of the original Zeus
trojan, which has infected more than 13 million computers and is
blamed for hundreds of millions of dollars in losses.
"That's what he claimed. There were probably a number of people
involved," said Dmitri Alperovitch, co-founder of security firm
CrowdStrike, which also worked with the FBI. A person familiar with
the case said that Bogachev's ICQ number, which is an assigned
Internet chat query identifier, matched that of the known Zeus
author. Attempts to reach Bogachev were unsuccessful. The FBI
declined to comment on Zeus' authorship, citing the ongoing
investigation, and Justice Department officials did not respond to
questions on the issue.
Zeus's code has since been publicly released, and many variants are
still being used by gangs large and small.
"Zeus is probably the
most prolific and effective piece of malware discovered since 2006,"
said Lance James, head of cyber-intelligence at consultancy Deloitte
& Touche, which also helped authorities.
Russia does not extradite accused criminals to other countries, so
Bogachev may never be arrested. He was named as part of a new policy
on aggressively exposing even those the United States has little
hope of catching. The recent crackdown includes the indictment of
five members of China's People's Liberation Army for alleged
economic espionage, which prompted denials and an angry response
from Chinese authorities.
“This is the new normal,” Robert Anderson, the top FBI official in
charge of combating cyber crime said at a news conference announcing
the Russian action.
When asked whether Russian authorities would turn Bogachev over to
the United States, Deputy Attorney General James Cole said “as far
as Russia, we are in contact with them and we’ve been having
discussions with them about moving forward and about trying to get
custody of Mr. Bogachev,” but declined to provide further detail of
those talks. The shutdown of Gameover Zeus may not last. Other
botnets have resurfaced as criminals regained at least partial
control of their networks. Officials at the United Kingdom's
National Crime Agency said in an "urgent warning" that users might
have only two weeks to clean their computers from traces of the
infection. They directed users to https://www.getsafeonline.org/nca,
which was intermittently available late Monday.
The U.S. Department of Homeland Security set up a website to help
victims remove the malware, https://www.us-cert.gov/gameoverzeus.
The European Cybercrime Centre also participated in the operation,
along with Australia, Canada, France, Germany, Italy, Japan,
Luxembourg, New Zealand and Ukraine.
Intel Corp, Microsoft Corp, security software companies F-Secure,
Symantec Corp, and Trend Micro; and Carnegie Mellon University
supported the operation.
(Reporting by Joseph Menn in San Francisco, Jim Finkle in Boston and
Aruna Viswanatha in Washington; Additional reporting by Julie
Edwards and Alina Selyukh in Washington; Editing by Jonathan Oatis,
Ken Wills and Lisa Shumaker)