Gameover ZeuS

GameOver ZeuS
FBI-produced diagram giving an overview of GOZ
Family: Zeus
Classification: Trojan
Infection vector: Email spam
Author(s): Evgeniy Bogachev

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.


The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which, combined with other security measures such as rootkits, made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the "business club", which was primarily based in Russia and Eastern Europe. The syndicate further complicated law enforcement and security researchers' attempts to combat it by using a large money laundering network and DDoS attacks, the latter serving both as retaliation and as a form of distraction during thefts.

In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.

Technical details

Botnet structure

Machines infected with GOZ were integrated into a botnet, a system of several devices that could be controlled remotely through the malware. At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers. [1] Botnet-building capabilities were common to all ZeuS variants; however, while previous iterations of the malware created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server, GameOver ZeuS utilized a decentralized, peer-to-peer infrastructure. [2]

The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from the infected machines was sent. [3] This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time. [4] Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster. [5] Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes. [6]

Security

GOZ contained several security features designed to prevent full analysis of the botnet — particularly by restricting the activities of crawlers and sensors [lower-alpha 1] — as well as to prevent shutdown attempts. The effectiveness of these mechanisms has led GameOver ZeuS to be considered a sophisticated botnet, [9] with US Deputy Attorney General James M. Cole calling it "the most sophisticated and damaging botnet we have ever encountered". [10] Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well-secured against the efforts of law enforcement and security experts. [11]

Crawlers were inhibited via various means. Each bot had fifty peers; [12] however, a bot that was requested to provide a list of its peers would only return ten. [13] Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatic blacklisting, [14] halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations. [15]

Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet. [lower-alpha 2] [17] GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts. [18]

In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers. [19] The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network. [4]
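The peer-then-DGA fallback described above, together with the domain pre-registration used against it during Operation Tovar (see Shutdown of the botnet), as an added example that is not part of the original article and not GOZ's own code: a constructed, hypothetical DGA (a stand-in for any reverse-engineered time-seeded generator, not the real GOZ algorithm) and a simple registrar model, showing why the operator needs only one working name per week while the defender must hold the whole list. All domain labels, server names, peer addresses and bot IDs are constructed.

```python
import hashlib

# Constructed stand-in DGA, NOT GameOver ZeuS's real algorithm. Any deterministic,
# time-seeded generator that defenders have reverse-engineered behaves the same way.
TLDS = ("com", "net", "org", "biz", "info")
DOMAINS_PER_WEEK = 1000  # the page's figure for GOZ


def generate_domains(year, week, count=DOMAINS_PER_WEEK):
    """Return the ordered list of candidate C2 domains for one ISO week."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{year}-{week}-{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        domains.append(f"{label}.{TLDS[int(digest[12], 16) % len(TLDS)]}")
    return domains


class DnsRegistry:
    """Constructed registrar model: a name belongs to whoever registers it first."""

    def __init__(self):
        self.records = {}

    def register(self, domain, server):
        if domain in self.records:
            return False  # already taken, registration refused
        self.records[domain] = server
        return True

    def resolve(self, domain):
        return self.records.get(domain)


class Sinkhole:
    """Defender-run server: logs which bots contact it but never issues a valid command."""

    def __init__(self):
        self.seen = set()

    def handle(self, bot_id):
        self.seen.add(bot_id)
        return None


class OperatorC2:
    """Operator-run server: answers with a (here: placeholder) valid command."""

    def handle(self, bot_id):
        return "command"


class Bot:
    """Bot-side logic as the page describes it: known peers first, DGA as fallback."""

    def __init__(self, bot_id, peers):
        self.bot_id = bot_id
        self.peers = list(peers)

    def reach_c2(self, registry, live_peers, year, week):
        for peer in self.peers:
            if peer in live_peers:
                return ("peer", peer)
        # No peer answered: try every domain of the week in order and stop at
        # the first one whose server actually returns a valid command.
        for domain in generate_domains(year, week):
            server = registry.resolve(domain)
            if server is not None and server.handle(self.bot_id) is not None:
                return ("dga", domain)
        return ("none", None)


def sinkhole_week(registry, year, week, sinkhole):
    """Pre-register every domain the DGA yields for the week; returns how many succeeded."""
    return sum(registry.register(d, sinkhole) for d in generate_domains(year, week))


def simulate(defender_first, year=2014, week=22):
    """Race for one week's DGA namespace; returns (bot outcome, bots the sinkhole saw)."""
    registry, sinkhole, operator = DnsRegistry(), Sinkhole(), OperatorC2()
    operator_pick = generate_domains(year, week)[7]  # arbitrary constructed choice
    if defender_first:
        sinkhole_week(registry, year, week, sinkhole)
        registry.register(operator_pick, operator)  # refused: already sinkholed
    else:
        registry.register(operator_pick, operator)
        sinkhole_week(registry, year, week, sinkhole)  # 999 of 1000 succeed
    # All peers are down (e.g. seized), so the bot falls back to the DGA.
    bot = Bot("bot-A", peers=["10.0.0.5", "10.0.0.9"])
    outcome = bot.reach_c2(registry, live_peers=set(), year=year, week=week)
    return outcome, len(sinkhole.seen)


if __name__ == "__main__":
    print("defender registers first:", simulate(True))
    print("operator registers first:", simulate(False))
```

In the operator-first run the sinkhole still observes the bot (it walks the sinkholed names before reaching the operator's), which is why partial registration yields visibility but not control.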

A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses. [20] The malware itself was also difficult to remove, owing to a rootkit contained in it. [21] The rootkit, Necurs, was taken from a different piece of malware. [22]

Interface

The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts. [23] A special token grabber panel existed for man-in-the-browser attacks used to obtain bank login credentials; logging into a bank account usually involves authentication measures in addition to a username and password, such as a one-time code or security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim. [24] The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks". [25] Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to. [26] Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers. [20]

Activity

GOZ was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam. [27]

From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion; however, other revenue streams such as click fraud and renting out the botnet were known to exist. [28]

Management

The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev, [lower-alpha 3] the creator of the original Zeus Trojan and the immediate predecessor to GOZ, Jabber Zeus. [25] [29]

Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club, [28] mostly Russians and Ukrainians. [30] The network also employed technical support staff for the malware. [6] The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar. [25] Business club members did not exclusively use GOZ and were often members of other malware networks. [31]

In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work. [32] Money mules were not aware that they were handling stolen funds or working for a criminal syndicate. [33]

Bank theft

GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging. [34] However, the malware was capable of using browser hijacking to bypass two-factor authentication. By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money, [24] usually hundreds of thousands or millions of dollars. [28] In one instance, $6.9 million was stolen from a single victim. [35] In 2013, GOZ accounted for 38% of thefts pursued in this manner. [36] Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion. [27] Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities. [32] By June 2014 it was estimated that between $70 million and $100 million had been stolen via GOZ. [37] [38]

The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended. [25] The final destinations of most money mule transfers were shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border. [39]

CryptoLocker

In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key. [32] Josephine Wolff, assistant professor of cybersecurity policy at Tufts University, [40] has speculated that the motivation behind pivoting to ransomware was for two reasons: firstly to set up a more secure means of making money off of GOZ, as ransomware could take money from victims for less work on the criminals' ends and the anonymous payment methods did not need to be laundered through money mules, [32] whose loyalties were in question since they did not know they were working for criminals; and secondly to take advantage of the criminals' access to data on infected computers that was significant to victims but was of no value to criminals, such as photographs and emails. [41] Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from. [28]

About 200,000 computers were attacked by Cryptolocker beginning in 2013. [35] The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen. [42] However, Michael Sandee has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity. [43] Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks. [44]

Espionage

Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine, [45] and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government. [46] The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014. [47] OPEC member states were also targeted. [30] Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent", [48] and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense". [46] Botnets used for espionage were run separately from those used for financial crime.

It is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret. [48] Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended, [49] despite living openly and under his own name in Russia. [46]

History

Origins and name

GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus. [50] Jabber Zeus was run by an organized crime syndicate, of which Bogachev was a key member, that had largely dissolved in 2010 due to police action. [28] In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus. [51] In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants. [27] [52] Graff has suggested the possibility that Bogachev himself was responsible for the leak. [28]

The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel. [53] Other names have included peer-to-peer ZeuS, ZeuS3, [54] and GoZeus. [55]

Shutdown of the botnet

The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar". [56] Three previous attempts between 2012 and January 2013 to take down the botnet were unsuccessful, [28] including one attempt in March 2012 by Microsoft to use legal action to have GOZ-controlled servers and domains seized, which failed due to the peer-to-peer architecture of GameOver ZeuS. [27] Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ. [57] By 2014, [28] authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server combined with interviews with former money mules allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email with the IP used to administer the botnet; [58] although he had used a VPN, Bogachev had used the same one for both tasks. [59] The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities, [60] with Ukraine being the first to do so on May 7, 2014. [35] With preparations finished, Operation Tovar began on May 30. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers. [57] The technical details of the operation largely remain classified. [60]

On June 2, the Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day. [61] However, authorities also warned that the botnet would likely return within two weeks. [62] On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent. [44] On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest, [63] at the time the largest-ever reward for a cybercriminal. [1] [lower-alpha 4]

Re-emergence as "newGOZ"

Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies. [66] The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Michael Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into. [52] However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet. [67] The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down". [68]

The new malware was divided into two variants. The variants differed in two areas: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections – the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus. [69] On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ. [70] Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well. [71] As of 2017, variants of Zeus constitute 28% of all banking malware. [72] However, Sandee has claimed that much of Zeus's market share is being taken away by newer malware. [52]


Notes and references

Notes

  1. In the context of P2P botnet monitoring, a crawler is a program that, using the botnet's communication protocol, requests a given bot's peers, then requests a list of peers from each bot in the original bot's list of peers, and so on until the whole botnet is mapped. [7] A sensor infiltrates the peer list of several bots and logs attempts to contact it from the bots in the network. [8]
  2. Sinkholing is a technique used to take down botnets in which a special sensor is deployed within the botnet. The sensor, also known as a sinkhole, cuts off contact between bots and their controllers. [16]
  3. Also known as "lucky12345" and "Pollingsoon".
  4. This has since been exceeded by the reward of $5 million issued on December 5, 2019, for information leading to Evil Corp head Maksim Yakubets's arrest. [64] Yakubets had previously worked with Bogachev as part of the Jabber Zeus crew. [65]


References

  1. Wolff 2018, p. 59.
  2. Etaher, Weir & Alazab 2015, p. 1386.
  3. Andriesse et al. 2013, p. 117.
  4. Wolff 2018, p. 61.
  5. Andriesse et al. 2013, p. 116.
  6. Sandee 2015, p. 6.
  7. Karuppayah 2018, p. 4.
  8. Karuppayah 2018, p. 15.
  9. Karuppayah 2018, p. 44.
  10. Silver, Joe (June 2, 2014). "Governments disrupt botnet "Gameover ZeuS" and ransomware "Cryptolocker"". Ars Technica. Archived from the original on June 5, 2023. Retrieved July 21, 2023.
  11. Stahl, Lesley (April 21, 2019). "The growing partnership between Russia's government and cybercriminals". CBS. Archived from the original on January 18, 2023. Retrieved May 7, 2023.
  12. Karuppayah 2018, p. 40.
  13. Karuppayah 2018, p. 20.
  14. Karuppayah 2018, pp. 22–23.
  15. Karuppayah 2018, p. 31.
  16. Karuppayah 2018, p. 79.
  17. Karuppayah 2018, p. 21.
  18. Karuppayah 2018, p. 23.
  19. Andriesse et al. 2013, p. 118.
  20. Sandee 2015, p. 7.
  21. Etaher, Weir & Alazab 2015, p. 1387.
  22. Zorabedian, John (March 4, 2014). "SophosLabs: Gameover banking malware now has a rootkit for better concealment". Sophos News. Archived from the original on May 29, 2023. Retrieved July 20, 2023.
  23. Sandee 2015, p. 15.
  24. Sandee 2015, pp. 16–17.
  25. Krebs, Brian (August 5, 2014). "Inside the $100M 'Business Club' Crime Gang". Krebs on Security. Archived from the original on May 27, 2023. Retrieved July 8, 2023.
  26. Sandee 2015, p. 17.
  27. Stone-Gross, Brett (July 23, 2012). "The Lifecycle of Peer to Peer (Gameover) ZeuS". Secureworks. Archived from the original on May 28, 2023. Retrieved July 16, 2023.
  28. Graff, Garrett M. (March 21, 2017). "Inside the Hunt for Russia's Most Notorious Hacker". WIRED. Archived from the original on April 23, 2023. Retrieved July 8, 2023.
  29. Krebs, Brian (February 25, 2015). "FBI: $3M Bounty for ZeuS Trojan Author". Krebs on Security. Archived from the original on April 7, 2023. Retrieved May 5, 2023.
  30. Korolov, Maria (August 7, 2015). "GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC". CSO Online. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
  31. Sandee 2015, p. 9.
  32. Wolff 2018, p. 63.
  33. Wolff 2018, p. 65.
  34. Wolff 2018, p. 62.
  35. Perez, Evan (June 3, 2014). "U.S. takes out computer malware that stole millions". CNN. Archived from the original on June 3, 2023. Retrieved July 21, 2023.
  36. Etaher, Weir & Alazab 2015, p. 1388.
  37. Gross, Garrett (March 2016). "Detecting and destroying botnets". Network Security. 2016 (3): 8. doi:10.1016/S1353-4858(16)30027-7. ISSN 1353-4858. OCLC 6017168570. S2CID 29356524.
  38. Musil, Steven (June 2, 2014). "US disrupts $100M GameOver Zeus malware cybercrime ring". CNET. Archived from the original on July 16, 2023. Retrieved July 16, 2023.
  39. Sandee 2015, pp. 18–20.
  40. Wolff, Josephine (January 27, 2019). "Two-Factor Authentication Might Not Keep You Safe". The New York Times. Archived from the original on June 27, 2023. Retrieved July 23, 2023.
  41. Wolff 2018, pp. 69–70.
  42. Wolff 2018, p. 64.
  43. Sandee 2015, p. 3.
  44. Wolff 2018, p. 68.
  45. Sandee 2015, p. 21.
  46. Schwirtz, Michael; Goldstein, Joseph (March 12, 2017). "Russian Espionage Piggybacks on a Cybercriminal's Hacking". The New York Times. Archived from the original on May 25, 2023. Retrieved July 17, 2023.
  47. Stevenson, Alastair (August 6, 2015). "The Russian government may be protecting the creator of the world's most infamous malware". Business Insider. Archived from the original on April 23, 2023. Retrieved July 16, 2023.
  48. Brewster, Thomas (August 5, 2015). "FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government". Forbes. Archived from the original on May 8, 2023. Retrieved July 16, 2023.
  49. Sandee 2015, p. 23.
  50. Peterson, Sandee & Werner 2015, 8:00–8:33.
  51. Bartz, Diane (October 29, 2010). "Analysis: Top hacker "retires"; experts brace for his return". Reuters. Archived from the original on December 10, 2022. Retrieved July 23, 2023.
  52. Sandee 2015, p. 5.
  53. Peterson, Sandee & Werner 2015, 7:18–7:27.
  54. Sandee 2015, p. 2.
  55. Hay, Andrew (March 5, 2020). "Gameover ZeuS Switches From P2P to DGA". Cisco Umbrella. Archived from the original on May 30, 2023. Retrieved July 8, 2023.
  56. Krebs, Brian (June 2, 2014). "'Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge". Krebs on Security. Archived from the original on June 4, 2023. Retrieved July 21, 2023.
  57. 1 2 Franceschi-Bicchierai, Lorenzo (August 12, 2015). "How the FBI Took Down the Botnet Designed to Be 'Impossible' to Take Down". VICE . Archived from the original on June 22, 2022. Retrieved July 21, 2023.
  58. Wolff 2018, pp. 64–66.
  59. Peterson, Sandee & Werner 2015, 41:06–41:31.
  60. 1 2 Wolff 2018, p. 67.
  61. Trautman, Lawrence J.; Ormerod, Peter C. (Winter 2019). "Wannacry, Ransomware, and the Emerging Threat to Corporations" (PDF). Tennessee Law Review. 86 (2): 512. doi:10.2139/ssrn.3238293. ISSN   0040-3288. OCLC   1304267714. S2CID   169254390. SSRN   3238293. – via ResearchGate
  62. Dignan, Larry (June 2, 2014). "GameOver Zeus botnet seized; Two week window to protect yourself, say authorities". ZDNET . Archived from the original on July 2, 2023. Retrieved July 23, 2023.
  63. Kravets, David (February 24, 2015). "US offers $3 million reward for capture of GameOver ZeuS botnet admin". Ars Technica . Archived from the original on April 16, 2023. Retrieved July 21, 2023.
  64. Dobrynin, Sergei; Krutov, Mark (December 11, 2019). "In Lavish Wedding Photos, Clues To An Alleged Russian Cyberthief's FSB Family Ties". Radio Free Europe . Archived from the original on July 22, 2023. Retrieved July 23, 2023.
  65. Krebs, Brian (November 15, 2022). "Top Zeus Botnet Suspect "Tank" Arrested in Geneva". Krebs on Security. Archived from the original on April 10, 2023. Retrieved May 7, 2023.
  66. Krebs, Brian (July 10, 2014). "Crooks Seek Revival of 'Gameover Zeus' Botnet". Krebs on Security. Archived from the original on February 1, 2023. Retrieved July 7, 2023.
  67. Brewster, Tom (July 11, 2014). "Gameover Zeus returns: thieving malware rises a month after police action". The Guardian . Archived from the original on January 24, 2023. Retrieved July 7, 2023.
  68. Constantin, Lucian (July 11, 2014). "The Gameover Trojan program is back, with some modifications". CSO Online. Archived from the original on July 7, 2023. Retrieved July 7, 2023.
  69. Cosovan, Doina (August 6, 2014). "Gameover Zeus Variants Targeting Ukraine, US". Bitdefender Blog. Archived from the original on May 16, 2022. Retrieved July 8, 2023.
  70. Constantin, Lucian (August 14, 2014). "New Gameover Zeus botnet keeps growing, especially in the US". CSO Online. Archived from the original on July 8, 2023. Retrieved July 8, 2023.
  71. Asher-Dotan, Lital (July 1, 2015). "The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins". Malicious Life by Cybereason. Archived from the original on March 7, 2022. Retrieved July 23, 2023.
  72. Gezer, Ali; Warner, Gary; Wilson, Clifford; Shrestha, Prakash (July 2019). "A flow-based approach for Trickbot banking trojan detection". Computers & Security. 84: 180. doi:10.1016/j.cose.2019.03.013. ISSN   0167-4048. OCLC   8027301558. S2CID   88494516.

General sources