Global police forces have collaborated to temporarily disrupt the world’s most successful botnet, Gameover Zeus (aka P2PZeus or GoZeus), giving hundreds of thousands of victims a brief window in which they can more easily extricate themselves from its clutches.
Operation Tovar, jointly run by the FBI, the UK National Crime Agency (NCA), Europol and a number of security firms and universities, was accidentally revealed at the weekend by a hasty and later removed post on McAfee’s website.
That described how the police have managed to disrupt the command and control (C&C) infrastructure for the East European-run Gameover Zeus system, also used to distribute the hated CryptoLocker ransom malware that has caused such grief around the world since last September.
Gameover’s main business remains stealing data from computer users, usually bank logins, but it is best thought of as a sprawling, complex and often highly innovative malware creation and distribution platform. That police would make it public enemy number one is no surprise.
“We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly,” said McAfee’s accidental announcement.
Both McAfee’s release and a similar official announcement by the UK NCA have urged anyone who believes they are infected with Gameover Zeus, or who is told as much by their ISP, to rid themselves of it while the link with the C&C is broken. That makes it harder for the malware to reinstate itself as the user is trying to remove it.
McAfee was offering its Stinger anti-malware tool to aid with this onerous task, it said.
Estimates on the number affected by Gameover Zeus vary but the NCA said 15,500 had been identified in the UK on the basis of analysis of its C&C data. Other estimates put the number of infected systems at around 500,000-600,000, possibly more.
“Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them,” said NCA National Cyber Crime Unit deputy director, Andy Archibald.
“Whether you find online security complicated or confusing, or simply haven’t thought about keeping your personal or office computers safe for a while, now is the time to take action,” he urged.
Of course, the amount of respite users have been given could be less than two weeks or a bit more than that; the exact period will depend on how long the criminals take to reinstate their C&C. The fact that the FBI and NCA are willing to put a two-week prediction on Operation Tovar suggests that the disruption they have wrought to the botnet is severe.
Botnet takedowns are nothing new, although past ones usually had a severe effect on their targets. Gameover Zeus is on a different level to most of these past events.
One thing the disruption will do is temporarily make it impossible for victims of CryptoLocker to pay ransoms in return for the decryption key needed to get back their files. Given that the criminals behind CryptoLocker rarely if ever supply keys these days, that is no loss. However, Tovar won’t help current victims to reinstate their files; it will only briefly stop new victims from being infected.