This week’s global police assault on the vast P2P Gameover Zeus botnet has left the distribution system for the Cryptolocker ransom malware floundering, according to two Danish security firms that have been monitoring new infections.
Patching firm Heimdal Security and partner CSIS Security Group estimate that by early May 2014, just before the Gameover was disrupted, at least 1.2 million computers were infected by the botnet, with 50,000 systems joining it in an average week. This had now been reduced to the low hundreds or even close to zero.
An unknown number of these were also affected by one of its payloads, the hated CryptoLocker, which appeared to have suffered its first ever reverse last Friday. It’s never been clear how much CryptoLocker has depended on Gameover, although the two are believed to have been developed by the same gang of criminals.
It is now looking as Gameover’s was critical to CryptoLocker’s success, with the detection of new infections effectively dropping to zero, the firms said without being candid about how they calculated this for fear of revealing their monitoring effort to the malware gang.
”At the beginning of May this year, we saw a high rate of new Cryptolocker infections, with as many as 5.000 new infections per day. Later in May, infections even peaked at a very high number of 8.000 infections per day,” said Heimdal Security’s CEO, Morten Kjaersgaard.
“Our intelligence now shows that the number of new infected machines has dropped off significantly and is currently relatively stable around 0 [zero].”
None of this does anything to reduce the large but unknown number of PCs already infected by CryptoLocker, but it does at least suggest that the malware has at last revealed the weakness of its dependency on the Gameover platform.
The firm had seen no drop off in the number of currently infected systems, although the loss of Gameover’s command and control will have disrupted the channel through which ransom payments are collected and – in theory – decryption keys are sent back to victims (note: there is strong anecdotal evidence that the criminals no longer send keys even when paid).
The US represented by some way the largest portion of these infected systems, he said.
”Especially the US, UK and Germany have been hit hard by the Zeus Gameover P2P malware over the last few months, but this joint effort, has really made a big blow against the malware. “
But how on earth did Gameover become so powerful and how was it and its nasty CryptoLocker sideline spiked?
From this week’s dramatic headlines and back-slapping press releases, you could be mistaken for thinking that Gameover Zeus is a relatively new menace that has been stopped in its tracks. Nothing could be further from the truth.
Its effects were first documented by Dell SecureWorks under an early name, ‘Prg Trojan’, as long ago as in June 2007, when the firm’s researchers discovered a sizable cache of keylogged online bank account details and social security numbers. Many of those appeared to be connected to the high-profile breach of the US Monster.com jobs site around the same time.
By the time in 2011 and 2012 it had morphed into what became known as the Zeus banking malware, it was being targeted by Microsoft’s Digital Crimes Unit (DCU) in a controversial operation called Operation b71, a command and control takedown that also involved servers used by SpyEye and Ice-IX variants.
That operation, coincidentally, bears a superficial comparison with what happened last week, which suggests that Gameover will probably reconstitute itself in some form just as it did after b71.
One of the ways it evolved to fight off this kind of takedown was by moving to a P2P design – also used by the Sality, ZeroAccess and Kelihos botnets - in which there are no central C&C servers. This makes it inherently hard to detect, partly because infected nodes distribute communication across a large number of nodes that see only a few of their neighbourss but also because many sit behind firewalls and NAT protection; this latter makes it incredibly difficult to get to grips with the size of the botnet. Many nodes become invisible.
The numerous companies and academic instructions that have helped research and probe for weaknesses in Gameover’s P2P design have been very coy about how they broke into it. Suffice it to say that the basic principle was to trick the botnet into accepting sinkholes that emulated its P2P behaviour, isolating the other nodes as far as possible and then stopping the botnet from activating a fallback channel.
The sources Techworld contacted about these techniques did not want to go into more detail than that - many have been tracking Zeus and the later Gameover in detail for years and weren't best pleased when Microsoft made b71 public by the way. Every takedown risks more precious intelligence leaking out.
But in this area, reticence is normal and well-established. Botnet designers are always looking for ways to harden their creations against skinkholing and the Gameover attack appears to have used the technique with unparalleled success. Nobody wants to make it easy for them.
One possibility for the extra shyness this time could be that the researchers working on Gameover exploited a software vulnerability. Gameover is clever, innovative, successful but it is software after all and that makes it vulnerable.
Find your next job with techworld jobs