Think Information. Think Security.
The Gameover Zeus botnet is now the biggest financial fraud botnet around, and it is run by a single cybercrime group out of Eastern Europe, according to new research. Brett Stone-Gross, senior security researcher with Dell Secureworks, has been closely monitoring the botnet since late April, with his team "crawling" the peer-to-peer network to determine its size and scope, and counted 678,205 infected bots. He published his overall findings on the inner workings of the botnet last week during Black Hat USA.

"There's one group behind it and it's the largest financial botnet out there," Stone-Gross says. The key to its success is the "huge number" of servers it has compromised, and that it rents the Cutwail spam botnet to deliver its initial payload via phishing emails impersonating legitimate companies, including cellular phone companies, retailers, social networking sites, and financial institutions. The operators take a legitimate email and replace a link inside it with one pointing to one of their compromised websites; victims who fall for the lures -- invoices, order confirmations, or warnings about unpaid bills -- become part of the peer-to-peer, Zeus-based Gameover botnet.

Stone-Gross and his team found some 1.5 million unique IP addresses infected with Gameover, with the U.S. (150,204 bots), Germany (48,853 bots), and Italy (34,361 bots) suffering the most infections. The gap between the IP count and the bot count reflects infected hosts changing addresses over time. Infections have hit not only the Fortune 500, but also universities, hospitals, financial institutions, defense contractors, government agencies, and law enforcement. Recent data from LookingGlass Cyber Solutions found that 18 of the 24 largest banks around the world show signs of well-known malware, including Gameover Zeus, DNS Changer, the BlackHole Exploit Kit, and fake antivirus.

Dell Secureworks' Stone-Gross says Gameover is all about stealing victims' online credentials and other personal information. Once a machine is infected and the user visits, for example, an online retailer, the malware injects prompts for additional information such as Social Security number, mother's maiden name, credit-card number, and date of birth. The operators also track the success of their infections, such as which exploits worked. Gameover also employs the DirtJumper tool to DDoS financial institutions while it steals their customers' funds. It uses a downloader called Pony Loader, which installs the peer-to-peer Zeus component and itself steals HTTP, FTP, and email credentials.

"What's interesting about Gameover is that it's a P2P network, and the robustness of the network itself. Each malware sample includes a hard-coded peers list, and the bot tries to reach out to them and request information, configuration files, version information, and binary updates," Stone-Gross says. The architecture has its own failover mechanism, he says.
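The crawl-and-count method mentioned in the opening paragraph and the peer-list lookup with failover described here, as an added example; this is not code from the Dark Reading article or from Dell Secureworks, and the "network" is a constructed in-memory table with invented bot IDs and documentation-range IP addresses rather than Gameover's actual wire protocol. It shows two things the prose only states: how a crawler walks outward from the hard-coded seed list until no new peers appear, and why a bot count (stable IDs) and an IP count (addresses that churn between contacts) diverge.

```python
"""Simulated crawl of a peer-to-peer botnet (constructed example, not Gameover's protocol)."""
from collections import deque

# Constructed peer table: bot_id -> the IPs the bot rotates through between
# contacts, the peers it hands out when asked, and whether it answers at all
# (bots behind NAT or offline appear in others' peer lists but never reply).
# All IDs and addresses are invented for this simulation.
NETWORK = {
    "b01": {"ips": ["198.51.100.10", "198.51.100.11"], "peers": ["b02", "b03", "b09"], "up": True},
    "b02": {"ips": ["203.0.113.5"], "peers": ["b01", "b04"], "up": True},
    "b03": {"ips": ["192.0.2.77", "192.0.2.78", "192.0.2.79"], "peers": ["b05", "b06"], "up": True},
    "b04": {"ips": ["203.0.113.6"], "peers": ["b02", "b07"], "up": False},
    "b05": {"ips": ["198.51.100.20"], "peers": ["b03"], "up": True},
    "b06": {"ips": ["192.0.2.90"], "peers": ["b07", "b08"], "up": True},
    "b07": {"ips": ["203.0.113.40"], "peers": ["b06"], "up": True},
    "b08": {"ips": ["192.0.2.91"], "peers": ["b08"], "up": False},
    "b09": {"ips": ["198.51.100.30"], "peers": [], "up": True},
}


def fetch_with_failover(network, peer_list):
    """Bot-side behaviour from the paragraph above: walk the hard-coded peer list
    in order and take configuration from the first peer that answers.
    Returns the serving peer's ID, or None if every listed peer is silent."""
    for peer in peer_list:
        rec = network.get(peer)
        if rec is not None and rec["up"]:
            return peer
    return None


class Crawler:
    """Breadth-first crawler that repeatedly asks peers for their peer lists."""

    def __init__(self, network, seeds):
        self.network = network
        self.seeds = list(seeds)      # the hard-coded list a sample ships with
        self.contacts = {}            # bot_id -> how many times we contacted it
        self.bots = set()             # bot IDs that answered at least once
        self.ips = set()              # addresses bots were seen answering from
        self.silent = set()           # IDs referenced by peers that never answered

    def request_peers(self, bot_id):
        """Ask one peer for its peer list. Returns (ip, peers) or None if it is silent.
        The IP rotates per contact to model DHCP/NAT churn between crawl rounds."""
        rec = self.network.get(bot_id)
        n = self.contacts.get(bot_id, 0)
        self.contacts[bot_id] = n + 1
        if rec is None or not rec["up"]:
            return None
        return rec["ips"][n % len(rec["ips"])], list(rec["peers"])

    def crawl_round(self):
        """One pass outward from the seed list until no unvisited peer remains."""
        queue = deque(self.seeds)
        visited = set()
        while queue:
            bot_id = queue.popleft()
            if bot_id in visited:
                continue
            visited.add(bot_id)
            reply = self.request_peers(bot_id)
            if reply is None:
                self.silent.add(bot_id)
                continue
            ip, peers = reply
            self.bots.add(bot_id)
            self.ips.add(ip)
            self.silent.discard(bot_id)
            queue.extend(p for p in peers if p not in visited)

    def crawl(self, rounds=1):
        """Run several passes; returns cumulative bot, IP and silent-peer counts."""
        for _ in range(rounds):
            self.crawl_round()
        return {"bots": len(self.bots), "ips": len(self.ips), "silent": len(self.silent)}


if __name__ == "__main__":
    crawler = Crawler(NETWORK, seeds=["b01", "b04"])
    print("after 1 round:", crawler.crawl(rounds=1))
    print("after 3 rounds:", crawler.crawl(rounds=2))
    print("config served by:", fetch_with_failover(NETWORK, ["b04", "b08", "b02"]))
```

Running this, one round reaches seven responding bots on seven addresses and records two silent peers; two further rounds still find seven bots but ten distinct addresses, which is the same shape as the 678,205 bots versus 1.5 million IPs reported above. The failover call skips the two silent peers and is served by the third, the behaviour that lets a sample keep working when part of its hard-coded list is dead.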

Cross-posted from: Dark Reading
10/12/2013 05:43:52 pm
