Botnet Takedown: A Lasting Impact?

Researchers Say More International Collaboration Needed
One of the most intricate and sophisticated global cybercrime investigations ever completed led to the multinational takedown of the botnet used to feed the banking Trojan Gameover Zeus as well as servers for CryptoLocker ransomware, cyber-intelligence sources say. But what does the takedown mean for banking institutions in the long run?
While the destruction of the GOZ botnet and its network, which was used to fuel CryptoLocker attacks, is a win for law enforcement, security researchers warn the threats posed by these two malware strains could quickly re-emerge (see International Malware Crackdown Revealed). Hackers won't be derailed for long, they warn, and banking institutions and others should act now to ensure their networks and their customers' networks and computers are safe.
"Even in the rare occasion that you arrest the untouchables, there are dozens of hackers in Russia and Brazil who can redeploy similar capabilities," says Tom Kellermann, chief cybersecurity officer at the security firm Trend Micro.
Information sharing played a critical role in this takedown, says Maurits Lucas, who manages the InTELL business unit at cyber-intelligence firm Fox-IT. The ongoing battle against malware will require continued international information sharing among banking institutions and law enforcement, he stresses.
"For too long, banks just looked at what happened locally," Lucas says. "But over the past 12 months, it has become apparent that the most sophisticated attacks tend to not hit the U.S. first. Having visibility of the global threat landscape has been critical to defend proactively."
Working with Vendors
Curt Wilson, a senior analyst within Arbor Networks' security engineering and response team, says law enforcement is increasingly leaning on vendors globally to help take down botnets, and those efforts have resulted in short-term gains.
"There are many strong relationships between security vendors and law enforcement that are bringing benefit," he says. "In some cases, prosecution is a more effective mitigation than simply taking down the botnet infrastructure without pursuing legal sanctions against the criminals involved. A review of large botnet takedowns in the last few years suggests that coordinated actions are becoming increasingly popular and have a larger short-term impact."
Collaboration across borders has been key, Wilson says.
"Information sharing between various parties in the form of private trust groups and ISACs - information sharing analysis centers - is ongoing and provides a rich platform for collaboration," he says. "Organizational leadership needs to understand the value of such collaboration and build participation with these communities into their organizational culture."
Over the long haul, however, banking institutions need to focus more attention on end-user education. Ensuring consumers understand why they need to keep their PCs and other Internet-connected devices protected from malware is the only way to prevent botnets such as GOZ from growing, experts say.
For now, users of devices infected by GOZ and CryptoLocker have to move quickly to ensure they remove the malware and change all passwords, because most of those credentials have been compromised, Lucas stresses.
Law enforcement agencies, Internet service providers and cybersecurity firms in 11 countries - including the U.S., Canada, the United Kingdom and Australia - joined forces to facilitate the lengthy investigation, according to a June 2 announcement from the U.S. Department of Justice.
"This is probably the most intricate and sophisticated investigation we have seen to date," Kellermann says. "It took down the most sophisticated malware in the wild right now."
According to investigators, some 500,000 to 1 million Microsoft Windows-based computers have been infected by GOZ - a Zeus variant first discovered in 2011 that's designed to steal online banking credentials to perpetrate account takeover fraud.
But Morten Kjaersgaard, CEO of the Danish security firm Heimdal Security, says the number of computers infected by GOZ is likely much higher. "It's probably much more widespread than we actually think," he says.
Kjaersgaard says most GOZ infections are delivered by Necurs, a kernel-level rootkit that hooks into the system, making detection and removal of GOZ much more difficult than other malware.
Law enforcement officials discovered during the investigation that the botnet used to feed GOZ was also being used to distribute CryptoLocker - malware that, once installed on a PC, encrypts files and then demands that the infected user pay a ransom to have the files decrypted (see New Ransomware Targets Mobile).
As of April 2014, CryptoLocker had reportedly infected more than 234,000 computers, half of which are located in the United States, federal authorities say.
Estimated global fraud losses linked to GOZ and CryptoLocker range from $100 million to $500 million, according to international authorities and researchers.
Assistant Attorney General Leslie Caldwell noted that despite the international efforts to dismantle the GOZ and CryptoLocker network, these attacks will re-emerge and evolve as the criminals target and infect new victims.
Caldwell says the criminal charges brought against Evgeniy Mikhailovich Bogachev, a Russian citizen who allegedly developed GOZ and then used its botnet to spread CryptoLocker attacks, are a positive step for law enforcement.
"We are asking Russian law enforcement to take action to bring this defendant, and those working with him, to justice, and will work with our counterparts to do so," she says. "It is only by combining traditional law enforcement actions with the type of innovative legal and technical measures announced today that we can begin to fully address modern cyberthreats."
A Look Ahead
But Kellermann doubts that authorities will successfully bring Bogachev to justice. If they do, it will be merely a symbolic action because his hacker crew involved in the schemes will likely remain at large, he says.
Kjaersgaard also says the positive impact of identifying Bogachev will be short-lived.
"I don't think the charges themselves will have any impact on Gameover," he says. "But considering that they have pinpointed an administrator, it might be likely that this will help slow the spread and usage of Gameover, if he is extradited and convicted. The only question is, really, if Russia wants to hand him over."
Experts note that while the investigation in this case took several years, it won't take hackers nearly that long to recover.
If political tensions between Russia and the U.S. escalate, Kellermann says, the Russian hackers could be called upon by their country to wage cyber-attacks against the U.S. infrastructure.
"Just because you get the malware off does not mean you are safe," he says. "After you've freed your machines, you'd better change all of your passwords right away, because anyone who has been in these systems could be back right now deploying a new set of malware."
Wilson also acknowledges that political tensions between the U.S. and Russia will hinder long-term progress in thwarting malware trends. "I suspect the impact [of the takedown] will be minimal, considering the strained geopolitical relationship between the USA and Russia at this time," he adds.
Organizations should work now to protect their supply chain and understand the lateral movements hackers often take, Kellermann says (see Target Vendor Acknowledges Breach). "It is essential that we partner with vendors to ensure the entire supply chain is secure," he says.
ISMG's Managing Editor-Europe, Mathew Schwartz, contributed to this article.