Backstage with the Gameover Botnet Hijackers

Venustus

Level 59
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Dec 30, 2012
4,809
When you’re planning to rob the Russian cyber mob, you’d better make sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today’s column features an interview with two security experts who helped plan and execute last week’s global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from banks, businesses and consumers worldwide.

Gameover infections on June 4, 2014. Source: Shadowserver.org:

goz-prox+peer.png


Neither expert I spoke with wished to be identified for this story, citing a lack of permission from their employers and a desire to remain off the radar of the crooks inconvenienced by the action. For obvious reasons, they were also reluctant to share details about the exact weaknesses that were used to hijack the botnet, focusing instead on the planning and and preparation that went into this effort.

GAMEOVER ZEUS PRIMER
A quick review of how Gameover works should help readers get more out of the interview. In traditional botnets, infected PCs report home to and are controlled by a central server. But this architecture leaves such botnets vulnerable to disruption or takeover if authorities or security experts can gain access to the control server.

Gameover, on the other hand, is a peer-to-peer (P2P) botnet designed as a collection of small networks that are distinct but linked up in a decentralized fashion. The individual Gameover-infected PCs are known as “peers.” Above the peers are a select number of slightly more powerful and important infected systems that are assigned roles as “proxy nodes,” meaning they were selected from the peers to serve as relay points for commands coming from the Gameover botnet operators and as conduits for encrypted data stolen from the infected systems.



The basic network structure of the Gameover botnet. Source: FBI

Article
 

Cats-4_Owners-2

Level 39
Verified
Honorary Member
Top Poster
Well-known
Dec 4, 2013
2,800
Thank you venustus.:) The Science-FACT nature of this article, and 3-way interview actually left me stunned,:oops: ..and I was really feeling hot (temperature wise) before I'd read this. Following their conversation...

"BK: So, from your perspective, how did the Gameover guys use the data-theft component of this botnet, aside from the well-known financial attacks and account takeovers that reportedly netted them more than $100 million?

RP1: This was an information-gathering botnet. Everyone hears Zeus and they automatically think banking Trojan. But they were harvesting more than that.

BK: Have you all seen signs that the guys running this botnet were looking for stuff on infected machines that went beyond financial data?

RP1: I saw some, yes, but I can’t really talk about that. They were definitely looking for proprietary information in some cases."

..it was like stepping out of a scary Science Fiction Film:eek: (I thought of "Signs") although this cyber drama cannot be over yet, and I still feel a bit chilled!:confused: ;):D
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top