GameOver ZeuS: Cat-and-mouse in the buccaneering cyber-century

The ramshackle, territorial setup of the Caribbean in the 17th century spurred buccaneers to exploit little-protected Spanish merchant cogs. The Spanish sought to counter the frequent attacks by the partially state-licensed freebooters and ended up creating a 100-year long cat-and-mouse game. Roughly 400 years later, the criminals shifted the cat-and-mouse game to cyberspace, developed new tactics and weapons (such as botnets, ransomware and distributed denial of service attacks) and now pose a serious threat to private and public actors on the Internet. Describing the problems of cyber-buccaneering, this article uses the example of the famous, Russia-backed GameOver ZeuS botnet (GOZ) to explain the concept of a botnet and the GameOver ZeuS specific attack vector before elaborating on the cat-and-mouse game of successful takedowns and ineffective cybercrime persecution.

GameOver ZeuS was a ZeuS-based botnet that infected more than 1 million machines between approx. 2010 and 2014, relied on substantial security features such as P2P and DGA, and caused hundreds of millions of dollars in damage (FBI, 2014). With traces to Russia and Ukraine, the GOZ botnet served mainly moneymaking purposes, including financial data harvesting, spam mailings and, most notably, the distribution of the CryptoLocker ransomware that extorted millions of dollars for decrypting previously encrypted non-public files (Krebs, 2014a; Storm, 2014). Attackers used the GOZ botnet also in more sophisticated use cases and in combination of cyber and non-cyber elements: After an online theft, for example via the false bank transfers or the “money mule” method where jewellery or watches are being picked up before the fraudulent bank transfer is being reversed (Krebs, 2010, 2011), the GOZ botnet launched DDoS attacks to take affected servers offline, disguise the just-finished attack and prevent restoration of affected data (Krebs, 2013).

Typical for a botnet, GOZ maintained a cluster of Internet-connected devices (slaves) that are programmed to execute operations by a command & control server (C2 server, master) (Puri, 2003). After infecting a machine with a derivative of the ZeuS Trojan by mimicking emails from renown companies, a “zombie” machine tries to connect with other bots in the peer-to-peer network (CISA, 2014; Krebs, 2014a). Reaching out via UDP to other infected machines listed as hardcoded IP addresses in the Trojan payload, the bot then establishes a TCP connection via several proxy layers with the peer node(s). Decentralized and multi-tiered, the new bot then received information on the C2 server and will contact it via a HTTP POST request, registering itself to the command server’s disposal (Andriesse, Rossow, Stone-Gross, Plohmann, & Bos, 2011). In addition to the proxy-tiered, decentralized peer-to-peer setup, the GOZ botnet benefited from two other security features: To protect the Command and Control server – the most sensitive link in the chain, the communication between slave and master was RSA encrypted and used a Domain Generation Algorithm (DGA) that randomly creates “rendezvous points” between the infected machine and its C2 server when conventional connection attempts failed (Chowdhury, 2019; Dell SecureWorks CTU, 2014). The main advantage of a DGA is that blacklist-based malware protection can hardly block randomly generated domains and is hence unable to prevent the malicious connection attempt with a C2 server (Plohmann, Yakdan, Klatt, Bader, & Gerhards-Padilla, 2016).

In 2014, a US-lead joint operation between law enforcement agencies, private cybersecurity firms and researchers under the title Operation Tovar successfully interrupted the global GOZ botnet (Johnson, 2014). Despite the successful destruction of P2P network – a success that is considered “the most expansive botnet takeovers and takedowns in history” (until 2014), security companies noticed the reconstruction of a GameOver ZeuS derivative only weeks after the takedown and again with connections to Ukraine and Russia (Dell SecureWorks CTU, 2014; Krebs, 2014a, p. 2, 2014b). In an equal cat-and-mouse fashion, the Russian national Evgeniy Mikhailovich Bogachev was indicted in the US for creating the GOZ botnet and associated cybercrimes (Gilbert, 2014). Despite a FBI bounty of $3 million on his head, Bogachev is suspected to live “in great wealth on the Russian Black Sea coast” (Perez, 2015; Rüesch, 2017, p. 2). A partial success in persecuting international cybercrime that reveals the lack of joint international action against malicious actors, particularly between non-extradition countries such as Russia and the US.

As more and more poorly secured machines are being connected to the internet (Internet of Things), a growing cyberspace offers more potential victims and botnet are being sold as “off the shelf” products, the impact factor, financial risks and incentives of botnets will continue to rise (Sabanal, 2016). GameOver ZeuS showed that a large-scale attack does not necessarily require a very sophisticated attack vector to exploit previously unknown vulnerabilities (so-called zero-days) but may be successful by the sheer size of the attacking network in combination with strong protection measures. The takedown and quick resurrection of GOZ as much as the indictment and following non-extradition of responsible attackers are prime examples of the cat-and-mouse game between law enforcement and cyber criminals: Successful operations are contrasted by structural deficiencies in the (international) cybercrime persecution.

Enhancing cyber defense, one must address problems “in the game” as much as “of the game”: To improve counter-measures like Operation Tovar, private and public sector must better understand and measure the factors for successful disruption in order to prioritize technological and organizational development on defensive measures. Following Healey, Jenkins and Work (2020), a focus on the defense will strengthen the “cats in the game”. With regards to “problems of the game”, it remains imperative to establish international rules in the hard-to-control jurisdiction of cyber space, as well as a better research on the contested question of whether cyber deterrence against vigilante states, such as Russia, China or North Korea, is effective (Healey & Jenkins, 2019). Analog to when formal agreements and stable structures ended most freebooting in the 18th century, the global community must address buccaneering cybercrimes with changes in and to the game.

This paper was submitted as final paper to the course "Cyber Risks and Vulnerabilities" at Columbia University's School of International and Public Administration (SIPA), lectured by Prof Natalie Vanatta and Prof Janee Potts.

LITERATURE

• Andriesse, D., Rossow, C., Stone-Gross, B., Plohmann, D., & Bos, H. (2011). Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus.
• Chowdhury, S. A. (2019, August 30). Domain Generation Algorithm – DGA in Malware - Hackers Terminal. Retrieved November 21, 2020, from https://hackersterminal.com/domain-generation-algorithm-dga-in-malware/
• CISA. (2014). CERT-Alert TA14-150A: GameOver Zeus P2P Malware | CISA. Retrieved from https://us-cert.cisa.gov/ncas/alerts/TA14-150A
• Dell SecureWorks CTU. (2014, July 14). Gameover Zeus re-emerges without peer-to-peer capability | Secureworks. Retrieved November 21, 2020, from https://www.secureworks.com/blog/gameover-zeus-re-emerges-without-peer-to-peer-capability
• FBI. (2014, June 2). GameOver Zeus Botnet Disrupted — FBI. Federal Bureau of Investigation News. Retrieved from https://www.fbi.gov/news/stories/gameover-zeus-botnet-disrupted
• Gilbert, D. (2014, June 3). Gameover for Slavik - The Cybercrime Kingpin Behind the Zeus Malware. International Business Times. Retrieved from https://www.ibtimes.co.uk/gameover-slavik-cybercrime-kingpin-behind-zeus-malware-1451095
• Healey, J., & Jenkins, N. (2019). Rough-And-Ready: A Policy Framework to Determine if Cyber Deterrence is Working or Failing. International Conference on Cyber Conflict, CYCON, 2019-May, 1–20. https://doi.org/10.23919/CYCON.2019.8756890
• Healey, J., Jenkins, N., & Work, J. D. (2020). Defenders Disrupting Adversaries: Framework, Dataset, and Case Studies of Disruptive Counter-Cyber Operations. International Conference on Cyber Conflict, CYCON, 2020-May, 251–274. https://doi.org/10.23919/CyCon49761.2020.9131725
• Johnson, A. L. (2014, June 1). International Takedown Wounds Gameover Zeus Cybercrime Network. Retrieved November 23, 2020, from https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5a0ee571-2b14-4e02-8ff7-2c32e9227669&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
• Krebs, B. (2010, January 20). Top 10 Ways to Get Fired as a Money Mule — Krebs on Security. Retrieved November 21, 2020, from https://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/
• Krebs, B. (2011, November 30). DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists — Krebs on Security. Retrieved November 21, 2020, from https://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/
• Krebs, B. (2013, February 13). DDoS Attack on Bank Hid $900,000 Cyberheist — Krebs on Security. Retrieved November 21, 2020, from https://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
• Krebs, B. (2014a, June 2). ‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge. Krebs on Security. Retrieved from http://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/
• Krebs, B. (2014b, July 10). Crooks Seek Revival of ‘Gameover Zeus’ Botnet — Krebs on Security. Retrieved November 23, 2020, from https://krebsonsecurity.com/2014/07/crooks-seek-rivival-of-gameover-zeus-botnet/
• Perez, E. (2015, February 24). US offers $3m reward for arrest of Russian hacker Evgeniy Bogachev - BBC News. Retrieved November 23, 2020, from https://www.bbc.com/news/world-us-canada-31614819
• Plohmann, D., Yakdan, K., Klatt, M., Bader, J., & Gerhards-Padilla, E. (2016). A comprehensive measurement study of domain generating malware. Proceedings of the 25th USENIX Security Symposium, 263–278.
• Puri, R. (2003). Bots & Botnet: An Overview GSEC Practical.
• Rüesch, A. (2017, March 17). Spione und Betrüger unter einer Decke | NZZ. Neue Züricher Zeitung. Retrieved from https://www.nzz.ch/international/skandal-um-russlands-geheimdienst-spione-und-betrueger-unter-einer-decke-ld.151832
• Sabanal, P. (2016, February 17). Thingbots: The Future of Botnets in the Internet of Things. Retrieved November 21, 2020, from https://securityintelligence.com/thingbots-the-future-of-botnets-in-the-internet-of-things/
• Storm, D. (2014, June 2). Wham bam: Global Operation Tovar whacks CryptoLocker ransomware & GameOver Zeus botnet | Computerworld Blogs. Computerworld. Retrieved from https://web.archive.org/web/20140703092912/http://blogs.computerworld.com/cybercrime-and-hacking/23980/wham-bam-global-operation-tovar-whacks-cryptolocker-ransomware-gameover-zeus-botnet