How the FBI Used Old-Fashioned Sleuthing and High-Tech Tricks to Foil Two Dastardly Viruses

Innovation, the Internet, gadgets, and more.
June 3 2014 1:45 PM

To Catch a Cyberthief

How the FBI foiled the dangerous malware families GameOver Zeus and CryptoLocker.

(Continued from Page 1)

Meanwhile, a “confidential human source” provided the FBI with an email address that was being used by one of the GOZ operators. With a search warrant, officers were then able to retrieve from a service provider all of the records related to that email address. These records included when the email account was accessed and from what IP addresses, as well as the name associated with the account: Evgeniy Bogachev. Cross-referencing the IP addresses used to access Bogachev’s email account with those used to access visitcoastweekend.com and a CryptoLocker command-and-control server (traced from the U.S. to the U.K. to Luxembourg), the investigators found that there was significant overlap, leading them to conclude that Bogachev was involved in both schemes. Moreover, the fact that he had high-level administrative access to the GOZ server led them to believe he was “a leader of the GOZ conspiracy.”

The identification of Bogachev is no small feat, as underlined by the fact that, thus far, all the FBI knows about his co-conspirators is their online aliases (“Temp Special,” “Ded,” “Chingiz 911,” and “mr. kykypyky”), and an email address used by one of them. (Don’t respond if he writes to you offering part-time work.) Bogachev used his real name on the email account and didn’t mask his IP address, so it was possible to trace him when he accessed the GOZ and CryptoLocker servers, landing him on the FBI’s Cyber’s Most Wanted page.
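The cross-referencing described above is, at bottom, a log-correlation exercise: collect the source IPs seen in each set of access records and look for the ones that recur across independent systems. The Python below is an added illustration, not code or evidence from the investigation; the log format, the three record sources (a webmail account, the visitcoastweekend.com admin login, and a CryptoLocker control panel) and every IP address and timestamp in it are constructed sample data using documentation address ranges.

```python
import re
from collections import defaultdict

# Hypothetical one-line-per-access log format; the real provider records
# would differ, but the analysis (parse, bucket by source, intersect) is the same.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<source>\S+) ip=(?P<ip>\S+) subject=(?P<subject>\S+)$"
)

# Constructed sample records (RFC 5737 documentation addresses, not real data).
SAMPLE_LOGS = """\
2013-11-02T08:15:00Z src=webmail ip=198.51.100.7 subject=suspect@example.invalid
2013-11-02T09:40:00Z src=webmail ip=203.0.113.42 subject=suspect@example.invalid
2013-11-03T10:02:00Z src=visitcoastweekend.com ip=198.51.100.7 subject=admin-login
2013-11-03T11:20:00Z src=visitcoastweekend.com ip=192.0.2.88 subject=admin-login
2013-11-04T07:55:00Z src=cryptolocker-c2 ip=198.51.100.7 subject=panel-login
2013-11-04T12:30:00Z src=cryptolocker-c2 ip=203.0.113.42 subject=panel-login
2013-11-05T01:10:00Z src=cryptolocker-c2 ip=192.0.2.150 subject=panel-login
"""


def parse_logs(text):
    """Parse log lines into dicts; silently skip lines that do not match the format."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def ips_by_source(records):
    """Map each record source (webmail, web server, C2 panel) to the set of IPs seen there."""
    buckets = defaultdict(set)
    for r in records:
        buckets[r["source"]].add(r["ip"])
    return dict(buckets)


def overlap(buckets, sources):
    """IPs that appear in every one of the named sources; empty if a source is unknown."""
    sets = [buckets.get(s, set()) for s in sources]
    return set.intersection(*sets) if sets else set()


def timeline_for_ip(records, ip):
    """Chronological (timestamp, source, subject) trail for one IP across all sources."""
    hits = [(r["ts"], r["source"], r["subject"]) for r in records if r["ip"] == ip]
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    buckets = ips_by_source(recs)
    common = overlap(buckets, ["webmail", "visitcoastweekend.com", "cryptolocker-c2"])
    print("IPs seen across all three sources:", sorted(common))
    for ip in sorted(common):
        for ts, src, subj in timeline_for_ip(recs, ip):
            print(f"  {ts}  {src:<24} {subj}")
```

The interesting output is the intersection plus the per-IP timeline: an address that logs into a personal mailbox, a botnet front-end website and a ransomware control panel within days is the kind of overlap the article says tied the email account to both schemes.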

The work of tracking down Bogachev and the servers running the GOZ and CryptoLocker operations was largely low-tech: interviewing money mules and victims, cross-referencing lengthy data logs, combing through websites and hacker forums (and translating them from Russian). By contrast, the takedown efforts this weekend involved extensive technical expertise—much of which is redacted from the FBI’s public records—to cut off the communications between all of GOZ’s complicated layers of peer and proxy nodes while also seizing the servers issuing them commands, including machines in Canada, Ukraine, and Kazakhstan.


On top of that, law enforcement had to make sure that Bogachev and his associates would be unable to re-establish control over the infected machines through a new server, something which the malware is specifically designed to do by means of a domain generation algorithm (DGA), which generates 1,000 domain names every week—long strings of letters followed by one of six top-level domains, either .com, .net, .org, .biz, .info, or .ru. Every week, every machine infected with GOZ will go through the list and try to contact each of the thousand domains until a connection is established. So if the attackers were able to set up any one of those domains during the appropriate week, they would be able to re-establish communication with all of the infected machines and regain control of the bot, rendering the FBI’s efforts largely useless. Thanks to the DGA, bots like CryptoLocker and GOZ are effectively cyber-hydras. Cut off one server and a thousand more grow back in its place. To combat this, the FBI reverse-engineered the DGA, so they would know which thousand domains were being selected every week, and then on May 28 acquired a temporary restraining order that required domain registries in the U.S. to redirect any attempts to contact those domains to a substitute, government-run server. The domains generated by the DGA with the .ru top-level domain are controlled by registries in Russia, so the U.S. has no jurisdiction to force them to redirect traffic. Instead, the restraining order required U.S. service providers to block any connection requests to the .ru domains generated by the DGA.
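To make the mechanics concrete, here is an added Python sketch of the defensive side of that paragraph; it is not from the article and is not GOZ’s actual algorithm (which the article does not reproduce). The toy DGA is a hypothetical construction that hashes a weekly seed to produce 1,000 letter-only labels over the six top-level domains the article names. Once a defender can run the same generator, the week’s list can be split the way the restraining order did: non-.ru domains get redirected to a substitute server (a documentation-range address stands in for it here), .ru domains get blocked at the provider. A simulated bot walking the list then shows why that split matters.

```python
import hashlib

# The six top-level domains the article attributes to the GOZ DGA.
TLDS = (".com", ".net", ".org", ".biz", ".info", ".ru")
DOMAINS_PER_WEEK = 1000
SINKHOLE_IP = "192.0.2.1"  # RFC 5737 documentation address; stands in for the substitute server


def week_seed(iso_year, iso_week):
    """Hypothetical seed: the ISO year and week number as a string (not GOZ's real scheme)."""
    return f"{iso_year}-W{iso_week:02d}".encode()


def toy_dga(seed, count=DOMAINS_PER_WEEK):
    """Return `count` deterministic domains for a seed (hypothetical construction).
    SHA-256(seed || index) drives the label length, the letters and the TLD choice."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 12 + digest[0] % 9  # labels of 12..20 lowercase letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[31] % len(TLDS)]
        domains.append(label + tld)
    return domains


def build_policy(domains):
    """Split a week's list by what the court order could do with each name:
    redirect (sinkhole) what U.S. registries control, block .ru at U.S. providers."""
    redirect = {d for d in domains if not d.endswith(".ru")}
    block = {d for d in domains if d.endswith(".ru")}
    return {"redirect": redirect, "block": block}


def resolve(domain, policy, live_registrations=None):
    """Simulated resolver seen from a U.S. network while the policy is in force.
    `live_registrations` maps any domain someone actually registered to its address."""
    live = live_registrations or {}
    if domain in policy["block"]:
        return ("blocked", None)
    if domain in policy["redirect"]:
        return ("sinkholed", SINKHOLE_IP)
    if domain in live:
        return ("resolved", live[domain])
    return ("nxdomain", None)


def bot_walk(domains, policy, live_registrations=None):
    """Mimic an infected host trying the week's list in order until something answers."""
    for d in domains:
        action, addr = resolve(d, policy, live_registrations)
        if action in ("sinkholed", "resolved"):
            return (d, action, addr)
    return (None, "no-contact", None)


if __name__ == "__main__":
    week = toy_dga(week_seed(2014, 22))
    policy = build_policy(week)
    print(f"{len(policy['redirect'])} domains to sinkhole, {len(policy['block'])} .ru domains to block")
    # Suppose one of the week's .ru names were registered somewhere outside U.S. jurisdiction.
    some_ru = next(d for d in week if d.endswith(".ru"))
    registered = {some_ru: "203.0.113.5"}  # constructed, documentation-range address
    print("bot with order in force :", bot_walk(week, policy, registered))
    print("bot with no order       :", bot_walk(week, {"redirect": set(), "block": set()}, registered))
```

The two final lines are the point: with the policy in force the bot’s first successful contact is the sinkhole, regardless of which name on the list was registered, while without it the same registration would hand the bot back to whoever controls that address. The script covers all six TLDs and the block/redirect split in one place, which is slightly more general than the single-week scenario in the text.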

All in all, it’s a massive and multi-layered strike against every element of the infrastructure underlying GOZ and CryptoLocker, though it remains to be seen whether the FBI and its partners have successfully thought of, and blocked, every possible way for the bots to be resurrected. In the meantime, it certainly wouldn’t hurt to run a virus scan.

There are several important lessons to be gleaned—about human carelessness (for all his technical genius, Bogachev made some elementary mistakes, like not changing his IP address whenever he accessed visitcoastweekend.com), about the digital footprints we leave regardless of how hard we try to hide them (the chain of evidence pointing back to Bogachev is damning), about the value of technical and social and legal mechanisms (reverse-engineering the DGA, interviewing informants and victims, and obtaining the restraining order were all crucial), about the importance of international collaboration for fighting cybercrime (none of this would have been possible without extensive cooperation from the U.K., Luxembourg, and quite likely other countries as well), and also about the clever ways countries can leverage their own Internet infrastructure to shield themselves from online activity beyond their control (the FBI can’t redirect .ru servers, but it can block U.S. computers from accessing them). More than anything, perhaps, it’s a lesson in how smart and sophisticated and careful today’s cybercriminals are—and how today’s cybersleuths may still be just a bit—or byte—ahead of them.

Josephine Wolff is a Ph.D. candidate at MIT and a fellow at Harvard’s Berkman Center for Internet and Society. Follow her on Twitter.
