How the FBI Used Old-Fashioned Sleuthing and High-Tech Tricks to Foil Two Dastardly Viruses

June 3 2014 1:45 PM

To Catch a Cyberthief

How the FBI foiled the dangerous malware GameOver Zeus and CryptoLocker.


Meanwhile, a “confidential human source” provided the FBI with an email address that was being used by one of the GOZ operators. With a search warrant, officers were then able to retrieve from a service provider all of the records related to that email address. These records included when the email account was accessed and from what IP addresses, as well as the name associated with the account: Evgeniy Bogachev. Cross-referencing the IP addresses used to access Bogachev’s email account with those used to access visitcoastweekend.com and a CryptoLocker command-and-control server (traced from the U.S. to the U.K. to Luxembourg), the investigators found that there was significant overlap, leading them to conclude that Bogachev was involved in both schemes. Moreover, the fact that he had high-level administrative access to the GOZ server led them to believe he was “a leader of the GOZ conspiracy.”

The identification of Bogachev is no small feat, as underlined by the fact that, thus far, all the FBI knows about his co-conspirators is their online aliases (“Temp Special,” “Ded,” “Chingiz 911,” and “mr. kykypyky”) and an email address used by one of them. (Don’t respond if he writes to you offering part-time work.) Bogachev used his real name on the email account and didn’t mask his IP address, so it was possible to trace him when he accessed the GOZ and CryptoLocker servers, landing him on the FBI Cyber’s Most Wanted page.

The work of tracking down Bogachev and the servers running the GOZ and CryptoLocker operations was largely low-tech: interviewing money mules and victims, cross-referencing lengthy data logs, combing through websites and hacker forums (and translating them from Russian). By contrast, the takedown efforts this weekend involved extensive technical expertise—much of which is redacted from the FBI’s public records—to cut off the communications between all of GOZ’s complicated layers of peer and proxy nodes while also seizing the servers issuing them commands, including machines in Canada, Ukraine, and Kazakhstan.


On top of that, law enforcement had to make sure that Bogachev and his associates would be unable to re-establish control over the infected machines through a new server, something the malware is specifically designed to do by means of a domain generation algorithm (DGA), which generates 1,000 domain names every week—long strings of letters followed by one of six top-level domains: .com, .net, .org, .biz, .info, or .ru. Every week, every machine infected with GOZ will go through the list and try to contact each of the thousand domains until a connection is established. So if the attackers were able to set up any one of those domains during the appropriate week, they would be able to re-establish communication with all of the infected machines and regain control of the bot, rendering the FBI’s efforts largely useless. Thanks to the DGA, bots like CryptoLocker and GOZ are effectively cyber-hydras: cut off one server and a thousand more grow back in its place. To combat this, the FBI reverse-engineered the DGA, so they would know which thousand domains were being selected every week, and then on May 28 acquired a temporary restraining order that required domain registries in the U.S. to redirect any attempts to contact those domains to a substitute, government-run server. The domains generated by the DGA with the .ru top-level domain are controlled by registries in Russia, so the U.S. has no jurisdiction to force them to redirect traffic. Instead, the restraining order required U.S. service providers to block any connection requests to the .ru domains generated by the DGA.
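The two-part remedy described above can be modeled as a resolver policy: registry redirection to a sinkhole for the five U.S.-controlled TLDs, and ISP-level blocking for .ru. The following is an added illustration, not code from the article or the FBI; the weekly domain list, the sinkhole address, and the function names are all constructed assumptions (the article does not reproduce the actual GOZ algorithm).

```python
"""Sinkhole/block policy for one week's reverse-engineered DGA output.

Added example (not from the article). The domain list and sinkhole
address below are constructed; the GOZ DGA itself is not reproduced.
"""

GOZ_TLDS = {"com", "net", "org", "biz", "info", "ru"}   # the six TLDs the article names
REDIRECT_TLDS = GOZ_TLDS - {"ru"}                        # U.S. registries can redirect these
SINKHOLE_IP = "192.0.2.10"                               # constructed; RFC 5737 documentation range

# Constructed stand-in for one week's reverse-engineered DGA list.
WEEKLY_DGA_DOMAINS = [
    "qpwoeirutyalskdjfhgmznxbcv.com",
    "mnbvcxzlkjhgfdsapoiuytrewq.net",
    "zaqwsxcderfvbgtyhnmjuiklop.org",
    "plokmijnuhbygvtfcrdxeszwaq.biz",
    "lkjhgfdsapoiuytrewqmnbvcxz.info",
    "ytrewqasdfghjklzxcvbnmpoiu.ru",
]


def tld_of(domain):
    """Return the top-level domain, tolerating case and a trailing dot."""
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def build_policy(domains):
    """Split the weekly list into the registry-redirect and ISP-block lists."""
    policy = {"registry_redirect": [], "isp_block": []}
    for d in domains:
        tld = tld_of(d)
        if tld not in GOZ_TLDS:
            raise ValueError(f"{d}: TLD is not one the GOZ DGA uses")
        key = "registry_redirect" if tld in REDIRECT_TLDS else "isp_block"
        policy[key].append(d.lower().rstrip("."))
    return policy


def resolve(query, policy):
    """What an infected host's lookup gets under the restraining order."""
    q = query.lower().rstrip(".")
    if q in policy["registry_redirect"]:
        return ("sinkhole", SINKHOLE_IP)   # answered by the government-run server
    if q in policy["isp_block"]:
        return ("blocked", None)           # connection refused by the U.S. provider
    return ("normal", None)                # not covered: a real C2 could answer here


def coverage_gaps(domains, policy):
    """Domains a bot could still reach normally, i.e. where control could be regained."""
    return [d for d in domains if resolve(d, policy)[0] == "normal"]
```

Running `coverage_gaps` over the full weekly list should return an empty list; any entry it returns is a domain the order does not cover.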

All in all, it’s a massive and multi-layered strike against every element of the infrastructure underlying GOZ and CryptoLocker, though it remains to be seen whether the FBI and its partners have successfully thought of, and blocked, every possible way for the bots to be resurrected. In the meantime, it certainly wouldn’t hurt to run a virus scan.

There are several important lessons to be gleaned—about human carelessness (for all his technical genius, Bogachev made some elementary mistakes, like not changing his IP address whenever he accessed visitcoastweekend.com), about the digital footprints we leave regardless of how hard we try to hide them (the chain of evidence pointing back to Bogachev is damning), about the value of technical and social and legal mechanisms (reverse-engineering the DGA, interviewing informants and victims, and obtaining the restraining order were all crucial), about the importance of international collaboration for fighting cybercrime (none of this would have been possible without extensive cooperation from the U.K., Luxembourg, and quite likely other countries as well), and also about the clever ways countries can leverage their own Internet infrastructure to shield themselves from online activity beyond their control (the FBI can’t redirect .ru servers, but it can block U.S. computers from accessing them). More than anything, perhaps, it’s a lesson in how smart and sophisticated and careful today’s cybercriminals are—and how today’s cybersleuths may still be just a bit—or byte—ahead of them.

Josephine Wolff is a Ph.D. candidate in the Engineering Systems Division at the Massachusetts Institute of Technology studying cybersecurity and Internet policy.
