Evgeniy Bogachev, GameOver Zeus, Cryptolocker: How the FBI shut down two viruses.

How the FBI Used Old-Fashioned Sleuthing and High-Tech Tricks to Foil Two Dastardly Viruses

June 3 2014 1:45 PM

To Catch a Cyberthief

How the FBI foiled the dangerous malwares GameOver Zeus and Cryptolocker.

(Continued from Page 1)

Meanwhile, a “confidential human source” provided the FBI with an email address that was being used by one of the GOZ operators. With a search warrant, officers were then able to retrieve from a service provider all of the records related to that email address. These records included when the email account was accessed and from what IP addresses, as well as the name associated with the account: Evgeniy Bogachev. Cross-referencing the IP addresses used to access Bogachev’s email account with those used to access visitcoastweekend.com and a CryptoLocker command-and-control server (traced from the U.S. to the U.K. to Luxembourg), the investigators found that there was significant overlap, leading them to conclude that Bogachev was involved in both schemes. Moreover, the fact that he had high-level administrative access to the GOZ server led them to believe he was “a leader of the GOZ conspiracy.”

The identification of Bogachev is no small feat, as underlined by the fact that, thus far, all the FBI knows about his co-conspirators is their online aliases (“Temp Special,” “Ded,” “Chingiz 911,” and “mr. kykypyky”), and an email address used by one of them. (Don’t respond if he writes to you offering part-time work.) Bogachev used his real name on the email account and didn’t mask his IP address, so it was possible to trace him when he accessed the GOZ and CryptoLocker servers, landing him on the FBI Cyber’s Most Wanted page.

The work of tracking down Bogachev and the servers running the GOZ and CryptoLocker operations was largely low-tech: interviewing money mules and victims, cross-referencing lengthy data logs, combing through websites and hacker forums (and translating them from Russian). By contrast, the takedown efforts this weekend involved extensive technical expertise—much of which is redacted from the FBI’s public records—to cut off the communications between all of GOZ’s complicated layers of peer and proxy nodes while also seizing the servers issuing them commands, including machines in Canada, Ukraine, and Kazakhstan.


On top of that, law enforcement had to make sure that Bogachev and his associates would be unable to re-establish control over the infected machines through a new server, something the malware is specifically designed to do by means of a domain generation algorithm (DGA), which generates 1,000 domain names every week—long strings of letters followed by one of six top-level domains, either .com, .net, .org, .biz, .info, or .ru. Every week, every machine infected with GOZ will go through the list and try to contact each of the thousand domains until a connection is established. So if the attackers were able to set up any one of those domains during the appropriate week, they would be able to re-establish communication with all of the infected machines and regain control of the bot, rendering the FBI’s efforts largely useless. Thanks to the DGA, bots like CryptoLocker and GOZ are effectively cyber-hydras. Cut off one server and a thousand more grow back in its place. To combat this, the FBI reverse-engineered the DGA, so they would know which thousand domains were being selected every week, and then on May 28 acquired a temporary restraining order that required domain registries in the U.S. to redirect any attempts to contact those domains to a substitute, government-run server. The domains generated by the DGA with the .ru top-level domain are controlled by registries in Russia, so the U.S. has no jurisdiction to force them to redirect traffic. Instead, the restraining order required U.S. service providers to block any connection requests to the .ru domains generated by the DGA.
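The weekly DGA list and the two-track response the article describes (redirect what U.S. registries control, block the .ru names at the ISP), as an added example that is not part of the original article. The generator is a constructed stand-in seeded by the ISO week, not the real GOZ algorithm, and the DNS log format is constructed; it shows why knowing the algorithm lets a defender precompute the list, sinkhole it, and spot still-infected hosts in DNS logs.

```python
import datetime
import hashlib

# Constructed stand-in DGA: 1,000 letter-only labels per ISO week, each
# followed by one of the six TLDs the article names. Not the GOZ algorithm.
TLDS = [".com", ".net", ".org", ".biz", ".info", ".ru"]
DOMAINS_PER_WEEK = 1000


def weekly_domains(day_iso: str, count: int = DOMAINS_PER_WEEK) -> list:
    """Return the domain list every bot would compute for the week holding day_iso."""
    year, week, _ = datetime.date.fromisoformat(day_iso).isocalendar()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{year}-{week}-{i}".encode()).digest()
        # 16 lowercase letters from the digest, then a TLD chosen by the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:16])
        domains.append(label + TLDS[digest[16] % len(TLDS)])
    return domains


def sinkhole_plan(domains: list) -> dict:
    """Split a week's list as the restraining order did: names under
    U.S.-controlled registries go to the substitute server, .ru names
    (outside U.S. jurisdiction) are blocked at the service provider."""
    plan = {"redirect": [], "block": []}
    for d in domains:
        plan["block" if d.endswith(".ru") else "redirect"].append(d)
    return plan


def flag_dga_lookups(log_lines: list, day_iso: str) -> list:
    """Defender-side check: (client_ip, qname) for DNS queries that match
    this week's precomputed list, a cheap way to find hosts still infected."""
    wanted = set(weekly_domains(day_iso))
    hits = []
    for line in log_lines:
        # constructed log format: "<timestamp> <client_ip> query <qname>"
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query":
            qname = parts[3].rstrip(".")
            if qname in wanted:
                hits.append((parts[1], qname))
    return hits


if __name__ == "__main__":
    plan = sinkhole_plan(weekly_domains("2014-06-02"))
    print(len(plan["redirect"]), "to redirect,", len(plan["block"]), "to block")
```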

All in all, it’s a massive and multi-layered strike against every element of the infrastructure underlying GOZ and CryptoLocker, though it remains to be seen whether the FBI and its partners have successfully thought of, and blocked, every possible way for the bots to be resurrected. In the meantime, it certainly wouldn’t hurt to run a virus scan.

There are several important lessons to be gleaned—about human carelessness (for all his technical genius, Bogachev made some elementary mistakes, like not changing his IP address whenever he accessed visitcoastweekend.com), about the digital footprints we leave regardless of how hard we try to hide them (the chain of evidence pointing back to Bogachev is damning), about the value of technical and social and legal mechanisms (reverse-engineering the DGA, interviewing informants and victims, and obtaining the restraining order were all crucial), about the importance of international collaboration for fighting cybercrime (none of this would have been possible without extensive cooperation from the U.K., Luxembourg, and quite likely other countries as well), and also about the clever ways countries can leverage their own Internet infrastructure to shield themselves from online activity beyond their control (the FBI can’t redirect .ru servers, but it can block U.S. computers from accessing them). More than anything, perhaps, it’s a lesson in how smart and sophisticated and careful today’s cybercriminals are—and how today’s cybersleuths may still be just a bit—or byte—ahead of them.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.