Evgeniy Bogachev, GameOver Zeus, Cryptolocker: How the FBI shut down two viruses.

How the FBI Used Old-Fashioned Sleuthing and High-Tech Tricks to Foil Two Dastardly Viruses

June 3 2014 1:45 PM

To Catch a Cyberthief

How the FBI foiled the dangerous malware GameOver Zeus and CryptoLocker.

FBI Most Wanted poster for Evgeniy Mikhaylovich Bogachev.
The man behind the bot.

Courtesy FBI

Law enforcement authorities took down the computer networks operating two major pieces of malware this weekend, and in the process added a new name to the FBI’s most wanted list of cybercriminals: Russian hacker Evgeniy Bogachev. Bogachev, the authorities believe, was responsible for operating both viruses and using them to steal millions of dollars. One of the viruses, GameOver Zeus, was able to capture banking credentials and then authorize transfers from their accounts. The other, a ransomware trojan called CryptoLocker, encrypted the files of computers it infected and then demanded payment to decrypt them. Together, GameOver Zeus and CryptoLocker have infected hundreds of thousands of machines.

The court documents concerning the operation make clear just how much work went into figuring out how to stop these viruses and, surprisingly, how much of law enforcement’s success was due not just to savvy technical hacking but also to old-fashioned sleuthing.

Why is it so hard to track down the servers—to say nothing of the people—responsible for operating these viruses? One reason is that there are so many layers of intermediaries between the victims and the perpetrators. Machines infected with GameOver Zeus (GOZ) did not report directly to a single command-and-control server, in the manner of traditional botnets, but instead operated on a peer-to-peer architecture in which they maintained connections to other infected machines, some of which served as intermediate “proxy nodes,” relaying commands from GOZ operators and sending encrypted data back to their “master drop” servers.

So the GOZ operators were not in direct communication with most of the infected machines and, similarly, they were not the direct recipients of the money transfers made using the stolen credentials. Instead, they recruited money mules via spam emails. (Sample text, from the FBI investigation: “If you are taking a career break, are on a maternity leave, recently retired or simply looking for some part-time job, this position is for you.” Imagine, for a moment, one of the largest cybercrime operations in the world being powered by postpartum mothers and aging retirees sitting at home on their laptops, waiting for million-dollar transfers to appear in their bank accounts …) These mules would receive the wire transfers directly from the victims’ accounts, keep a sum as their payment (“Starting salary is $2000 per month plus commission, paid every month”), and send the rest along to another account, presumably belonging to the GOZ operators.

Thus, Bogachev and his co-conspirators put several layers of computers and people between themselves and their crimes. And they also designed some phenomenally sophisticated software—GOZ, for instance, was even able to get into bank accounts protected with two-factor authentication by using a man-in-the-middle attack. Two-factor authentication works by requiring users to provide both a password and another credential, usually a code texted to their phone or stored on a physical token, in order to log in. This way, even if a user’s password is stolen—or guessed—attackers still can’t log in because they also need the phone or token belonging to that user to get the second factor. But GOZ was able to intercept these codes before they were used. Victims would enter their second authentication code, sent via text or physical token, into a fake login field (which they believed was actually their bank’s login page). The attackers would then capture that code, along with a password, and use both credentials to access the accounts.
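The weakness described above, modeled as an added example (not from the article and not GOZ code): a second factor that is only a code is accepted from whoever presents it inside the validity window, so a code typed into a fake page can be relayed, whereas a factor bound to the origin the browser is actually on, in the spirit of FIDO/WebAuthn, fails verification when relayed. The bank classes, user names, origins and the HMAC-based signing scheme are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model (not GOZ code): the second factor is a bearer code, valid
# for whoever presents it inside the validity window, wherever it was typed.
class CodeOnlyBank:
    def __init__(self, validity_seconds=300):
        self.validity = validity_seconds
        self.issued = {}  # user -> (code, time issued)

    def issue_code(self, user, now):
        code = f"{secrets.randbelow(1_000_000):06d}"  # what the SMS or token shows
        self.issued[user] = (code, now)
        return code

    def login(self, user, code, now):
        issued_code, issued_at = self.issued.get(user, (None, now))
        return issued_code == code and now - issued_at <= self.validity

# Hypothetical origin-bound scheme in the spirit of FIDO/WebAuthn: the authenticator
# signs the bank's challenge together with the origin the browser is really on, so an
# assertion produced on a look-alike page covers the wrong origin and is rejected.
def authenticator_sign(key, challenge, origin):
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

class OriginBoundBank:
    def __init__(self, origin="bank.example"):
        self.origin, self.keys, self.challenges = origin, {}, {}

    def issue_challenge(self, user):
        self.challenges[user] = secrets.token_bytes(16)
        return self.challenges[user]

    def login(self, user, assertion):
        expected = authenticator_sign(self.keys[user], self.challenges.pop(user), self.origin)
        return hmac.compare_digest(expected, assertion)

def relay_against_code_only(now=1_000_000.0):
    bank = CodeOnlyBank()
    code = bank.issue_code("alice", now)           # delivered to the victim's phone
    return bank.login("alice", code, now + 20)     # typed into a fake page, relayed 20 s later

def relay_against_origin_bound(origin_seen_by_browser):
    bank = OriginBoundBank()
    bank.keys["alice"] = key = secrets.token_bytes(32)   # enrolled authenticator key
    chal = bank.issue_challenge("alice")                 # fake page forwards the real challenge
    assertion = authenticator_sign(key, chal, origin_seen_by_browser)
    return bank.login("alice", assertion)
```

The same relayed challenge succeeds only when the browser was genuinely on `bank.example`; a fake page at any other origin yields an assertion the bank cannot verify.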

Since the millions of dollars being reaped by GOZ-driven thefts were apparently not enough, its operators also began using the virus to install CryptoLocker on already infected machines. CryptoLocker victims were given a 72-hour window to choose between losing all of their data to unbreakable encryption or paying several hundred dollars in bitcoin or anonymous prepaid cash vouchers to retrieve it. (And since the criminals suspected there was still more money to be made here, they then set up a customer service website to help people figure out how to pay their bitcoin ransoms.)

So what were the weak links in this ruthless and lucrative business?

The FBI’s account of its investigation begins with a server in the United Kingdom that they suspected was linked to GOZ operations. U.K. authorities provided the FBI with a copy of that server’s contents, which included a password-protected website called visitcoastweekend.com with a frequently-asked-questions page featuring a bizarre blend of corporate buzzwords and dastardly criminal conspiracy. The page, translated from Russian, stated:

Starting on September we are beginning to work through the panel where you now find yourselves. [Fraudulent] Money transfers and drop [money mule] managers are synchronizing their work through our panel, which enables a much greater optimization of the work process and increase in the productivity of our work. Starting from this moment, all drop [money mule] managers with whom we are working and all [fraudulent] money transferors who work with us are working through this panel. We wish you all successful and productive work.

This was a promising start, but the investigators needed more to conclusively link the site to GOZ. Fortunately, the site also included a detailed list of hundreds of financial transactions with dates, company names, amounts, and the type of transfer. The FBI then began the painstaking work of verifying that these transfers were indeed the work of the GOZ virus. For example, they interviewed representatives from a composite materials company in the Western District of Pennsylvania to confirm that a $198,234.03 wire transfer on Oct. 21, 2011, from a SunTrust Bank account, the details of which were listed in the visitcoastweekend.com ledger, was, in fact, the result of credentials stolen from a GOZ-infected machine. “For all listed companies with respect to which the FBI manually reviewed information in the ledger and compared it to information from either field interviews or bank fraud reporting, the information was an exact match,” FBI special agent Elliott Peterson wrote in his court declaration.