Justice Dept. Names ZeuS Trojan Author, Seizes Control of P2P "Gameover" Botnet

tsu doh nimh (609154) writes "The U.S. Justice Department announced today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and that the botnet is responsible for more than $100 million in losses from online banking account takeovers. The government alleges that Gameover also was rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes. In a complaint unsealed today, the DOJ further alleges that ZeuS and Gameover are the brainchild of a Russian man named Evgeniy Mikhailovich Bogachev, a.k.a. 'Slavik.'"

Cutting a head off the Hydra

[NoNonAlphaCharsHere]

And where one compromised Windows machine falls, two more will arise to take its place.

Re:Cutting a head off the Hydra

[Alphadecay27]

That sounds poetic and I understand it is a general (likely warranted) shot at windows but it's not really applicable. Cleaning an infected machine results in one less infected machine. The act of cleaning does not generate 2 more infected machines and in fact shrinks the botnet by some, albeit small degree. There is never a situation where cleaning a Windows machine is a bad option - which keeps a significant number of us employed/harassed by friends/relatives.

If you can secure a machine (e.g. by beating the user until they swear they won't click on unknown links) you further reduce the likely-hood of reinfection. I can't remember where I've seen it but I have heard there is some sort of method using a host file but I will not mention it to avoid being down-modded :)

And what will *they* do with it?

[gstoddart]

Because, you know, the NSA et al are doing just as much hacking as the black hats are.

At which point, one must assume they'll continue to use this botnet for their own purposes, and not simply dismantle it.

Why give up an established spy network?

Re:Government Control

[synapse7]

Pretty sure it is their duty to use these computers to gather information for national security.

Only Control For Short While

[mrspoonsi]

According to this article: http://www.bbc.co.uk/news/tech... the C&C servers will be replaced by new ones, so there is only a 2 week window until the network is back up and running.

Re:Only Control For Short While

[Yebyen]

Presumably there's some concept of a CA / revocation list where infected nodes can find messages in a public channel or forum of some kind that tell where to reach the new C&C servers. I'm struggling with this as well, but it seems reasonable to assume from the quoted text that those machines are checking in regularly with the C&C servers, which the authorities now control, and they are checking in less frequently (every 2 weeks) with some other channel that is not controlled by the authorities, where The Highest Bidder with The Official Keys (not a part of the regular everyday C&C architecture) gets to put out new instructions that supersede the old.

I have just made all of this up from my imagination without any research, I'm just thinking, "if I was the one who did it, that's how I'd do it".

Re:We've named the guy, now getting him?

[PRMan]

Yeah, cause he helped the American people by... oh, wait, he's just a straight-up villain...

Re:We've named the guy, now getting him?

[Opportunist]

If you had told someone 25 years ago that criminals in Russia try to steal your ID for profit while in the USA the state tries to invade your privacy to ferret out dissidents...

Waste of time

[dhammabum]

Why aren't they going after terrorists? We all need to sacrifice to defeat terrorism, and if it means compromised systems and stripped bank accounts, well, that is the price we all have to pay.