'Gameover ZeuS' P2P bank-theft botnet has infected 678,000 Windows PCs
Dell SecureWorks researcher Brett Stone-Gross deconstructs dangerous money stealer
By Ellen Messmer | Network World US | Published: 10:43, 26 July 2012
The Gameover ZeuS bank-theft botnet, credited to cybercrime gangs in Eastern Europe, is going be hugely difficult to take down because of its peer-to-peer (P2P) design, according to research put forward at the Black Hat Conference.
The P2P botnet is "a private build" based on older ZeuS source code for committing financial cybercrime, says Brett Stone-Gross, senior security researcher at Dell SecureWorks, which published a report analysing the botnet first spotted in January. But instead of the typical ZeuS centralised command-and-control server, "it turns into a P2P network," he says. A P2P botnet has a lot of defensive advantages in escaping shutdown by authorities, because "in P2P, there's no central point to go after."
678,000 infected Windows PCs
Stone-Gross said Dell SecureWorks found out a lot about Gameover ZeuS by "crawling the peers," and found evidence of 678,000 infected Windows PCs. "It's probably the largest banking Trojan today," he says. It's all run as a private operation, probably from Russia and Ukraine, and it doesn't appear that the P2P ZeuS code is being sold online as a kit to other cybercriminals.
Related Articles on Techworld
The gang behind this P2P ZeuS botnet relies on the Cutwail spam botnet to "send massive amounts of email that impersonate well-known brand names including online retailers, cellular phone companies, social networking sites, and financial institutions," according to the SecureWorks report. There's typically what's called the "pony" loader involved that "attempts to download the P2P ZeuS binaries from three hardcoded compromised web servers," the report adds.
In some ways, the P2P version of the ZeuS Trojan is much like its predecessors, capturing information from a victim by means of keystroke logging, form grabbing and credential scraping. "Moreover, ZeuS provides the ability to modify the HTML of a target website, and/or inject additional form fields to dupe a victim into entering sensitive information, a process known as web injects." The P2P ZeuS supports both IPv4 and IPv6 addresses.
"The P2P ZeuS crew digitally signs the configurations and binaries to prevent attackers from pushing arbitrary versions of these files," the report says. "In addition, some of the P2P control messages (e.g., that set up the HTTP proxy nodes are signed to prevent poisoning)."
The P2P ZeuS botnet has infected hundreds of thousands of PCs in 226 countries, with the US, Germany and Italy the hardest hit, according to the report. The botnet steals by accessing bank accounts and making unauthorised large Automated Clearinghouse (ACH) and wire transfers to what are called "money mules," who works as accomplices.
The P2P design of Gameover ZeuS is going to make taking it down very hard, says Stone-Gross. That's become evident with what was hoped to be a successful take-down of the Hlux/Kelihos botnet in March, which researchers worked together to poison, but now shows clear signs of returning. Stone-Gross also notes Microsoft was able to effect a take-down of more commonplace ZeuS and SpyEye servers for financial crime in March because the botnet was centralised.