'Gameover' Financial Botnet Compromises Nearly 700,000 Victims

Security researchers peer into the network of compromised computers and find a well-run operation that steals money from banking customers and has infected systems at 14 of the top 20 Fortune 500 companies.

By: Robert Lemos

A peer-to-peer botnet has infected more than 675,000 systems, including those at 14 of the top 20 Fortune 500 companies, according to research released July 25 at the Black Hat security conference.

The botnet, known as Gameover, uses a private version of the Zeus framework, a collection of software components needed to compromise systems and manage the resulting network of computers. The operation targets the customers of banks in the United States, Europe and Asia, and demonstrates the complexity of such operations, said Brett Stone-Gross, a researcher with managed security services firm Dell Secureworks, who conducted the research.

"There are definitely a number of newer botnets that are using peer-to-peer and moving away from the centralized control model," Stone-Gross said. "There is really no infrastructure that law enforcement could go and take down without backtracking through a number of compromised systems. They have hidden their infrastructure really well."

The researcher has been analyzing the botnet since April, along with the complex operation of the group behind Gameover.

To infect more systems, the bot operators used a third-party spam botnet, known as Cutwail, to send out copies of legitimate emails that have been modified to spread their malware. People who click on a link in the email will be sent to a server that redirects them to another system hosting an exploit kit, which contains software that specializes in compromising systems. Known as the Blackhole exploit kit, the software is popular among cyber-criminals and attacks a variety of software vulnerabilities.

"The Blackhole kit is not dropping the malware itself," Stone-Gross said. "Instead, it is dropping a downloader known as Pony, which is interesting in that it is not just a loader, but it steals your HTTP, FTP and email credentials."

Once Pony installs Zeus on the compromised system, the software establishes a communications channel back to the attackers using peer-to-peer networking, which makes the botnet harder to dismantle, because there are no central command-and-control servers for authorities to shut down.
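The infection chain described above (a link in a spam email, a redirect to a second host, an exploit-kit landing page, then a downloader) leaves a recognizable pattern in web proxy logs. The following is an added example, not code from the Dell Secureworks research or from any product, of a simple detection heuristic run over constructed proxy records: it flags a client that receives an HTTP redirect to a different host, loads an HTML page there, and then fetches an executable from that same host within a short window. All hostnames, IP addresses and timestamps are constructed; the article names no indicators, and the log format is an assumption.

```python
"""Heuristic detection of a redirect -> landing page -> executable download chain
in proxy logs. Added example with constructed data; the log format, hostnames
and thresholds are assumptions, not indicators from the Gameover research."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log lines (hypothetical hosts and client IPs).
# Fields: timestamp client_ip method url status content_type
SAMPLE_LOG = """\
2012-07-25T10:00:01 10.0.0.5 GET http://news-example.test/article 200 text/html
2012-07-25T10:00:02 10.0.0.5 GET http://news-example.test/style.css 200 text/css
2012-07-25T10:02:10 10.0.0.7 GET http://link-in-mail.test/invoice 302 text/html
2012-07-25T10:02:11 10.0.0.7 GET http://landing-host.test/index.php 200 text/html
2012-07-25T10:02:13 10.0.0.7 GET http://landing-host.test/load.php 200 application/x-msdownload
2012-07-25T10:05:00 10.0.0.9 GET http://vendor-example.test/download 302 text/html
2012-07-25T10:05:01 10.0.0.9 GET http://cdn-example.test/setup.exe 200 application/x-msdownload
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Content types commonly seen on Windows executable downloads (assumption).
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/octet-stream"}


def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, ip, method, url, status, ctype = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "method": method,
            "url": url,
            "host": urlsplit(url).hostname,
            "status": int(status),
            "ctype": ctype,
        })
    return events


def find_chains(events, window=timedelta(seconds=60)):
    """Return one hit per client that shows: redirect -> HTML page on a
    different host -> executable from that landing host, all within `window`.
    A redirect that lands directly on a download (a normal vendor mirror)
    is deliberately not flagged, because no landing page is involved."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    hits = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, redirect in enumerate(evs):
            if redirect["status"] not in REDIRECT_STATUSES:
                continue
            landing = None
            for nxt in evs[i + 1:]:
                if nxt["ts"] - redirect["ts"] > window:
                    break  # outside the time window; stop following this redirect
                if landing is None:
                    if (nxt["host"] != redirect["host"] and nxt["status"] == 200
                            and nxt["ctype"].startswith("text/html")):
                        landing = nxt
                elif nxt["host"] == landing["host"] and nxt["ctype"] in EXEC_TYPES:
                    hits.append({
                        "ip": ip,
                        "redirector": redirect["host"],
                        "landing": landing["host"],
                        "payload_url": nxt["url"],
                    })
                    break
    return hits


if __name__ == "__main__":
    for hit in find_chains(parse(SAMPLE_LOG)):
        print(f"{hit['ip']}: {hit['redirector']} -> {hit['landing']} -> {hit['payload_url']}")
```

In the constructed data only client 10.0.0.7 matches; 10.0.0.9 is redirected straight to an executable with no HTML landing page in between, which is how an ordinary download mirror behaves, so it is left alone. On real proxy data the heuristic is a triage signal, not a verdict: the executable and the landing host still need to be checked against reputation and sandbox results.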

Infected machines contact a hard-coded list of peers to get updates and commands. While some peer-to-peer botnets have been taken down by poisoning the peer list, it's not an easy attack path, the researcher said. While researching the botnet, Stone-Gross has seen at least two attempts to disrupt the botnet fail.

The researcher identified 678,205 unique bot IDs belonging to computers using 1.6 million unique IP addresses. Only about 15 percent of the botnet could be contacted from the Internet, Stone-Gross said. The others were likely behind firewalls, routers or proxies, he said.

Like other Zeus variants, the Gameover botnet uses Web injects (a technique for injecting elements into a legitimate Website) to gather critical information from a banking customer that could be used to compromise their account. Nearly 22 percent of the infected computers were located in the United States, while Germany accounted for 7 percent and Italy for another 5 percent.

The sophistication of the operation comes from a great deal of experience in mounting Zeus campaigns, Stone-Gross said.

"There have been a bunch of private versions of Zeus, and these guys are pretty much the group behind all these private versions," the researcher said.