GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.
76-481: The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet , considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which combined with other security measures such as rootkits made shutting down
152-484: A legal remedy , e.g. on the basis of trespass to chattels . A number of large civil settlements have been won in this way, although others have been mostly unsuccessful in collecting damages. Criminal prosecution of spammers under fraud or computer crime statutes is also common, particularly if they illegally accessed other computers to create botnets , or the emails were phishing or other forms of criminal fraud. Finally, in most countries specific legislation
228-757: A revolution in 2014. OPEC member states were also targeted. Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent", and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense". Botnets used for espionage were run separately from those used for financial crime. It
304-433: A "destination account" that money would be indirectly sent to. Botnet managers did not need to use the token grabber panel, as they were allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers. GOZ was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain
380-456: A crawler and automatic blacklisting, halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations. Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on
456-542: A decryption key. Josephine Wolff, assistant professor of cybersecurity policy at Tufts University , has speculated that the motivation behind pivoting to ransomware was for two reasons: firstly to set up a more secure means of making money off of GOZ, as ransomware could take money from victims for less work on the criminals' ends and the anonymous payment methods did not need to be laundered through money mules, whose loyalties were in question since they did not know they were working for criminals; and secondly to take advantage of
532-409: A form of attention theft , but also dangerous because they may contain links that lead to phishing web sites or sites that are hosting malware or include malware as file attachments . Spammers collect email addresses from chat rooms, websites, customer lists, newsgroups, and viruses that harvest users' address books. These collected email addresses are sometimes also sold to other spammers. At
608-434: A form of distraction during thefts. In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar . Bogachev was indicted shortly after and a reward of $ 3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar
684-426: A link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail , that was frequently rented out by cybercriminals to send spam. From 2011 to 2014, all GameOver ZeuS activity was managed by a single crime syndicate. The syndicate primarily used GOZ to engage in bank fraud and extortion, however, other revenue streams such as click fraud and renting out
760-666: A person other than a body corporate. In the United States, many states enacted anti-spam laws during the late 1990s and early 2000s. All of these were subsequently superseded by the CAN-SPAM Act of 2003 , which was in many cases less restrictive. CAN-SPAM also preempted any further state legislation, but it left related laws not specific to e-mail intact. Courts have ruled that spam can constitute, for example, trespass to chattels. Bulk commercial email does not violate CAN-SPAM, provided that it meets certain criteria, such as
836-467: A service provider's network, identify spam, and take action such as blocking the message or shutting off the source of the message. DNS sinkhole A DNS sinkhole, also known as a sinkhole server, Internet sinkhole, or Blackhole DNS, is a Domain Name System (DNS) server that has been configured to hand out non-routable addresses for a certain set of domain names. Computers that use
912-462: A sinkhole server defined by the DNS sinkhole administrator. One example of blocking malicious domains is to stop botnets, by interrupting the DNS names the botnet is programmed to use for coordination. Another use is to block ad serving sites, either using a hosts file-based sinkhole or by locally running a DNS server (e.g., using a Pi-hole). Local DNS servers effectively block ads for all devices on
988-419: A technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies. The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Michael Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into. However, Malcovery's initial report claimed that
1064-515: A truthful subject line, no forged information in the headers. If it fails to comply with any of these requirements it is illegal. Those opposing spam greeted the new law with dismay and disappointment, almost immediately dubbing it the "You Can Spam" Act. In practice, it had a little positive impact. In 2004, less than one percent of spam complied with CAN-SPAM, although a 2005 review by the Federal Trade Commission claimed that
1140-401: A username and password, such as a one-time-code or security question. The panel existed so that the criminals could quickly and easily request solutions to these measures from the victim. The token grabber panel was titled "World Bank Center", with the slogan "we are playing with your banks". Another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select
1216-453: Is "abusive email", as of the second half of 2007. The sample size for the MAAWG's study was over 100 million mailboxes. In 2018, with growing affiliation networks and email fraud worldwide, about 90% of global email traffic is spam as per an IPwarmup.com study, which also affects legitimate email senders trying to achieve inbox delivery. A 2010 survey of US and European email users showed that 46% of
1292-831: Is a side-effect of email spam, viruses , and worms . It happens when email servers are misconfigured to send a bogus bounce message to the envelope sender when rejecting or quarantining email (rather than simply rejecting the attempt to send the message). If the sender's address was forged, then the bounce may go to an innocent party. Since these messages were not solicited by the recipients, are substantially similar to each other, and are delivered in bulk quantities, they qualify as unsolicited bulk email or spam. As such, systems that generate email backscatter can end up being listed on various DNSBLs and be in violation of internet service providers ' Terms of Service . If an individual or organisation can identify harm done to them by spam, and identify who sent it; then they may be able to sue for
1368-575: Is also a medium for fraudsters to scam users into entering personal information on fake Web sites using emails forged to look like they are from banks or other organizations, such as PayPal . This is known as phishing . Targeted phishing, where known information about the recipient is used to create forged emails, is known as spear-phishing . If a marketer has one database containing names, addresses, and telephone numbers of customers, they can pay to have their database matched against an external database containing email addresses. The company then has
1444-456: Is being taken away by newer malware. Similar Russian and Eastern European cybercrime groups: Similar botnets: Spam emails Email spam , also referred to as junk email , spam mail , or simply spam , is unsolicited messages sent in bulk by email ( spamming ). The name comes from a Monty Python sketch in which the name of the canned pork product Spam is ubiquitous, unavoidable, and repetitive. Email spam has steadily grown since
1520-608: Is in place to make certain forms of spamming a criminal offence, as outlined below: Article 13 of the European Union Directive on Privacy and Electronic Communications (2002/58/EC) provides that the EU member states shall take appropriate measures to ensure that unsolicited communications for the purposes of direct marketing are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications,
1596-489: Is known as a bot , short for robot ). In June 2006, an estimated 80 percent of email spam was sent by zombie PCs, an increase of 30 percent from the prior year. An estimated 55 billion email spam were sent each day in June 2006, an increase of 25 billion per day from June 2005. For the first quarter of 2010, an estimated 305,000 newly activated zombie PCs were brought online each day for malicious activity. This number
1672-795: Is sent by otherwise reputable companies it is sometimes referred to as Mainsleaze. Mainsleaze makes up approximately 3% of the spam sent over the internet. Many spam emails contain URLs to a website or websites. According to a Cyberoam report in 2014, there are an average of 54 billion spam messages sent every day. "Pharmaceutical products (Viagra and the like) jumped up 45% from last quarter’s analysis, leading this quarter’s spam pack. Emails purporting to offer jobs with fast, easy cash come in at number two, accounting for approximately 15% of all spam email. And, rounding off at number three are spam emails about diet products (such as Garcinia gummi-gutta or Garcinia Cambogia), accounting for approximately 1%." Spam
1748-686: Is slightly lower than the 312,000 of the fourth quarter of 2009. Brazil produced the most zombies in the first quarter of 2010. Brazil was the source of 20 percent of all zombies, which is down from 14 percent from the fourth quarter of 2009. India had 10 percent, with Vietnam at 8 percent, and the Russian Federation at 7 percent. To combat the problems posed by botnets, open relays, and proxy servers, many email server administrators pre-emptively block dynamic IP ranges and impose stringent requirements on other servers wishing to deliver mail. Forward-confirmed reverse DNS must be correctly set for
1824-594: Is to use an animated GIF image that does not contain clear text in its initial frame, or to contort the shapes of letters in the image (as in CAPTCHA ) to avoid detection by optical character recognition tools. Blank spam is spam lacking a payload advertisement. Often the message body is missing altogether, as well as the subject line. Still, it fits the definition of spam because of its nature as bulk and unsolicited email. Blank spam may be originated in different ways, either intentional or unintentionally: Backscatter
1900-512: Is unclear who was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Michael Sandee, another participant in the takedown operation, has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep
1976-479: Is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $ 27 million was stolen. However, Michael Sandee has given a much lower estimate of $ 3 million for the entire duration of CryptoLocker's activity. Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks. Analysis of
2052-504: The IP used to administer the botnet; although he had used a VPN , Bogachev had used the same one for both tasks. The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities, with Ukraine being
2128-591: The ISP, for example) a naïve ISP may terminate their service for spamming. Spammers frequently seek out and make use of vulnerable third-party systems such as open mail relays and open proxy servers . SMTP forwards mail from one server to another—mail servers that ISPs run commonly require some form of authentication to ensure that the user is a customer of that ISP. Increasingly, spammers use networks of malware-infected PCs ( zombies ) to send their spam. Zombie networks are also known as botnets (such zombifying malware
2204-512: The US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work. Money mules were not aware that they were handling stolen funds or working for a criminal syndicate. GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging . However, the malware was capable of using browser hijacking to bypass two-factor authentication . By presenting
2280-654: The United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server combined with interviews with former money mules allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email with
2356-676: The United States $ 21.58 billion annually, while another reported the cost at $ 17 billion, up from $ 11 billion in 2003. In 2004, the worldwide productivity cost of spam has been estimated to be $ 50 billion in 2005. Because of the international nature of spam, the spammer, the hijacked spam-sending computer, the spamvertised server, and the user target of the spam are all often located in different countries. As much as 80% of spam received by Internet users in North America and Europe can be traced to fewer than 200 spammers. In terms of volume of spam: According to Sophos ,
Gameover ZeuS - Misplaced Pages Continue
2432-607: The amount of sexually explicit spam had significantly decreased since 2003 and the total volume had begun to level off. Many other observers viewed it as having failed, although there have been several high-profile prosecutions. Spammers may engage in deliberate fraud to send out their messages. Spammers often use false names, addresses, phone numbers, and other contact information to set up "disposable" accounts at various Internet service providers. They also often use falsified or stolen credit card numbers to pay for these accounts. This allows them to move quickly from one account to
2508-609: The beginning of the Internet (the ARPANET ), sending of commercial email was prohibited. Gary Thuerk sent the first email spam message in 1978 to 600 people. He was reprimanded and told not to do it again. Now the ban on spam is enforced by the Terms of Service / Acceptable Use Policy (ToS/AUP) of internet service providers (ISPs) and peer pressure. Spam is sent by both otherwise reputable organizations and lesser companies. When spam
2584-479: The botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev and referring to itself as the "business club", which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks , used as both retaliation and as
2660-455: The botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine, and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government. The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst
2736-463: The botnet were known to exist. The creator and main developer of GameOver ZeuS was Evgeniy "slavik" Bogachev, the creator of the original Zeus Trojan and the immediate predecessor to GOZ, Jabber Zeus . Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of
2812-520: The botnet were unsuccessful, including one attempt in March 2012 by Microsoft to use legal action to have GOZ-controlled servers and domains seized, which failed due to the peer-to-peer architecture of GameOver ZeuS. Planning for Operation Tovar began in 2012, with the Federal Bureau of Investigation beginning to work together with private cybersecurity firms to combat GOZ. By 2014, authorities in
2888-404: The botnet — particularly by restricting the activities of crawlers and sensors — as well as to prevent shutdown attempts. The effectiveness of these mechanisms has led GameOver ZeuS to be considered a sophisticated botnet, with US Deputy Attorney General James M. Cole calling it “the most sophisticated and damaging botnet we have ever encountered”. Cybersecurity researcher Brett Stone-Gross, who
2964-440: The botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network. A special "debug build" of the malware existed that provided detailed logs regarding the network. The debug build existed to garner insight into security researchers' activities against the botnet and develop appropriate responses. The malware itself
3040-464: The botnet. GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts. In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers. The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if
3116-531: The business club, mostly Russians and Ukrainians. The network also employed technical support staff for the malware. The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar . Business club members did not exclusively use GOZ and were often members of other malware networks. In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in
3192-569: The choice between these options to be determined by national legislation. In the United Kingdom, for example, unsolicited emails cannot be sent to an individual subscriber unless prior permission has been obtained or unless there is a pre-existing commercial relationship between the parties. The 2010 Fighting Internet and Wireless Spam Act (which took effect in 2014) is Canadian legislation meant to fight spam. The Spam Act 2003 , which covers some types of email and phone spam. Penalties are up to 10,000 penalty units , or 2,000 penalty units for
3268-503: The criminals' access to data on infected computers that was significant to victims but was of no value to criminals, such as photographs and emails. Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from. About 200,000 computers were attacked by Cryptolocker beginning in 2013. The amount of money Bogachev and associates made from CryptoLocker
3344-466: The criminals, hiding its origin and destination from authorities. By June 2014 it was estimated that between $ 70 million and $ 100 million had been stolen via GOZ. The siphoning of money followed the day-night line , beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team
3420-534: The early 1990s, and by 2014 was estimated to account for around 90% of total email traffic. Since the expense of the spam is borne mostly by the recipient, it is effectively postage due advertising. Thus, it is an example of a negative externality . The legal definition and status of spam varies from one jurisdiction to another, but nowhere have laws and lawsuits been particularly successful in stemming spam. Most email spam messages are commercial in nature. Whether commercial or not, many are not only annoying as
3496-400: The email had previously traversed many legitimate servers. Spoofing can have serious consequences for legitimate email users. Not only can their email inboxes get clogged up with "undeliverable" emails in addition to volumes of spam, but they can mistakenly be identified as a spammer. Not only may they receive irate email from spam victims, but (if spam victims report the email address owner to
3572-407: The espionage secret. Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended, despite living openly and under his own name in Russia. GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1, also known as Jabber Zeus . Jabber Zeus was run by an organized crime syndicate, of which Bogachev
3648-467: The first to do so on May 7, 2014. With preparations finished, Operation Tovar began on May 30. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers. The technical details of the operation largely remain classified. On June 2, the Department of Justice announced
3724-558: The infected machines was sent. This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time. Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster. Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes. GOZ contained several security features designed to prevent full analysis of
3800-455: The local hosts file on a computer is checked before DNS servers, and can be used to block sites in the same way. Sinkholes can be used both constructively, to contain threats such as WannaCry and Avalanche, and destructively, for example disrupting DNS services in a DoS attack. DNS sinkholing can be used to protect users by intercepting DNS requests attempting to connect to known malicious domains and instead returning an IP address of
3876-471: The major sources of spam in the fourth quarter of 2008 (October to December) were: When grouped by continents, spam comes mostly from: In terms of number of IP addresses: the Spamhaus Project ranks the top three as the United States, China, and Russia, followed by Japan, Canada, and South Korea. In terms of networks: As of 13 December 2021 , the three networks hosting
3952-454: The malware. At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers. Botnet-building capabilities were common to all ZeuS variants; however, while previous iterations of the malware created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server, GameOver ZeuS utilized a decentralized, peer-to-peer infrastructure. The botnet
4028-414: The means to send email to people who have not requested email, which may include people who have deliberately withheld their email address. Image spam , or image-based spam, is an obfuscation method by which text of the message is stored as a GIF or JPEG image and displayed in the email. This prevents text-based spam filters from detecting and blocking spam messages. Image spam was reportedly used in
4104-419: The mid-2000s to advertise " pump and dump " stocks. Often, image spam contains nonsensical, computer-generated text which simply annoys the reader. However, new technology in some programs tries to read the images by attempting to find text in these images. These programs are not very accurate, and sometimes filter out innocent images of products, such as a box that has words on it. A newer technique, however,
4180-518: The most spammers are ChinaNet , Amazon , and Airtel India . The U.S. Department of Energy Computer Incident Advisory Capability (CIAC) has provided specific countermeasures against email spamming. Some popular methods for filtering and refusing spam include email filtering based on the content of the email, DNS-based blackhole lists ( DNSBL ), greylisting , spamtraps , enforcing technical requirements of email ( SMTP ), checksumming systems to detect bulk email, and by putting some sort of cost on
4256-410: The new Trojan represented an earnest attempt to revive the botnet. The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down". The new malware was divided into two variants. The variants differed in two areas:
4332-412: The next as the host ISPs discover and shut down each one. Senders may go to great lengths to conceal the origin of their messages. Large companies may hire another firm to send their messages so that complaints or blocking of email falls on a third party. Others engage in spoofing of email addresses (much easier than IP address spoofing ). The email protocol ( SMTP ) has no authentication by default, so
4408-652: The number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections – the former variant primarily infected systems in the US, and the latter targeted computers in Ukraine and Belarus. On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ. Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well. As of 2017, variants of Zeus constitute 28% of all banking malware. However, Sandee has claimed that much of Zeus's market share
4484-526: The outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day. However, authorities also warned that the botnet would likely return within two weeks. On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent. On February 24, 2015, the Justice Department announced a reward of $ 3 million for information leading to Bogachev's arrest, at
4560-437: The outgoing mail server and large swaths of IP addresses are blocked, sometimes pre-emptively, to prevent spam. These measures can pose problems for those wanting to run a small email server off an inexpensive domestic connection. Blacklisting of IP ranges due to spam emanating from them also causes problems for legitimate email servers in the same IP range. The total volume of email spam has been consistently growing, but in 2011
4636-466: The respondents had opened spam messages, although only 11% had clicked on a link. According to Steve Ballmer in 2004, Microsoft founder Bill Gates receives four million emails per year, most of them spam. This was originally incorrectly reported as "per day". At the same time Jef Poskanzer , owner of the domain name acme.com, was receiving over one million spam emails per day. A 2004 survey estimated that lost productivity costs Internet users in
4712-408: The sender via a proof-of-work system or a micropayment. Each method has strengths and weaknesses and each is controversial because of its weaknesses. For example, one company's offer to "[remove] some spamtrap and honeypot addresses" from email lists defeats the ability for those methods to identify spammers. Outbound spam protection combines many of the techniques to scan messages exiting out of
4788-445: The sinkhole fail to access the real site. The higher up the DNS resolution chain the sinkhole is, the more requests will fail, because of the greater number of lower nameservers that in turn serve a greater number of clients. Some of the larger botnets have been made unusable by top-level domain sinkholes that span the entire Internet. DNS Sinkholes are effective at detecting and blocking bots and other malicious traffic. By default,
4864-513: The spammer can pretend to originate a message apparently from any email address. To prevent this, some ISPs and domains require the use of SMTP-AUTH , allowing positive identification of the specific account from which an email originates. Senders cannot completely spoof email delivery chains (the 'Received' header), since the receiving mailserver records the actual connection from the last mailserver's IP address. To counter this, some spammers forge additional delivery headers to make it appear as if
4940-413: The time the largest-ever reward for a cybercriminal. Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux ,
5016-417: The trend seemed to reverse. The amount of spam that users see in their mailboxes is only a portion of total spam sent, since spammers' lists often contain a large percentage of invalid addresses and many spam filters simply delete or reject "obvious spam". The first known spam email, advertising a DEC product presentation, was sent in 1978 by Gary Thuerk to 600 addresses, the total number of users on ARPANET
5092-504: The victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money, usually hundreds of thousands or millions of dollars. In one instance, $6.9 million
5168-400: Was 2600 at the time, though software limitations meant only slightly more than half of the intended recipients actually received it. As of August 2010, the number of spam messages sent per day was estimated to be around 200 billion. More than 97% of all emails sent over the Internet in 2008 were unwanted, according to a Microsoft security report. MAAWG estimates that 85% of incoming mail
5244-402: Was a key member, that had largely dissolved in 2010 due to police action. In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus. In May 2011, the source code for Zeus
5320-462: Was also difficult to remove, owing to a rootkit contained in it. The rootkit, Necurs, was taken from a different piece of malware. The interface controlling the botnet could be used to read data logged by the bots and execute commands, including custom scripts. A special token grabber panel existed for man-in-the-browser attacks used to obtain bank login credentials; logging into a bank account usually involves authentication measures in addition to
5396-500: Was brought on by the Federal Bureau of Investigation to analyze GameOver ZeuS, similarly acknowledged that the botnet was well-secured against the efforts of law enforcement and security experts. Crawlers were inhibited via various means. Each bot had fifty peers; however, a bot that was requested to provide a list of its peers would only return ten. Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as
5472-433: Was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed. Machines infected with GOZ were integrated into a botnet, a system of several devices that could be controlled remotely through
5548-530: Was leaked, resulting in a proliferation of variants. Graff has suggested the possibility that Bogachev himself was responsible for the leak. The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel. Other names have included peer-to-peer ZeuS, ZeuS3, and GoZeus. The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar". Three previous attempts between 2012 and January 2013 to take down
5624-450: Was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from
5700-459: Was stolen from a single victim. In 2013, GOZ accounted for 38% of thefts pursued in this manner. Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to create a diversion. Stolen money was routed through a large network of money mules before it made it to
5776-645: Was west of them when their shift ended. The final destinations of most money mule transfers were shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the Russia-China border. In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for