
Europol, FBI, NCA and others disrupt the Gameover Zeus botnet — claim a 2 week window for users to get clean

Posted on June 2, 2014.

There’s nothing from the FBI yet (at the time of writing); but that will surely follow. In the meantime Europol has announced,

On Friday, 30 May 2014, law enforcement agencies from across the world, supported by the European Cybercrime Centre (EC3) at Europol, joined forces in a coordinated action led by the FBI which ensured the disruption of the Gameover Zeus [GOZeus] botnet and the seizure of computer servers crucial to the malicious software known as CryptoLocker.

Law enforcement was aided in this operation by leading security firms, including Dell SecureWorks, Microsoft Corporation, McAfee, Symantec, Afilias, Crowdstrike, F-Secure, Level 3 Communications, Neustar, and Shadowserver. Few of these are backwards at coming forwards, so we will undoubtedly get more details in the days to come. For now it seems that the authorities have taken down or over enough GOZeus servers to feel confident that there is at least a temporary disruption to both the theft of financial data through GOZeus and the distribution of the CryptoLocker ransomware trojan.

Both have been highly successful crime tools. Estimates vary, but it is thought that between 500,000 and 1,000,000 computers are already infected with GOZeus. Known losses are estimated by Europol at around €75 million. However, the FBI estimates that $27 million has been extorted by CryptoLocker alone, while the UK’s National Crime Agency (NCA) suggests that GOZeus “has been assessed as being responsible for the fraudulent transfer of hundreds of millions of pounds globally.”

The NCA actually quantifies the disruption: users have a two week window to get clean of GOZeus before it becomes active again.

Action taken by the NCA to combat the threat will give the UK public a unique, two-week opportunity to rid and safeguard themselves from two distinct but associated forms of malware known as GOZeuS and CryptoLocker.

it said in a news announcement today. The NCA is recommending that users update their anti-malware defences to protect against future infections, and scan their computers to get rid of any existing infection. It notes,

Individuals in the UK may receive notifications from their Internet Service Providers that they are a victim of this malware and are advised to back up all important information – such as files, photography and videos. Businesses should also test their incident responses and business resilience protocols and work with their IT departments or suppliers to educate employees on the potential threat.

The NCA suggests a quick visit to getsafeonline/nca, where guidance, advice and a number of cleansing tools are available, might be in order.



The multinational operation is apparently named Operation Tovar and follows the recent multinational operation against the BlackShades malware. The name comes from a McAfee blog that appeared briefly over the weekend and was then quickly removed. McAfee apparently jumped the gun – which will surprise no-one.

In the US, the Tribune Review states

Federal officials from Western Pennsylvania have disrupted worldwide hacking scams that infected hundreds of thousands of personal computers and stole more than $100 million, the Tribune-Review has learned.

It adds,

“A multi-year FBI investigation has revealed that a tightly knit group of cybercriminals based primarily in Russia and Ukraine are responsible for (Gameover Zeus) and Cryptolocker,” FBI agent Elliott Peterson said in a declaration filed with the indictment. “These individuals have deliberately targeted their malicious software at U.S. individuals and companies.”

UPDATE While writing this report, the FBI announcement has arrived.

On June 2, 2014, the Department of Justice and the FBI announced a multinational effort to disrupt the GameOver Zeus botnet, believed to be responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world.

Also announced was the unsealing of criminal charges in Pittsburgh and Omaha against alleged botnet administrator Evgeniy Mikhailovich Bogachev of Anapa, Russian Federation.

The FBI announcement indicates that it has been given court authority “to identify the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams (CERTs) around the world, as well as to Internet service providers and other private sector parties who are able to assist victims in removing GameOver Zeus from their computers.”

This is perhaps one time that an FBI-initiated contact could be very welcome.
