How the FBI Took Down the Botnet Designed to Be ‘Impossible’ to Take Down
The feds and their partners share details of the operation that took down GameOver Zeus.
Before its spectacular bust, GameOver Zeus, perhaps the most successful online criminal operation ever, infected hundreds of thousands of people around the world, creating a collection of zombie computers that at one point stretched to more than one million bots.
The operators used the botnet to steal millions of dollars from banks all over the globe. For more than two years, thanks to its innovative, peer-to-peer infrastructure, the FBI and others watched as GameOver Zeus grew, seemingly unstoppable.
GameOver Zeus was designed to be "impossible" to take down, as the main FBI agent assigned to the case put it last week during a talk at the Black Hat security conference in Las Vegas. The botnet was built to be "indestructible," said a researcher who helped with the investigation.
So how did it end up being taken down? Elliot Peterson, the agent who led the FBI's investigation, talked to Motherboard ahead of his presentation in Las Vegas, and shared some of the details that allowed the bureau, along with its private partners, to do what seemed impossible.
Everything started in June 2012, when the FBI's branch in Pittsburgh stumbled upon a case of a small business hit by GameOver Zeus. At that point, the FBI was playing catch-up, and decided to work together with security firms and researchers in a coordinated operation to build a team of around ten technical experts.
At the end of 2012, the group realized that they could do much more than just go after the people behind GameOver Zeus. They realized they could "go after the botnet itself," Peterson said.
But it wasn't easy. It still took them more than a year to put all the pieces in place. As Michael Sandee, a malware expert at Fox-IT, who also worked on the investigation, told me in an email, "having patience was our biggest challenge."
The plan was to quickly and quietly take full control of the botnet, with the goal of cleaning up the infected computers, some of which had their files locked by the ransomware Cryptolocker. The FBI and its partners wanted to avoid tipping off the criminals behind GameOver to the operation because they could destroy evidence as soon as they realized the FBI was trying to take over the botnet. So they had to have all the ducks in a row before the online raid, and move fast once they launched it.
In the months leading to the takeover, the FBI and its allies held weekly conference calls, sharing details and planning the operation. At times, they'd use encrypted emails or encrypted instant messages to keep their plans secure, "but there's always a balance between perfect [operational security] and time," Peterson said.
Eventually, the whole operation was launched on Friday, May 30. The FBI introduced its own peers inside the botnet to "turn the distributed peer-to-peer network back into a centralized one," said Tillmann Werner, a researcher from Crowdstrike, who was also involved in the operation.
To prevent the operators of GameOver Zeus from using the botnet's command and control machines to mitigate this attack, internet service providers gave the investigators control over the proxy nodes used by the criminals to connect the command and control to the botnet. At that point, the bots started connecting to the proxies controlled by the FBI, and it was effectively game over.
"We were able to convince the bots that we were good to talk to, but all of the peers and proxies and supernodes controlled by the bad guys were bad to talk to and should be ignored," Peterson said, adding that they just needed control of fewer than ten nodes in the botnet to pull this off.
The leader of GameOver Zeus, Evgeniy Bogachev (also known as Slavik), found out that the operation was going down within an hour of its launch, and tried to regain control of the botnet for "a tense couple of hours," Peterson said.
"Our team basically fought it out with him online to take control of the botnet," he said.
But eventually, after "four or five" hours, and thanks to all the preparation that went into the operation, Bogachev "didn't have a chance," Peterson said.
The FBI and its allies had full control of the botnet.
Two days later, the FBI announced that it had taken over GameOver Zeus, and put a $3 million prize on the head of Bogachev. When the FBI took it over, the botnet was formed by around 300,000 infected computers, according to Peterson. More than a year later, thanks to the FBI and the security firms who helped clean up victims' computers, removing them from the botnet, there are only around 30,000.
While Bogachev remains at large, the takeover, dubbed "Operation Tovar," was a success.
"We absolutely can disrupt these operations," Peterson said. "But it can only be done in concert with private industry, law enforcement, and international partners all working together at one time."