Operation Tovar: Dell SecureWorks Contributes to Efforts Targeting Gameover Zeus and CryptoLockerBy: Jeff Williams
Dell SecureWorks partnered with international law enforcement and industry to take proactive action against the infrastructure of the Gameover Zeus botnet and the CryptoLocker ransomware, as well as the operators responsible for these threats. This action has been named Operation Tovar. Law enforcement organizations including the Federal Bureau of Investigation (FBI), the UK's National Crime Agency, and Europol's European Cybercrime Center (EC3) seized infrastructure assets relating to these threats, while technical measures were enacted to neutralize the command and control (C2) infrastructure.
The Gameover Zeus botnet, also known as Peer-to-Peer (P2P) Zeus, is responsible for tens of millions of dollars in financial fraud and has compromised as many as one million computers. Gameover Zeus is the most recent variant of the Zeus malware, which Dell SecureWorks Counter Threat Unit™ researchers discovered in 2007. After compromising a system, the malware watches for login and banking credentials and transmits them to the botnet operators. The botnet operators then use the information to extract money from the targeted accounts. Gameover Zeus has also been involved in the delivery of other malware families such as CryptoLocker and in distributed denial of service (DDoS) attacks. CryptoLocker encrypts documents on the targeted system's hard drive, and the threat actors attempt to extort money in exchange for the decryption key. More than 200,000 computers have been infected with CryptoLocker.
Previous takedown efforts have targeted earlier versions of Zeus, but the Gameover Zeus variant is more complex and uses a P2P infrastructure for its primary C2 mechanism. Operation Tovar used technical measures to redirect compromised systems to a sinkhole that prevents the operators from maintaining control of the systems.
The next stage of this operation is the remediation of compromised systems. With the key C2 nodes under FBI control, the IP addresses of infected systems checking in with that infrastructure will be shared with Internet service providers (ISPs), computer security incident response teams (CSIRTs), and other response organizations in an attempt to eradicate these infections. Multiple antivirus (AV) vendors have tools to remove these threats. US-CERT has published remediation guidance for users.
Work of this scale is only possible through collaboration. Operation Tovar involved law enforcement organizations around the world, security industry partners, ISPs, US-CERT, and members of the academic communities at Georgia Institute of Technology and Carnegie Mellon University. Dell SecureWorks is privileged to work with other organizations that are committed to improving the safety of the Internet.