(Corrects spelling of Deloitte in paragraph 14, not Deloite)
By Joseph Menn, Jim Finkle and Aruna Viswanatha
WASHINGTON, June 2 - A U.S.-led international
operation disrupted a crime ring that infected hundreds of
thousands of PCs around the globe with malicious software used
for stealing banking credentials and extorting computer owners,
the Justice Department said on Monday.
Authorities in nearly a dozen countries worked with private
security companies to wrest control of the network of infected
machines, known by the name of its master software, Gameover Zeus.
Court documents released on Monday said that between 500,000
and 1 million machines worldwide were infected with the
malicious software, which was derived from the original "Zeus"
trojan for stealing financial passwords that emerged in 2006.
In addition to stealing from the online accounts of
businesses and consumers, the Gameover Zeus crew used the infected
machines to install other malicious programs, including one called
Cryptolocker that encrypted victims' files and demanded payment for
the key to decrypt them. Cryptolocker alone infected more than
234,000 machines and extracted $27 million in ransom payments, the
Justice Department said.
The two programs together brought the gang more than $100
million, prosecutors said in court documents, including $198,000
in an unauthorized wire transfer from an unnamed Pennsylvania
materials company and $750 in ransom from a police department in
Massachusetts that had its investigative files encrypted. Other
victims named in court documents included PNC Bank and Capital One
Bank.
"These schemes were highly sophisticated and immensely
lucrative, and the cyber criminals did not make them easy to
reach or disrupt," Leslie Caldwell, who heads the Justice
Department's criminal division, told a news conference.
The Gameover Zeus "botnet" - short for robot network - is
the largest so far disrupted that relied on a peer-to-peer
architecture, in which the infected machines relay commands and
malware updates to one another rather than fetching them from a
central server, leaving no single point for investigators to seize,
said Dell security researcher Brett Stone-Gross, who assisted the
FBI.
"We took control of the bots, so they would only talk with
our infrastructure," Stone-Gross said.
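What "took control of the bots" means for a peer-to-peer network is peer-list poisoning: the sinkhole operator keeps handing bots the addresses of its own machines until every entry in each bot's peer list belongs to the sinkhole, at which point the bot can no longer reach the gang's infrastructure. The following toy simulation is an added illustration for this article; it is not code from the operation, from Gameover Zeus or from any of the companies named. The peer-list size, the announcement rate, the whole-list gossip rule and the bot and sinkhole names are all constructed assumptions, and the real Gameover Zeus protocol is not modelled.

```python
"""Toy simulation of peer-list poisoning against a peer-to-peer botnet.

Added illustration, not Gameover Zeus code. Assumptions: each bot keeps
PEER_LIST_SIZE peers ordered by freshness, a peer exchange hands over a
node's whole list, and the sinkhole operator can announce itself to a
sample of bots each round (standing in for a crawler that enumerated them).
"""
import random

PEER_LIST_SIZE = 10          # assumed bound on a bot's peer list
SINKHOLE_PREFIX = "sink-"    # constructed ids for sinkhole nodes


def is_sinkhole(peer_id):
    return peer_id.startswith(SINKHOLE_PREFIX)


def merge(peer_list, offered):
    """Update a peer list: offered peers go to the front as most recently
    seen, duplicates are dropped, and the list is cut back to PEER_LIST_SIZE.
    Old entries falling off the end is what the poisoning relies on."""
    merged = []
    for pid in list(offered) + list(peer_list):
        if pid not in merged:
            merged.append(pid)
    return merged[:PEER_LIST_SIZE]


def captured(peer_list):
    """True when a bot knows no peer outside the sinkhole infrastructure."""
    return all(is_sinkhole(p) for p in peer_list)


def build_botnet(n_bots, rng):
    """Constructed botnet: every bot starts with PEER_LIST_SIZE random real peers."""
    ids = [f"bot-{i}" for i in range(n_bots)]
    return {b: rng.sample([p for p in ids if p != b], PEER_LIST_SIZE) for b in ids}


def respond(botnet, sinkholes, queried):
    """Peers returned by the node a bot asked. A real bot hands over its own
    list; a sinkhole node only ever names other sinkhole nodes."""
    if is_sinkhole(queried):
        return list(sinkholes)
    return list(botnet[queried])


def poison(botnet, sinkholes, rng, announce_fraction=0.5, max_rounds=1000):
    """Run the takeover. Each round the operator announces one sinkhole
    address to a sample of bots, then every bot does one ordinary peer
    exchange with a random entry from its list. Returns the round in which
    the last bot was captured, or None if max_rounds was not enough."""
    if len(sinkholes) < PEER_LIST_SIZE:
        # With fewer sinkhole addresses than list slots, real peers would
        # always survive in the list and the bots could never be isolated.
        raise ValueError("need at least PEER_LIST_SIZE sinkhole addresses")
    bots = list(botnet)
    for rnd in range(1, max_rounds + 1):
        for b in rng.sample(bots, int(len(bots) * announce_fraction)):
            botnet[b] = merge(botnet[b], [rng.choice(sinkholes)])
        for b in bots:
            target = rng.choice(botnet[b])
            botnet[b] = merge(botnet[b], respond(botnet, sinkholes, target))
        if all(captured(pl) for pl in botnet.values()):
            return rnd
    return None


def run_takedown(n_bots=100, n_sinkholes=PEER_LIST_SIZE, seed=1):
    """Build a constructed botnet, poison it, and report rounds needed and
    the share of bots that now talk only to the sinkhole."""
    rng = random.Random(seed)
    botnet = build_botnet(n_bots, rng)
    sinkholes = [f"{SINKHOLE_PREFIX}{i}" for i in range(n_sinkholes)]
    rounds = poison(botnet, sinkholes, rng)
    share = sum(captured(pl) for pl in botnet.values()) / n_bots
    return rounds, share


if __name__ == "__main__":
    rounds, share = run_takedown()
    print(f"captured share {share:.0%} after {rounds} rounds")
```

Two properties of the model carry over to real takedowns: a bot whose list is entirely sinkhole addresses can never recover on its own, because every peer it asks for new peers is also the sinkhole; and the operator needs at least as many reachable sinkhole addresses as a bot keeps peers, or real peers keep surviving in the list. The same freshness-first list replacement that lets the sinkhole win also lets the gang win it back if they can reach the bots first, which is why the article's warning that the shutdown may not last is well founded.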
A civil suit in Pennsylvania helped authorities get court
orders to seize parts of the infected network, and on May 7,
Ukrainian authorities seized and copied Gameover Zeus command
servers in Kiev and Donetsk, officials said. U.S. and other
agents worked from early Friday through the weekend to seize
servers around the world, freeing some 300,000 victim computers
from the botnet so far.
A criminal complaint unsealed on Monday in Nebraska, meanwhile,
accused Russian Evgeniy Mikhaylovich Bogachev and others of
participating in the conspiracy.
U.S. officials said Bogachev was last known to be living in
the Black Sea resort town of Anapa. In an FBI affidavit filed in
the Nebraska case, an agent cited online chats in which aliases
associated with Bogachev claimed authorship of the original Zeus
trojan, which has infected more than 13 million computers and is
blamed for hundreds of millions of dollars in losses.
"That's what he claimed. There were probably a number of
people involved," said Dmitri Alperovitch, co-founder of
security firm CrowdStrike, which also worked with the FBI. A
person familiar with the case said that Bogachev's ICQ number, the
numeric account identifier used on the ICQ instant-messaging
service, matched that of the known Zeus author.
Attempts to reach Bogachev were unsuccessful. FBI and
Justice Department officials did not immediately respond to
questions about Bogachev's alleged past role with Zeus, one of
the most pernicious pieces of software ever developed. Zeus's
source code has since leaked publicly, and many variants built on it
are still being used by gangs large and small.
"Zeus is probably the most prolific and effective piece of
malware discovered since 2006," said Lance James, head of
cyber-intelligence at consultancy Deloitte & Touche, which also
Russia does not extradite its own citizens to face charges in other
countries, so Bogachev may never be arrested. He was named as
part of a new policy on aggressively exposing even those the
United States has little hope of catching. The recent crackdown
includes the indictment of five members of China's People's
Liberation Army for alleged economic espionage, which prompted
denials and an angry response from Chinese authorities.
"This is the new normal," Robert Anderson, the top FBI
official in charge of combating cyber crime, said at the news
conference announcing the charges against Bogachev.
When asked whether Russian authorities would turn Bogachev
over to the U.S., Deputy Attorney General James Cole said "as
far as Russia, we are in contact with them and we've been having
discussions with them about moving forward and about trying to
get custody of Mr. Bogachev," but declined to provide further
detail of those talks.
The shutdown of Gameover Zeus may not last. Other botnets
have resurfaced after criminals regained at least partial control
of their networks. Officials at the United Kingdom's National
Crime Agency said in an "urgent warning" that users might have
as little as two weeks, before the gang could rebuild its control,
to remove the malware from their computers. They directed users to
www.getsafeonline.org/nca, which was intermittently available late
Monday.
The U.S. Department of Homeland Security set up a website to
help victims remove the malware, www.us-cert.gov/gameoverzeus.
The European Cybercrime Centre also participated in the
operation, along with Australia, Canada, France, Germany, Italy,
Japan, Luxembourg, New Zealand and Ukraine.
Intel Corp, Microsoft Corp, the security software companies
F-Secure, Symantec Corp and Trend Micro, and Carnegie Mellon
University supported the operation.
(Additional reporting by Julie Edwards and Alina Selyukh;
Editing by Jonathan Oatis and Ken Wills)