Operation Tovar: What It Was and How A Key Botnet Was Eliminated
How Heimdal Security took part in the global effort against the Gameover Zeus Botnet and CryptoLocker ransomware
Over the past years, organized malware disruptions have grown in speed and prominence as more and more businesses and law enforcement entities have joined forces. Heimdal™ Security has always advocated building strong connections and working together as a community, and over the years we have been involved in global anti-cyberthreat operations such as the No More Ransom initiative and Operation Tovar to dismantle cybercriminal schemes. As some of you might not know what Operation Tovar was, in this article I will shed some light on the topic and recount the story of how we, alongside many private and public organizations, played our role against the Gameover ZeuS botnet and CryptoLocker ransomware.
What is Operation Tovar?
Operation Tovar made headlines when it was first announced on June 2nd, 2014. It was an international partnership between law enforcement agencies, security companies, and academic researchers against the Gameover ZeuS botnet, which was being used in bank fraud and the dissemination of the CryptoLocker ransomware. The FBI reported that Gameover accounted for financial losses of over $100 million and that after the first two months of CryptoLocker’s distribution, more than $27 million in ransom payments were made.
Who participated in Operation Tovar?
In a press release following the takedown, the US Department of Justice listed the participants in Operation Tovar, the multinational action against the Gameover Zeus botnet and CryptoLocker ransomware:
Law enforcement agencies:
- the US-CERT
- Australian Federal Police
- the National Police of the Netherlands National High-Tech Crime Unit
- European Cybercrime Centre (EC3)
- Germany’s Bundeskriminalamt
- France’s Police Judiciaire
- Italy’s Polizia Postale e delle Comunicazioni
- Japan’s National Police Agency
- Luxembourg’s Police Grand Ducale
- New Zealand Police
- the Royal Canadian Mounted Police
- Ukraine’s Ministry of Internal Affairs – Division for Combating Cyber Crime
- the United Kingdom’s National Crime Agency
- the Defense Criminal Investigative Service of the U.S. Department of Defense
Valuable technical assistance was also provided by:
- Dell SecureWorks
- Level 3 Communications
- Anubis Networks
- Heimdal Security
- Trend Micro
- Carnegie Mellon University
- Georgia Institute of Technology (Georgia Tech).
“Gameover Zeus is the most sophisticated botnet the FBI and our allies have ever attempted to disrupt,” said FBI Executive Assistant Director Anderson. “The efforts announced today are a direct result of the effective relationships we have with our partners in the private sector, international law enforcement, and within the U.S. government.”
Who was the target of Operation Tovar?
Evgeniy Mikhailovich Bogachev was the subject of the investigations, being charged by the Department of Justice and wanted by the FBI for his role as the leader of the ZeuS Gameover botnet. Four other suspects were indicted as well. Bogachev (who was using the online nicknames “lucky12345” and “slavik”) is a Russian citizen charged with illegal activities such as bank fraud, money laundering, wire fraud, and conspiracies to violate the Computer Fraud and Abuse Act and the Identity Theft and Assumption Deterrence Act. He was involved in the spread of malicious software known as “Zeus” on the victims’ computers. This type of malware intercepted bank account numbers, passwords, personal identification numbers, and other banking credentials. While Bogachev acted as an administrator, others involved in the scheme distributed spam and phishing emails, which included links to malicious websites. The victims who accessed these URLs were infected with malware that was used by Bogachev and others to extract money from their bank accounts.
How did the takeover take place?
Gameover Zeus, also known as “Peer-to-Peer Zeus,” was a highly sophisticated form of malware created to steal banking and other credentials from its victims. Infected computers also became part of a global botnet, an online tool used by cybercriminals for various malicious purposes. Gameover Zeus first appeared around September 2011 and was the newest version of the Zeus malware, which had been spotted as early as 2007. The decentralized, P2P structure of Gameover Zeus set it apart from earlier ZeuS variants.
Security researchers estimated that GameOver Zeus infected between 500,000 and 1 million computers around the globe, with about 25% of the enslaved computers being located in the US. Capturing banking credentials from infected computers was this botnet’s main purpose. The Gameover Zeus botnet operated on victims’ devices without their knowledge and directed their traffic to receive commands from other computers in the botnet and to provide cybercriminals with leaked banking credentials.
Through Operation Tovar, court orders enabled “the FBI to find the IP addresses of the victim computers reaching out to the substitute servers and to provide that information to Computer Emergency Readiness Teams (CERTs) around the world, as well as to Internet service providers and other private sector parties” who could help victims remove GameOver Zeus from their PCs. Neither the FBI nor other law enforcement agencies accessed the contents of any of the victims’ computers during the investigation. Alongside the Gameover Zeus disruption, the US Justice Department carried out another campaign against the ransomware known as CryptoLocker, which began appearing around September 2013. CryptoLocker used cryptographic key pairs to encrypt its victims’ computer files; the victims were then told to pay a ransom of hundreds of dollars to regain access to their data. Justice Department Assistant Attorney General Leslie Caldwell stated:
“Over the weekend, more than 300,000 victim computers have been freed from the botnet – and we expect that number to increase as computers are powered on and connected to the internet this week. We have already begun providing victim information to private sector parties who are poised to assist them. I am also pleased to report that, by Saturday, Cryptolocker was no longer functioning and its infrastructure had been effectively dismantled. Through these court-authorized operations, we have started to repair the damage the cyber criminals have caused over the past few years, we are helping victims regain control of their own computers, and we are protecting future potential victims from attack.”
The aftermath: What happened after the Gameover Zeus takedown
Great news followed the global takedown of Gameover Zeus and CryptoLocker: the number of new infections became very low, if not close to zero. But we and other security companies warned that attacks could quickly resume once cybercriminals had a chance to refine their attack techniques and evade detection. Heimdal™ Security had long been tracking CryptoLocker infections and, according to our internal data, there were 8,000 new CryptoLocker infections daily at the end of May 2014. At the same time, over 50,000 new endpoints were being infected and added to the Gameover Zeus botnet every day.
However, as of June 2nd, 2014, we were tracking close to zero (or merely a few hundred at the highest level) new infections per day. Heimdal™ Security’s CEO, Morten Kjaersgaard, warned that it was nearly impossible to predict when related attacks might recommence. Attackers would need to follow a different approach if they wanted to avoid having their operations quickly knocked offline again by authorities. This operation proved that public sector institutions and IT professionals were becoming more prepared than ever to take prompt action.
“Nobody knows. The technology now exists in the market and since it is just like the flu, then it’s only a matter of when someone starts spreading it again,” he said. “It will probably be in a slightly different form though.”
Around two months after Operation Tovar ended, our early predictions matched what actually happened. In late August 2014, experts at Heimdal™ Security reported a rise in infections related to Gameover Zeus variants.
“Whether that’s because they’re using the old infrastructure or it’s just a rise in the new variants, we’re not sure,” said Morten Kjaersgaard, who had been closely tracking the success of the Gameover Zeus takedown operation.
However, the good news was that the infection rates were much lower than before the takedown.
“We see this as a move by malware manufacturers, or e-crime organizations so that rather than doing one big piece of malware such as Gameover Zeus, they’re doing several small ones to evade detection,” added Morten Kjaersgaard.
The Domain Generation Algorithm
The previous version of Gameover Zeus used P2P techniques to connect infected PCs to C&C servers, which provided them with instructions and enabled them to intercept data leaks. The new variants, however, employed an elaborate domain generation algorithm (DGA), which the malware used to connect to an ever-changing list of malicious servers. As an evasion method, the new variant dynamically looked up different domain names over time. Prevention tools on the market at that time were ineffective against it, and it could therefore bypass blacklists.
“One of the reasons that it might be changing to DGA is because […] once the peer-to-peer infrastructure was infiltrated by authorities […] it was relatively easy to see who was infected,” Kjaersgaard explained. “So using a DGA is a different mystery to try to unravel; I wouldn’t say it is more difficult, but it is difficult.”
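A defender-side illustration of the DGA behaviour described above, added here and not Heimdal's tooling or code from the original article: a client cycling through generated names produces a burst of failed lookups for random-looking domains, which is visible in resolver logs even when no blacklist knows the names. The log format, thresholds and function names are assumptions made for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <rcode>".
# The random-looking names were typed by hand; they are not real DGA output.
SAMPLE_LOG = """\
1409000001 10.0.0.5 www.example.com NOERROR
1409000002 10.0.0.5 wwww.exmaple.com NXDOMAIN
1409000010 10.0.0.7 qx7v2kd9pz4hw1ru.example NXDOMAIN
1409000011 10.0.0.7 m3zt8yq1bn6fj0ws.example NXDOMAIN
1409000012 10.0.0.7 h5gk9xc2vd7pl4ra.example NXDOMAIN
1409000013 10.0.0.7 u8wn1eb6ys3of7jt.example NXDOMAIN
1409000014 10.0.0.7 c4rp0zk5mh2xq9vd.example NXDOMAIN
1409000015 10.0.0.7 t6yb3nf8gw1kz0sj.example NOERROR
1409000020 10.0.0.9 h5gk9xc2vd7pl4ra.example NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character of the label's character distribution."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(qname, min_len=12, min_entropy=3.5):
    """Heuristic: the label left of the TLD is long and high-entropy.
    Assumption: single-label TLDs; a real deployment needs a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_dga_clients(log_text, min_failed=4):
    """Map each client to its distinct generated-looking NXDOMAIN names,
    keeping only clients with at least min_failed of them."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN" and looks_generated(qname):
            failed[client].add(qname.lower())
    return {c: sorted(names) for c, names in failed.items() if len(names) >= min_failed}

if __name__ == "__main__":
    for client, names in flag_dga_clients(SAMPLE_LOG).items():
        print(client, len(names), "failed lookups for generated-looking names")
```

Only the client with the burst is flagged; the single typo lookup and the single random-looking lookup from the other hosts stay below the threshold.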
Heimdal™ Security has always guarded its users against the most sophisticated contemporary cyber threats and has been a valued source of threat intelligence for organizations around the world. We are a leading cybersecurity provider and have played our part in key global initiatives against cybercrime such as Operation Tovar alongside the FBI or in Europol’s No More Ransom project.
The difference we make is backed up by our unique product offering. Our DarkLayer Guard™ enables you to hunt, prevent, detect and block threats using the most advanced DNS filtering technology that employs a unique Threat to Process Correlation (TTPC) feature, empowering you to identify users and processes at risk and proactively hunt for DNS threats. What’s more, thanks to the VectorN Detection™ feature, you gain HIPS/HIDS and IOAs/IOCs by using Machine Learning algorithms that detect unknown threats that are not picked up by traditional cybersecurity solutions.
Operation Tovar managed to disrupt a global botnet that stole millions of dollars from businesses and consumers and stop a highly elaborate form of ransomware. The operation’s success was the result of the most innovative cybersecurity tools and expertise combined with law enforcement competence. We believe that projects of this magnitude are feasible only through joint efforts. Heimdal™ Security was honored and proud to be one of the key players in Operation Tovar.