Security researchers revealed at the Black Hat security conference that a peer-to-peer botnet has infected more than 675,000 systems, including those at 14 of the top-20 Fortune 500 companies.
The botnet, known as Gameover, uses a private version of the Zeus framework, a collection of software components needed to compromise systems and manage the resulting network of computers.
The operation targets the customers of banks in the United States, Europe and Asia, and demonstrates the complexity of such operations, said Brett Stone-Gross, a researcher with managed security services firm Dell Secureworks, who conducted the research.
“There are definitely a number of newer botnets that are using peer-to-peer and moving away from the centralized control model,” Stone-Gross said. “There is really no infrastructure that law enforcement could go and takedown without backtracking through a number of compromised systems. They have hidden their infrastructure really well.”
The researcher has worked on analysing the botnet since April, and the complex operation of the group behind Gameover.
“The Blackhole kit is not dropping the malware itself,” Stone-Gross said. “Instead, it is dropping a downloader known as Pony, which is interesting in that it is not just a loader, but it steals your HTTP, FTP and e-mail credentials.”
Once Pony installs Zeus on the compromised system, the software establishes a communications channel back to the attackers using peer-to-peer networking, which makes the botnet harder to dismantle, because there are no central command-and-control servers for authorities to shut down.
Infected machines contact a hardcoded list of peers to get updates and commands. While some peer-to-peer botnets have been taken down by poisoning the peer list, it’s not an easy attack path, the researcher said. While he has been researching the botnet, Stone-Gross has seen at least two attempts to disrupt the botnet fail.
The researcher identified 678,205 unique bot IDs belonging to computers using 1.6 million unique IP addresses. Only about 15 percent of the botnet could be contacted from the Internet, Stone-Gross said. The others were likely behind firewalls, routers or proxies, he said.
Like other Zeus variants, the Gameover botnet uses Web injects – a technique for injecting elements into a legitimate Website – to gather critical information from a banking customer that could be used to compromise their account. Nearly 22 percent of the infected computers were located in the United States, while Germany accounted for 7 percent and Italy for another 5 percent.
The sophistication of the operation comes from a great deal of experience in mounting Zeus campaigns, says Stone-Gross.
“There have been a bunch of private versions of Zeus and these guys are pretty much the group behind all these private versions,” the researcher says.
Are you a security pro? Try our quiz!
Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…
Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…
Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…
Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…
Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal
Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…