Malware Overview - ZeuS
Note: This is a reupload of my writeup of the history of the ZeuS malware from my original website.
INTRODUCTION:
Image Source: https://www.bankinfosecurity.com/zeus-banking-trojan-spawn-alive-kicking-a-10471
When discussing the history of malware, you are more than likely going to hear the same few names over and over again. Conficker, Welchia, ILOVEYOU, Stuxnet, Flame, CryptoLocker, Dridex, and even newer malware like WannaCrypt0r, Emotet, and Maze.
Often left out of that list, yet standing atop the lesser-remembered malware of the last fifteen years in particular, are the ZeuS (or Zbot) Trojan and its successor, the Gameover ZeuS Trojan. This will be a historical summary of the ZeuS and Gameover ZeuS Trojans, beginning with their initial discovery and ending in the current year.
I will be using a variety of sources for my analysis. This is NOT a technical analysis of the malware, simply a historical account. I plan on writing a full technical analysis of the ZeuS and Gameover ZeuS Trojans in the future to complement this historical analysis, so stay tuned.
My reasons for making this my first historical writeup boil down to the fact that ZeuS, specifically Gameover ZeuS, was everywhere in the news when I first started getting into security back in 2014. For that reason, it has always been something that has stuck with me and made me want to write about it.
HISTORICAL SUMMARY:
The ZeuS Trojan was first identified in July 2007 when it was used to infect computers owned by the U.S. Department of Transportation, along with consulting firm Booz Allen, IT company Unisys, Hewlett-Packard, and satellite network provider Hughes Network Systems. According to the initial article published by Reuters in July 2007, only Unisys was able to confidently claim that there was no successful exfiltration of proprietary information. [1]
According to the same article from Reuters, the initial vector of infection appeared to result from “fake job-listings on advertisements” and phishing emails. The article also states that the spread of the infection was deliberate, only targeting a select group of computers in order to maintain its foothold in the network and avoid detection. [1]
According to Securelist, in October of 2007, the number of ZeuS variants began to grow because cyber criminals not associated with the original creator of the Trojan were able to get their hands on the malware’s constructor. Modifications were made to the source code in order to avoid AV signatures, and in May 2009 alone ZeuS reached its peak in terms of the number of variants with 5079. In total since the creation of the original ZeuS Trojan there have been over 40,000 variants detected. According to the same article from Securelist, in 2009 it was reported that there were 3.6 million computers infected with the ZeuS Trojan in the United States alone. [2]
In June 2009, it was reported by TheTechHerald that ZeuS was responsible for amassing a stockpile of over 70,000 FTP credentials. Those credentials included accounts associated with NASA, ABC, Oracle, Cisco, Amazon, Bank of America, Symantec, McAfee, Kaspersky, and others. These were collected as a result of the ZeuS Trojan’s primary function: stealing information stored on the victim’s machine. According to the same article, one method of infection was, of course, phishing. Phishing emails claiming to offer critical updates for Microsoft Outlook pointed the user to a malicious site that prompted the user to download an .exe file, which usually ended up being a variant of the ZeuS Trojan. [3]
Again in 2009, after a large number of dubious electronic payments from various banks around the world, the FBI became involved with the spread of the ZeuS Trojan. The FBI operation, referred to as “Operation Trident Breach”, discovered victims not previously known to anyone, including “Franciscan nuns in Chicago” and various others. [4]
According to an article from KrebsonSecurity from October of 2010, authorities in Ukraine, in cooperation with the FBI, arrested five people believed to be associated with the ZeuS Trojan. The FBI believed the suspects to be the real masterminds behind the creation and distribution of the ZeuS malware. The FBI claimed that 3,500 “money mules” were enlisted by the cyber criminals to forward stolen funds to them back in Ukraine. It was also reported by authorities in the UK that 11 Eastern European men were charged with recruiting and managing money mules in the UK. A few days later, it was announced by authorities in New York that 39 money mules were arrested, and 92 others charged, including “dozens of Russians who allegedly acted as mules while visiting the United States on student visas”. [5]
Image source: https://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/
In a BBC article also from October 2010, it was reported that the FBI claimed that the ZeuS operation was able to successfully steal around 70 million dollars. The FBI also claimed that the attackers attempted to steal over 220 million dollars. However, it is not clear what prevented the attackers from accomplishing this, other than what can be assumed to be a lack of infections, rogue money mules, or accidental spillage. [6]
In late October 2010, an article from Reuters reported that a man claiming to be the original author of the ZeuS Trojan publicly announced his retirement from the world of cybercrime. It appeared that the original author’s method of making money was not to engage in the spread and distribution of the malware himself, but to simply sell the malware to other criminals at various prices and act as technical support when needed. [7]
According to Don Jackson, who was at the time the Director of Threat Intelligence at Dell SecureWorks, the original author of the ZeuS Trojan claimed that he would be handing over the ZeuS source code to the author of the SpyEye Trojan, a newer strain of malware similar to ZeuS. Don Jackson believed the retirement to be a ruse by the author, made in an attempt to avoid further attention from authorities after the arrests made the previous month. [7]
Since 2007, the spread of the ZeuS Trojan’s many variants resulted in botnets comprising thousands of computers. In February 2010, according to an article in PCWorld, the security company NetWitness discovered the “Kneber botnet”, which comprised more than 74000 infected computers. The Kneber botnet was verified to be made up of hosts infected with variants of the ZeuS Trojan. It was reported by NetWitness that the botnet consisted of hosts in 196 countries, with the majority running Windows XP. [8]
Image source: https://www.zdnet.com/article/the-kneber-botnet-faq/
In May 2011, according to a research report from Dell SecureWorks, the source code of the original ZeuS Trojan was publicly leaked, which resulted in the creation of two new strains of Trojans, ICE IX and Citadel. Around the same time, a new botnet spawned, referred to as ‘P2P ZeuS’ or ‘Gameover ZeuS’, so named because a very early version of the malware contained the word “gameover” in the HTTP POST requests to its C2 server. [9]
The newer strains of the Gameover ZeuS botnet replaced its C2 capabilities with something else: as you have probably already guessed, an encrypted peer-to-peer network. This allowed the botnet masters to avoid the problem that comes with managing a botnet that relies on C2 servers, namely potential single points of failure. The P2P system of the Gameover ZeuS botnet allowed it to avoid shutdown by law enforcement for years. The P2P system used a tiered and decentralized configuration with intermediary proxies, which prevented law enforcement from discovering the C2 servers. The Gameover ZeuS Trojan was also fitted with a backup DGA (Domain Generation Algorithm) capability in the event a bot was unable to reach out to another bot on the network. It was reported by Dell SecureWorks that the Trojan was spread using Cutwail, which at the time was a prolific email spam botnet. [9]
In a 2013 article from KrebsonSecurity, it was reported that in 2012, a distributed denial-of-service attack was launched against the regional California financial institution Bank of the West. This was done in order to mask the theft of hundreds of thousands of dollars from corporate financial accounts belonging to Ascent Builders, a construction company in Sacramento, California. Because of the nature of the crime, the criminals behind Gameover ZeuS decided to essentially cut off the victim’s ability to verify it had been robbed. According to Mark Shope, who was the president of Ascent Builders at the time, the company’s controller attempted to access the bank’s portal but was unable to because, unknown to her, her computer was already infected with the Gameover ZeuS Trojan, which was actively preventing her from accessing the site. [10]
At this point, the Gameover ZeuS Trojan was already considered the spiritual successor to the original ZeuS Trojan. Alongside simply attempting to steal financial information from victims, it began distributing the now famous ransomware strain known as CryptoLocker. According to an article from Broadcom in 2014 which describes the use of CryptoLocker by the Gameover ZeuS Trojan, the ransomware was described as “one of the most dangerous variants of the ransomware in circulation, since it employs strong encryption that cannot be broken”. The article also describes the vector of infection, which was generally a simple spam email which enticed the recipient into downloading and opening an attached .zip archive, which if opened, would prompt the user to run an executable disguised as an invoice or report. [11]
In June 2014, it was announced by the U.S. Justice Department in a report that authorities in multiple countries were currently engaged in an attempt to disrupt the botnet, which according to their estimate, numbered anywhere from 500,000 to 1 million computers. An indictment against the botnet’s supposed administrator, Evgeniy Mikhailovich Bogachev, a Russian national, was also announced. [12]
Image source: https://www.cnn.com/2015/02/24/politics/russian-cyber-criminal-reward/
Also included in the announcement from the U.S. Justice Department were the actions taken to disrupt the Gameover ZeuS botnet. From the report, “the United States obtained civil and criminal court orders in federal court in Pittsburgh authorizing measures to redirect the automated requests by victim computers for additional instructions away from the criminal operators to substitute servers established pursuant to court order”. The report also describes actions taken by the FBI to obtain the IP addresses of the infected computers in order to provide them to US-CERT and to the CERTs of other nations to assist victims in the removal of the malware. [12]
Although the U.S. Justice Department, the FBI, and various others were able to wrest away most of the hosts on the Gameover ZeuS P2P network, most researchers did not expect the botnet masters to be gone for long. In an article originally published by Malcovery, now absorbed into Cofense, it was reported that the Gameover ZeuS Trojan had finally mutated. The analysts intercepted spam claiming to have been sent by various financial institutions and other businesses. All the emails included a .zip attachment with a malicious payload that attempted to contact various websites generated by the DGA capability of the malware. [13]
In December 2014, the FBI reported on a strain of the ZeuS Trojan targeting mobile devices, referred to as “ZeuS-in-the-middle”, which targeted Android users with malicious apps and phishing emails. [14]
In February 2015, the FBI and U.S. State Department announced a $3 million reward for information leading to the arrest of Bogachev, the highest ever reward for a cybercriminal at the time. [15] [16]
According to an article from Cybereason in 2015, the FBI, in cooperation with the Supreme Court, was able to issue warrants to every company supervising the primary TLDs that the ZeuS variant’s DGA used. This allowed the FBI to attempt to register the potential domain names in advance in order to prevent further activity from the botnet. However, because one of the TLDs, .ru, is not based in the United States, the FBI was unable to get Russian law enforcement to cooperate in its investigation, which eventually prevented the FBI from being able to register any .ru domains in advance, allowing the criminals to continue their activities. [17]
As of June 2020, the ZeuS malware and its variants have for the most part died out. If you dig deep enough, you might come across a ZeuS infection on a machine running Windows XP, 7, or 8, but for the most part it has been replaced with more advanced banking Trojans like Emotet, developed to target users on newer OSes, mostly Windows 10 & 7. It appears that Operation Tovar, the name given to the FBI’s takedown of the Gameover ZeuS P2P network, was the nail in the coffin for the Gameover ZeuS botnet.
Image source: https://threatpost.com/banking-trojans-top-threat-email/141814/
Other variants of the Gameover ZeuS Trojan appeared later in 2014 and in 2015. However, none were believed to be controlled by Bogachev or the original creators, nor were they ever as successful or as significant as the P2P Gameover ZeuS botnet. Instead, researchers believed the newer strains were distributed and controlled by various other criminal actors that used standard DGA techniques for C2 communication. Sphinx is one such variant that exists today and that is loosely based on the source code of the original Gameover ZeuS Trojan. [18]
CONCLUSION:
The ZeuS and Gameover ZeuS Trojans, along with their countless variants, were among the most prolific strains of malware seen in the last fifteen years. Millions of computers from all over the world were at one point infected with a variant of the malware. Tens of millions of dollars were stolen from various individuals and institutions, with the malware utilizing a myriad of techniques to accomplish its various tasks.
While the continued use of ZeuS variants by cybercriminals in the modern era remains to be seen, what can be clearly seen is the mark that the ZeuS malware has left and continues to leave on the information security field, 13 years after its initial discovery back in 2007.
SOURCES:
[1] https://www.reuters.com/article/us-internet-attack/hackers-steal-u-s-government-corporate-data-from-pcs-idUSN1638118020070717
[2] https://securelist.com/zeus-on-the-hunt/36289/
[3] https://web.archive.org/web/20090903140542/http://www.thetechherald.com/article.php/200927/3960/ZBot-data-dump-discovered-with-over-74-000-FTP-credentials
[4] https://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker
[5] https://krebsonsecurity.com/2010/10/ukraine-detains-5-individuals-tied-to-70-million-in-ebanking-heists/
[6] https://www.bbc.com/news/world-us-canada-11457611
[7] https://www.reuters.com/article/us-hackers-zeus/analysis-top-hacker-retires-experts-brace-for-his-return-idUSTRE69S54Q20101029
[8] https://www.pcworld.com/article/189717/Kneber_Botnet_Attacks_75000_PCs_Worldwide.html
[9] https://www.secureworks.com/research/the-lifecycle-of-peer-to-peer-gameover-zeus
[10] https://krebsonsecurity.com/2013/02/ddos-attack-on-bank-hid-900000-cyberheist/
[11] https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5a0ee571-2b14-4e02-8ff7-2c32e9227669&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
[12] https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
[13] https://cofense.com/breaking-gameover-zeus-mutates-launches-attacks/
[14] https://www.fbi.gov/news/testimony/cyber-security-enhancing-coordination-to-protect-the-financial-sector
[15] https://www.cnn.com/2015/02/24/politics/russian-cyber-criminal-reward/
[16] https://gizmodo.com/the-worlds-most-wanted-hacker-sounds-like-a-goddamn-jam-1793211745
[17] https://www.cybereason.com/blog/the-fbi-vs-gameover-zeus-why-the-dga-based-botnet-wins
[18] https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/