A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23024  by wacked2
 Mon Jun 02, 2014 9:12 pm
http://www.justice.gov/opa/documents/dg ... ration.pdf tells how they got him. Atleast partly.
Supposedly monstr was already included in Microsoft Corp. v. John Does 1-39 Civil Case No. 12-01335 - what were the charges/were they the same as now?
Because to me it seems strange that CODING (neither for the original nor GameOver) appears as charge.
 #23028  by EP_X0FF
 Tue Jun 03, 2014 6:07 am
I do not want to defend him or cast doubt on the results of the their investigation but if this guy is not complete idiot to travel anywhere then FBI can go fuck yourself. RF will not extradite this guy, not even if it will be arrested at homeland.
 #23034  by Aysun
 Tue Jun 03, 2014 9:10 pm
One thing I do not understand. If the original Zeus author is responsible for GOZ. How were they stealing from all these banks? I don't see them using any webinjects nor updated the form grabbing modules which only work on older browsers?
 #23041  by tohitsugu
 Wed Jun 04, 2014 5:01 pm
FBI have been looking for severa for years. It will be interesting to see how this plays out - somehow I do not see him being extradited to the USA. I'm sure he's made some friends with some major criminal organizations.
 #23343  by Peter Kleissner
 Fri Jul 11, 2014 9:05 pm
Thought I share my knowledge:

ZeuS Gameover 1 appeared in the wild in September 2011. It already had a DGA and the p2p algorithm. This version was not affected by the takedown by FBI & friends from May 2014. Yesterday it had still 1.169 infections (source: Virus Tracker).

ZeuS Gameover 2 was released in July 2012 after I published here (a few posts up) the DGA - the criminals changed it. In version 2 they also slightly changed some P2P commands and advanced it (secured it against crawling/disruption). It had at peak over 140.000 unique infections per day. The FBI & Europol takedown was about disrupting the P2P botnet (together with vu.nl and other researchers), taking down existing C&Cs and seizing all DGA domains (I have heard until 2017?). The DGA generates 1000 domains per week, all now pointing to a FBI sinkhole. They apparently charged the original ZeuS author (in the legal documents it states "slavik") but who knows whether he is also the ZeuS Gameover author (the source of ZeuS leaked in April 2011).

ZeuS Gameover 3 was released a few days ago, it has no p2p algorithm no more and again, a new DGA. In this new variant we only see 83 infections so far but that is expected to obviously go up.

Here are the global ZeuS Gameover infection statistics over the time from 2012 - 2014 today.
ZeuS Gameover Global Statistics 2012 - 2014 all versions.png
ZeuS Gameover Global Statistics 2012 - 2014 all versions.png (79.73 KiB) Viewed 610 times