The takedown operation against Gameover Zeus will lead to evolved, more dangerous attacks, according to security industry experts.
Law enforcement agencies across the globe, including the UK National Crime Agency (NCA), launched a co-ordinated sting operation that temporarily shut down the Gameover Zeus botnet, which was estimated to have enslaved between 500,000 and one million computers at its peak.
The temporary takedown was designed to give victims a window of opportunity to purge the malware from their systems and separate their machines from the botnet’s command-and-control server. The deadline for system administrators and web users to purge their systems passed earlier this week, with no word from the NCA about whether the operation was a success or failure.
F-Secure security analyst Sean Sullivan told V3 that even if the clean-up figures are positive, the operation could have dire consequences in the near future.
“I’m concerned about what comes next for law enforcement. More operations such as this will escalate the fight – and the author of Gameover Zeus has Cryptolocker that he can use as a weapon,” he said.
“The only reason Gameover Zeus didn’t drop Cryptolocker on all of its victims is because that would kill the botnet – which needs to be sustained to continue with business. But if you disrupt the botnet and take it away why not trigger the payload? I expect future versions of Gameover Zeus to include a ‘dead man’s switch’. Law enforcement is unlikely to get authorisation from a judge if it means that ‘hostages’ are going to be killed.”
Cryptolocker is a dangerous form of ransomware that locks and encrypts data stored on infected machines.
Trend Micro vice president Mark Nunnikhoven added that early analysis shows that, despite the NCA’s efforts, many people are still connected to the Gameover Zeus botnet, making it easy for the hackers to resume their operations or mount follow-up attacks.
“Anytime we can make a dent in criminal operations, I consider a good thing. It would’ve been nice to have completely taken down the whole operation but that just wasn’t possible,” he said.
“But unfortunately it’s not a 100 percent feel-good story. While we’re still gathering data, it’s my fear that the time bought by the operation was squandered by the people it was intended to help. We’ve seen time and time again that most users do not deploy basic security controls or take simple steps to protect themselves.”
Despite the security analysts' concerns, the UK government has cited the recent high-profile Gameover Zeus operation as a victory, and pledged to invest more time and resources to increase law enforcement's anti-hacker abilities.
Speaking at the launch of the IA14 conference, minister for organised crime Karen Bradley said the government aims to develop both regional and nationwide police forces' cyber skills.
"We are changing the way we pursue cyber criminals. Law enforcement needs to have the right skills to respond to the ever-evolving ways in which crime is being committed," she said.
"Through increased investment, new dedicated cyber and fraud units are being developed in our network of Regional Organised Crime Units (ROCUs). And the College of Policing now has a dedicated training programme to drive up cyber skills in local police forces. We will see a significant increase in the numbers of police officers and staff who have been trained by 2015."
Bradley said the government will also work to increase collaboration between UK and international law enforcement when combating cyber crime. She highlighted the NCA's role in the operation against Gameover Zeus as evidence of the need for increased collaboration.
"This NCA alert is part of one of the largest industry and law enforcement collaborations attempted to date. This is a fantastic example of international collaboration to pursue cyber criminals across borders, and to protect the public and private sector from attacks," she said.
Bradley said investment is an essential step in the government's ongoing bid to protect the UK digital economy from cyber attacks, which have the potential to cripple many businesses.
"A large company may be able to absorb a loss of a few thousand pounds from a cyber attack. But for an SME, that could be the difference between folding or surviving. And these businesses will form part of your supply chains, and are an integral part of the industries we all depend on," she said.
Bradley's comments follow widespread calls from the security community for law enforcement to take a more aggressive stance when hunting cyber criminals. Experts from FireEye praised law enforcement for their work to combat the Gameover Zeus malware earlier in June.