Gameover ZeuS
{{short description|Peer-to-peer botnet}}
{{good article}}
{{Redirect|zeuS|similarly named topics|Zeus (disambiguation)}}
{{Infobox computer virus
| image = File:GameOverZeus FBI graphic (cropped).png
| caption = FBI-produced diagram overviewing GOZ
| common_name =
| technical_name =
| aliases =
| family = Zeus
| classification = Trojan
| type =
| subtype =
| isolation_date =
| origin =
| author = Evgeniy Bogachev
| ports_used =
| OS =
| filesize =
| language =
| discontinuation_date =
}}
GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its use in bank fraud, which caused damages of approximately $100 million, and for being the main vehicle through which the CryptoLocker ransomware attack was conducted, itself resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.
The original GameOver ZeuS was propagated through spam emails containing links to websites that would download the malware onto the victim's computer. The infected computer was then integrated into a botnet, considered to be one of the most sophisticated and secure botnets in the world at the time. The GOZ botnet was particularly notable for its decentralized, peer-to-peer infrastructure, which combined with other security measures such as rootkits made shutting down the botnet extremely difficult. The botnet's activities were additionally directed by an organized crime group headed by Bogachev, which was primarily based in Russia and Eastern Europe. The syndicate further complicated attempts to combat it by law enforcement and security researchers using a large money laundering network and DDoS attacks, used as both retaliation and as a form of distraction during thefts.
In 2014, the original GameOver ZeuS botnet was shut down by a collaboration between several countries' law enforcement and private cybersecurity firms, named Operation Tovar. Bogachev was indicted shortly after and a reward of $3 million was issued for information leading to his arrest, at the time the highest reward for a cybercriminal in history. Less than two months after Operation Tovar was executed, a new strain of GameOver ZeuS was discovered. Named "newGOZ", it lacked peer-to-peer capabilities but otherwise shared ninety percent of its codebase with the original GOZ. The involvement of the original GameOver ZeuS administrators in newGOZ's activity since its creation is disputed.
==Background and early history==
===Zeus===
{{Main|Zeus (malware)}}
Zeus is a family of Trojan horses and related crimeware which first appeared in 2007.{{sfn|Andriesse|Bos|2014|p=1}}{{sfn|Hutchings|Clayton|2017|p=33}} The chief characteristic of Zeus variants is their ability to integrate infected machines into botnets, systems of multiple devices that could be controlled remotely through the malware.{{cite journal|date=January 2015|first1=Kyle|last1=Hannah|first2=Steven|last2=Gianvecchio|volume=30|issue=3|journal=Journal of Computing Sciences in Colleges|pages=110–111|title=Zeuslite: a tool for botnet analysis in the classroom|issn=1937-4771|s2cid=62376600|eissn=1937-4763}}
The creator and main developer of the original Zeus was Evgeniy Bogachev, also known as "lucky12345" and "slavik".{{cite web|archive-url=https://web.archive.org/web/20230527115152/https://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-gang/|url-status=live|archive-date=May 27, 2023|url=https://krebsonsecurity.com/2015/08/inside-the-100m-business-club-crime-gang/|title=Inside the $100M 'Business Club' Crime Gang|website=Krebs on Security|date=August 5, 2014|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=July 8, 2023}}{{cite web|archive-url=https://web.archive.org/web/20230407045518/https://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/|url-status=live|archive-date=April 7, 2023|url=https://krebsonsecurity.com/2015/02/fbi-3m-bounty-for-zeus-trojan-author/|title=FBI: $3M Bounty for ZeuS Trojan Author|website=Krebs on Security|date=February 25, 2015|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=May 5, 2023}} The original version of Zeus was "kit malware"—a prospective cybercriminal would purchase a license to use a copy of Zeus or obtain an inferior, free version.{{harvnb|Peterson|Sandee|Werner|2015|loc=6:14–6:36}}: "Basically, Zeus has existed for nearly a decade, and the first two versions that we distinguish—although the first two versions were basically the same, they're just like an evolution of the previous version—they were sold as kit malware. And 'kit malware' means that you can actually purchase it and set it up on your own servers, and only require, basically, a support package to get the latest updates."{{cite journal|url=https://scholarship.law.tamu.edu/cgi/viewcontent.cgi?article=1095&context=lawreview|date=Spring 2016|first=Miranda|last=Rodriguez|volume=3|issue=3|journal=Texas A&M Law Review|page=669|title=All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware|issn=2572-7044|doi=10.37419/LR.V3.I3.7|s2cid=168624023|oclc=8091322789}} With the license, the purchaser could use Zeus to make their own Trojan, which they could use as they pleased.{{sfn|Hutchings|Clayton|2017|pp=34–35}} In late 2010 Bogachev announced that he was retiring from cybercrime and handing over Zeus's code to a competitor called SpyEye. Security researchers viewed the move with skepticism, as Bogachev had on multiple previous occasions announced his retirement only to return with an improved version of Zeus.{{cite news|last=Bartz|first=Diane|date=October 29, 2010|title=Analysis: Top hacker 'retires'; experts brace for his return|url=https://www.reuters.com/article/idUSTRE69S54Q20101029|url-status=dead|work=Reuters|archive-url=https://web.archive.org/web/20221210000835/https://www.reuters.com/article/idUSTRE69S54Q20101029|archive-date=December 10, 2022|access-date=July 23, 2023}} In fact, Bogachev had not retired, but had transitioned from selling Zeus as kit malware to the general criminal underground to selling access to fully-completed versions of the Trojan to a narrower clientele.{{harvnb|Peterson|Sandee|Werner|2015|loc=6:37–7:01}}: "In 2010, the author of Zeus, nicknamed 'slavik', he basically announced that he would no longer support it and give the support to other people. He said that he would retire, but what had actually happened was that he started a private branch, and not anymore sell it [sic] as kit malware, but only as a kind of managed service variant of Zeus."
This "private" version of Zeus became known as Zeus 2.1, or Jabber Zeus. Jabber Zeus-facilitated crimes were run by an organized crime syndicate, of which Bogachev was a key member, which largely dissolved in 2010 due to police action.{{cite magazine|author-link=Garrett Graff|last=Graff|first=Garrett M.|date=March 21, 2017|title=Inside the Hunt for Russia's Most Notorious Hacker|url=https://www.wired.com/2017/03/russian-hacker-spy-botnet/|url-status=live|magazine=WIRED|archive-url=https://web.archive.org/web/20230423235109/https://www.wired.com/2017/03/russian-hacker-spy-botnet/|archive-date=April 23, 2023|access-date=July 8, 2023}}
===Origins and names===
GameOver ZeuS was created on September 11, 2011, as an update to Zeus 2.1.{{harvnb|Peterson|Sandee|Werner|2015|loc=8:17–8:37}}: "Then, a year later, on September 11, 2011, basically, they upgraded from this 2.1 variant to peer-to-peer ZeuS, which internally is known as Mapp, version number 13. They had a number of earlier versions which were just for development and testing." In May 2011, the source code for Zeus was leaked, resulting in a proliferation of variants.{{cite web |last=Stone-Gross |first=Brett |date=July 23, 2012 |title=The Lifecycle of Peer to Peer (Gameover) ZeuS |url=https://www.secureworks.com/research/the-lifecycle-of-peer-to-peer-gameover-zeus |url-status=live |archive-url=https://web.archive.org/web/20230528103138/https://www.secureworks.com/research/the-lifecycle-of-peer-to-peer-gameover-zeus |archive-date=May 28, 2023 |accessdate=July 16, 2023 |website=Secureworks}}{{sfn|Sandee|2015|p=5}} Security researchers have variously attributed the leak to Bogachev or Aleksandr Panin, the creator of SpyEye.{{cite magazine |last=Zetter |first=Kim |author-link=Kim Zetter |date=January 28, 2014 |title=Coder Behind Notorious Bank-Hacking Tool Pleads Guilty |url=https://www.wired.com/2014/01/spy-eye-author-guilty-plea/ |url-status=live |archive-url=https://web.archive.org/web/20250223065503/https://www.wired.com/2014/01/spy-eye-author-guilty-plea/ |archive-date=February 23, 2025 |access-date=March 17, 2025 |magazine=WIRED}} Cybersecurity advisor Sean Sullivan noted that the leak was convenient for Bogachev, who could refocus on new criminal ventures whilst investigators were distracted by the new Zeus variants.
Researchers became aware of the GameOver ZeuS botnet in 2011. In January 2012, the FBI issued warnings to companies instructing them to look out for GOZ.{{cite news |last=Lawrence |first=Dune |date=June 18, 2015 |title=The Hunt for the Financial Industry's Most-Wanted Hacker |url=https://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker |url-status=live |archive-url=https://web.archive.org/web/20220508112618/https://www.bloomberg.com/news/features/2015-06-18/the-hunt-for-the-financial-industry-s-most-wanted-hacker |archive-date=May 8, 2022 |access-date=March 17, 2025 |work=Bloomberg News}} The name "GameOver ZeuS" was invented by security researchers, and comes from a file named "gameover2.php" used by the C2 channel.{{harvnb|Peterson|Sandee|Werner|2015|loc=7:19–7:27}}: "'GameOver ZeuS,' the name, comes from the command and control channel using 'gameover2.php' when it started." Other names have included peer-to-peer ZeuS, ZeuS3,{{sfn|Sandee|2015|p=2}} and GoZeus.{{cite web |last=Hay |first=Andrew |date=March 5, 2020 |title=Gameover ZeuS Switches From P2P to DGA |url=https://umbrella.cisco.com/blog/gameover-zeus-switches-p2p-dga |url-status=dead |archive-url=https://web.archive.org/web/20230530125943/https://umbrella.cisco.com/blog/gameover-zeus-switches-p2p-dga |archive-date=May 30, 2023 |accessdate=July 8, 2023 |website=Cisco Umbrella}} The malware was known within Bogachev's crime network as Mapp 13, "13" being the version number.
==Criminal activity==
===''Modus operandi'' and management===
GameOver ZeuS was spread using spam emails impersonating various groups such as online retailers, financial institutions, and cell phone companies. The emails would contain a link to a compromised website from which the malware was downloaded. These spam emails were sent via a different botnet, Cutwail, that was frequently rented out by cybercriminals to send spam.
Usage of GameOver ZeuS was managed by Bogachev and a group that referred to itself as the "business club". The business club consisted mostly of criminals who had paid a fee to be able to use GOZ's interface. By 2014 there were around fifty members of the business club, mostly Russians and Ukrainians.{{cite news |last=Korolov |first=Maria |date=August 7, 2015 |title=GameOver ZeuS criminals spied on Turkey, Georgia, Ukraine and OPEC |url=https://www.csoonline.com/article/552385/gameover-zeus-criminals-spied-on-turkey-georgia-ukraine-and-opec.html |url-status=live |archive-url=https://web.archive.org/web/20230716052037/https://www.csoonline.com/article/552385/gameover-zeus-criminals-spied-on-turkey-georgia-ukraine-and-opec.html |archive-date=July 16, 2023 |access-date=July 16, 2023 |work=CSO Online}} The network also employed technical support staff for the malware.{{sfn|Sandee|2015|p=6}} The criminal network's members were spread across Russia, but the core members, such as Bogachev, were mainly based in Krasnodar. Business club members did not exclusively use GOZ and were often members of other malware networks.{{sfn|Sandee|2015|p=9}} Nonetheless, the United States Department of Justice (DOJ) described the group's members as "tightly knit".{{cite journal |last1=Zagaris |first1=Bruce |date=September 2014 |title=Multilateral Action Disrupts 'Gameover Zeus' Botnet and 'Cryptolocker' Ransomware as U.S. Brings Criminal Charges Against Leader |url=https://heinonline.org/HOL/P?h=hein.journals/ielr30&i=369 |journal=International Enforcement Law Reporter |volume=30 |issue=9 |page=360 |issn=1063-083X}} {{Subscription required|via=HeinOnline}}
In addition to the business club, a large number of money mules were recruited to launder stolen funds. Mules, based in the US to avoid suspicion, were recruited through spam emails sent by the GOZ botnet, offering part-time work.{{sfn|Wolff|2018|p=63}} Money mules were not aware that they were handling stolen funds or working for a criminal syndicate.{{sfn|Wolff|2018|p=65}}
The business club controlled all GameOver ZeuS activity from 2011 to 2014. The syndicate primarily used GOZ to engage in bank fraud and extortion; other revenue streams, such as click fraud and renting out the botnet, were also known to exist.
===Bank theft and interface===
GameOver ZeuS was typically used to steal banking credentials, commonly from hospitals. This was primarily done via keystroke logging.{{sfn|Wolff|2018|p=62}} However, the malware was capable of using browser hijacking to bypass two-factor authentication, and its interface had a special "token grabber" panel to facilitate these man-in-the-browser attacks,{{sfn|Sandee|2015|pp=16–17}} titled "World Bank Center" and with the slogan "we are playing with your banks". By presenting the victim with a false version of their bank's login page, a criminal could request whatever code or information was needed to log into the victim's account. Once the victim "logged in" to the false page with this information, they would receive a "please wait" or error screen while the credentials were sent to the criminals. With this information, the malware operators could access the bank account and steal money,{{sfn|Sandee|2015|pp=16–17}} usually hundreds of thousands or millions of dollars. In one instance, $6.9 million was stolen from a single victim.{{cite news|last=Perez|first=Evan|date=June 3, 2014|title=U.S. takes out computer malware that stole millions|url=https://money.cnn.com/2014/06/02/technology/security/gameover-zeus-botnet|url-status=live|work=CNN|archive-url=https://web.archive.org/web/20230603072536/https://money.cnn.com/2014/06/02/technology/security/gameover-zeus-botnet|archive-date=June 3, 2023|access-date=July 21, 2023}} In 2013, GOZ accounted for 38% of thefts pursued in this manner.{{sfn|Etaher|Weir|Alazab|2015|p=1388}}
Beginning in November 2011, the operators of GOZ would conduct DDoS attacks against banking websites if they were stealing a large amount of money, in order to prevent the victim from logging in and to divert the attention of network administrators away from the theft. The DDoS attacks were performed using a commercially-available kit named "Dirt Jumper".{{cite web|archive-url=https://web.archive.org/web/20250118212126/https://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/|url-status=live|archive-date=January 18, 2025|url=https://krebsonsecurity.com/2011/11/ddos-attacks-spell-gameover-for-banks-victims-in-cyber-heists/|title=DDoS Attacks Spell 'Gameover' for Banks, Victims in Cyber Heists|website=Krebs on Security|date=November 30, 2011|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=March 13, 2025}} Stolen money was routed through a large network of money mules before it made it to the criminals, hiding its origin and destination from authorities.{{sfn|Wolff|2018|p=63}} By June 2014, more than $100 million was stolen in the United States alone.{{cite news|archive-url=https://web.archive.org/web/20230716070130/https://www.cnet.com/news/privacy/us-disrupts-100m-gameover-zeus-malware-cybercrime-ring/|archive-date=July 16, 2023|url=https://www.cnet.com/news/privacy/us-disrupts-100m-gameover-zeus-malware-cybercrime-ring/|title=US disrupts $100M GameOver Zeus malware cybercrime ring|website=CNET|url-status=live|date=June 2, 2014|first=Steven|last=Musil|accessdate=July 16, 2023}}{{cite journal|url=https://www.justice.gov/usao/page/file/1135861/dl?inline#page=200|date=February 2019|first1=Scott W.|last1=Brady|first2=Colin J.|last2=Callahan|author1-link = Scott Brady (lawyer)|volume=67|issue=1|journal=Department of Justice Journal of Federal Law and Practice|page=196|title=The Use of Civil Tools in a Cyber Takedown: Sinkholes, Seizures, and More|issn=1943-9008}}
The siphoning of money followed the day-night line, beginning in Australia and ending in the United States. Criminals involved in money movement worked nine-to-five shifts from Monday to Friday, handing over responsibilities to whatever team was west of them when their shift ended. The final destination of most money mule transfers was shell companies based in Raohe County and the city of Suifenhe, two regions in China's Heilongjiang province on the China–Russia border.{{sfn|Sandee|2015|pp=18–20}}
The interface controlling the botnet could be used to read data logged by the bots and execute commands.{{sfn|Sandee|2015|p=15}} In addition to the token grabber panel, another panel existed to facilitate the siphoning of money from bank accounts, allowing the user to select a "destination account" that money would be indirectly sent to.{{sfn|Sandee|2015|p=17}} Botnet managers were also allowed to load their own scripts to use against infected systems, with the caveat that they could not attack Russian computers.{{sfn|Sandee|2015|p=7}}
===CryptoLocker===
{{Main|CryptoLocker}}
In 2013, the business club began to use GameOver ZeuS to distribute CryptoLocker, a piece of ransomware that encrypted the contents of victim computers and demanded payment in prepaid cash vouchers or bitcoin in exchange for a decryption key.{{sfn|Wolff|2018|p=63}} Josephine Wolff, assistant professor of cybersecurity policy at Tufts University,{{cite news|last=Wolff|first=Josephine|date=January 27, 2019|title=Two-Factor Authentication Might Not Keep You Safe|url=https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html|url-status=live|work=The New York Times|archive-url=https://web.archive.org/web/20230627160531/https://www.nytimes.com/2019/01/27/opinion/2fa-cyberattacks-security.html|archive-date=June 27, 2023|access-date=July 23, 2023}} has speculated that there were two motivations behind the pivot to ransomware. Firstly, ransomware was a more secure means of making money from GOZ than bank theft, as ransomware could take money from victims for less work on the criminals' end, and the anonymous payment methods did not need to be laundered through money mules,{{sfn|Wolff|2018|p=63}} whose loyalties were in question because they did not know they were working for criminals. Secondly, ransomware took advantage of the criminals' access to data on infected computers that was significant to victims but of no immediate value to criminals, such as photographs and emails.{{sfn|Wolff|2018|pp=69–70}} Journalist Garrett Graff has also suggested that ransomware served to "transform dead weight into profit" by extracting money from victims whose bank balances were too small to warrant directly stealing from.
Between 200,000 and 250,000 computers were attacked by CryptoLocker beginning in 2013.{{cite journal|url=https://scholarlycommons.law.case.edu/cgi/viewcontent.cgi?article=1162&context=jolti|date=2024|first1=David Garrison|last1=Golubock|volume=15|issue=2|journal=Case Western Reserve Journal of Law, Technology and the Internet|page=326|title=Remote Workers, Ever-Present Risk: Employer Liability for Data Breaches in the Era of Hybrid Workplaces|issn=1949-6451}} The amount of money Bogachev and associates made from CryptoLocker is unclear; Wolff claimed that in a one-month period from October to December 2013 alone, $27 million was stolen.{{sfn|Wolff|2018|p=64}} However, Michael Sandee, one of the researchers who helped take down the original GameOver ZeuS botnet, has given a much lower estimate of $3 million for the entire duration of CryptoLocker's activity.{{sfn|Sandee|2015|p=3}} Wolff has argued that GameOver ZeuS's legacy lies not in its innovative P2P botnet structure, but in the precedent it set in CryptoLocker for future ransomware attacks.{{sfn|Wolff|2018|p=68}}
===Espionage===
Analysis of the botnet has uncovered attempts to search for secret and sensitive information on compromised computers, particularly in Georgia, Turkey, Ukraine,{{sfn|Sandee|2015|p=21}} and the United States, leading experts to believe that GameOver ZeuS was also used for espionage on behalf of the Russian government.{{cite news|last1=Schwirtz|first1=Michael|last2=Goldstein|first2=Joseph|date=March 12, 2017|title=Russian Espionage Piggybacks on a Cybercriminal's Hacking|url=https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html?smid=tw-nytimes&smtyp=cur&mtrref=undefined&_r=3|url-status=live|work=The New York Times|archive-url=https://web.archive.org/web/20230525101311/https://www.nytimes.com/2017/03/12/world/europe/russia-hacker-evgeniy-bogachev.html|archive-date=May 25, 2023|access-date=July 17, 2023}} The botnet in Ukraine only began to conduct such searches after the country's pro-Russian government collapsed amidst a revolution in 2014.{{cite news|last=Stevenson|first=Alastair|date=August 6, 2015|title=The Russian government may be protecting the creator of the world's most infamous malware|url=https://www.businessinsider.com/gameover-zeus-alleged-author-may-be-getting-help-from-the-russian-government-2015-8|url-status=live|work=Business Insider|archive-url=https://web.archive.org/web/20230423135551/https://www.businessinsider.com/gameover-zeus-alleged-author-may-be-getting-help-from-the-russian-government-2015-8|archive-date=April 23, 2023|access-date=July 16, 2023}} OPEC member states were also targeted. 
Searches were tailored to the targeted country: searches in Georgia sought information on specific government officials, searches in Turkey looked for information regarding Syria, searches in Ukraine used generic keywords such as "federal security service" and "security agent",{{cite news|last=Brewster|first=Thomas|date=August 5, 2015|title=FBI 'Most Wanted' Cybercrime Kingpin Linked To Russian Espionage On US Government|url=https://www.forbes.com/sites/thomasbrewster/2015/08/05/gameover-zeus-surveillance-links|url-status=live|work=Forbes|archive-url=https://web.archive.org/web/20230508224310/https://www.forbes.com/sites/thomasbrewster/2015/08/05/gameover-zeus-surveillance-links/|archive-date=May 8, 2023|access-date=July 16, 2023}} and searches in the US looked for documents containing phrases such as "top secret" and "Department of Defense". Botnets used for espionage were run separately from those used for financial crime.
It is unclear who specifically was responsible for the espionage operations; while security researcher Tillman Werner, who helped to take down the original GOZ botnet, has suggested the possibility of a partner or client being involved, Sandee has claimed that Bogachev was primarily or solely responsible, arguing that he had sole access to the malware's surveillance protocols and that because his circle of criminal associates included Ukrainians, he would have to keep the espionage secret. Sandee has speculated that the botnet's usage for espionage afforded Bogachev "a level of protection" that can explain why he has yet to be apprehended,{{sfn|Sandee|2015|p=23}} despite living openly and under his own name in Russia.
==Technical features==
===Botnet structure===
File:GOZ structure diagram.svg
Botnet-building capabilities were common to all Zeus variants; however, iterations of the malware prior to GameOver ZeuS created centralized botnets, wherein all infected devices were connected directly to a command-and-control (C2) server.{{sfn|Etaher|Weir|Alazab|2015|p=1386}} GOZ distinguished itself from these prior instances by utilizing a decentralized, peer-to-peer (P2P) infrastructure,{{sfn|Etaher|Weir|Alazab|2015|p=1386}} in which infected computers mostly communicated with each other rather than a C2 server.{{cite book |last1=Wang |first1=Ping |title=Handbook of Information and Communication Security |last2=Aslam |first2=Baber |last3=Zou |first3=Cliff C. |date=2010 |publisher=Springer |isbn=978-3-642-04116-7 |editor-last1=Stamp |editor-first1=Mark |location=Berlin |page=336 |chapter=Peer-to-Peer Botnets |doi=10.1007/978-1-84882-684-7 |lccn=2009943513 |oclc=801355975 |ol=16668075W |editor-last2=Stavroulakis |editor-first2=Peter |s2cid=2448689}} At the peak of GOZ activity from 2012 to 2013, the botnet comprised between 500,000 and one million compromised computers.{{sfn|Wolff|2018|p=59}}
The botnet was organized into three layers. The lowest layer was made up of the infected machines, some of which were manually designated "proxy bots" by the criminal group. Proxy bots acted as intermediaries between the bottom layer and a second proxy layer composed of dedicated servers owned by the group. The second layer served to create distance between the infected machines and the highest layer, from which commands were issued and to which data from the infected machines was sent.{{sfn|Andriesse|Rossow|Stone-Gross|Plohmann|2013|p=117}} This infrastructure made tracing the botnet's C2 servers more difficult, as the botnet herders were only ever directly communicating with a small subset of infected computers at a time.{{sfn|Wolff|2018|p=61}} Although the botnet as a whole was structured like this, the network was partitioned into several "sub-botnets", each run by a different botmaster.{{sfn|Andriesse|Rossow|Stone-Gross|Plohmann|2013|p=116}} Up to 27 of these sub-botnets existed, but not all were actively used, with some existing for debugging purposes.{{sfn|Sandee|2015|p=6}}
===Security===
GOZ contained several security features designed to prevent full analysis of the botnet—particularly by restricting the activities of crawlers and sensors{{efn|In the context of P2P botnet monitoring, a crawler is a program that, using the botnet's communication protocol, requests a given bot's peers, then requests a list of peers from each bot in the original bot's list of peers, and so on until the whole botnet is mapped.{{sfn|Karuppayah|2018|p=4}} A sensor infiltrates the peer list of several bots and logs attempts to contact it from the bots in the network.{{sfn|Karuppayah|2018|p=15}}}}—as well as to prevent shutdown attempts. Many of these features were implemented to counter attack methods commonly used against prior iterations of Zeus,{{cite conference |last1=Rossow |first1=Christian |last2=Andriesse |first2=Dennis |last3=Werner |first3=Tillmann |last4=Stone-Gross |first4=Brett |last5=Plohmann |first5=Daniel |last6=Dietrich |first6=Christian C. |date=May 19–22, 2013 |title=SoK: P2PWNED — Modeling and Evaluating the Resilience of Peer-to-Peer Botnets |url=https://www.syssec-project.eu/m/page-media/3/rossow-sp13.pdf |conference=IEEE Symposium on Security and Privacy |location=Berkeley, CA |publisher=IEEE |page=100 |doi=10.1109/SP.2013.17 |isbn=978-1-4673-6166-8 |issn=1081-6011 |oclc=5873591062 |book-title=2013 IEEE Symposium on Security and Privacy |s2cid=7771252}} and GameOver ZeuS was noted by security researchers Dennis Andriesse and Herbert Bos as a "significant evolution" and more resilient than its predecessors.{{sfn|Andriesse|Bos|2014|p=9}} The effectiveness of these mechanisms led GOZ to be considered a sophisticated botnet,{{sfn|Karuppayah|2018|p=44}} with US Deputy Attorney General James M. Cole calling it “the most sophisticated and damaging botnet we have ever encountered”.{{cite web |last=Silver |first=Joe |date=June 2, 2014 |title=Governments disrupt botnet 'Gameover ZeuS' and ransomware 'Cryptolocker' |url=https://arstechnica.com/tech-policy/2014/06/governments-disrupt-botnet-gameover-zeus-and-ransomware-cryptolocker/ |url-status=live |archive-url=https://web.archive.org/web/20230605203356/https://arstechnica.com/tech-policy/2014/06/governments-disrupt-botnet-gameover-zeus-and-ransomware-cryptolocker/ |archive-date=June 5, 2023 |accessdate=July 21, 2023 |website=Ars Technica}} Cybersecurity researcher Brett Stone-Gross, who was brought on by the Federal Bureau of Investigation (FBI) to analyze GameOver ZeuS, similarly acknowledged that the botnet was well-secured against the efforts of law enforcement and security experts.{{cite news |last=Stahl |first=Lesley |author-link=Lesley Stahl |date=April 21, 2019 |title=The growing partnership between Russia's government and cybercriminals |url=https://www.cbsnews.com/news/evgeniy-mikhailovich-bogachev-the-growing-partnership-between-russia-government-and-cybercriminals-60-minutes/ |url-status=live |archive-url=https://web.archive.org/web/20230118210508/https://www.cbsnews.com/news/evgeniy-mikhailovich-bogachev-the-growing-partnership-between-russia-government-and-cybercriminals-60-minutes/ |archive-date=January 18, 2023 |access-date=May 7, 2023 |work=CBS News}}
Crawlers were inhibited via various means. Each bot had fifty peers;{{sfn|Karuppayah|2018|p=40}} however, a bot that was requested to provide a list of its peers would only return ten.{{sfn|Karuppayah|2018|p=20}} Additionally, requesting peer lists was rate-limited such that rapid requests from an IP address would result in that address being flagged as a crawler and automatic blacklisting,{{sfn|Karuppayah|2018|pp=22–23}} halting all communications between the flagged IP and the flagging bot. Each bot also had a pre-existing list of blacklisted addresses known to be controlled by security organizations.{{sfn|Karuppayah|2018|p=31}}
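The peer-list limits and rate-limiting described above can be reproduced in a small simulation. The following Python is an added example written for this article, not GOZ code and not code from the cited researchers; the fifty-peer list and ten-peer reply come from the text, while the rate-limit threshold (five requests per sixty simulated seconds), the crawler IPs and the peer addresses are constructed assumptions. It shows why a monitoring crawler that ignores the limit is cut off after a handful of requests, while one that paces itself still needs many requests to learn a single bot's full peer list.

```python
"""Simulation of the anti-crawler rules described in the text: a bot keeps
PEER_LIST_SIZE peers but answers a peer request with only PEERS_RETURNED of
them, and rapid requests from one IP get that IP blacklisted. The rate-limit
threshold and window are assumptions; the page gives no figures for them."""
import random
from collections import defaultdict

PEER_LIST_SIZE = 50   # from the text: each bot held fifty peers
PEERS_RETURNED = 10   # from the text: a peer-list request returned only ten
RATE_LIMIT = 5        # assumption: requests per IP per window before blacklisting
WINDOW = 60.0         # assumption: rate-limit window in simulated seconds


class SimulatedBot:
    """Model of one bot's peer-list handling (hypothetical, not GOZ code)."""

    def __init__(self, peers, rng):
        self.peers = list(peers)
        self.rng = rng
        self.blacklist = set()
        self.requests = defaultdict(list)   # requester IP -> recent timestamps

    def get_peers(self, requester_ip, now):
        """Return a random subset of peers, or None if the requester is blocked."""
        if requester_ip in self.blacklist:
            return None
        recent = [t for t in self.requests[requester_ip] if now - t < WINDOW]
        recent.append(now)
        self.requests[requester_ip] = recent
        if len(recent) > RATE_LIMIT:
            # Too many requests inside the window: treat the IP as a crawler
            # and stop talking to it for good.
            self.blacklist.add(requester_ip)
            return None
        return self.rng.sample(self.peers, PEERS_RETURNED)


def make_bot(seed=0):
    """Bot with a constructed peer list and a seeded RNG, for repeatable runs."""
    peers = [f"10.0.0.{i}" for i in range(PEER_LIST_SIZE)]   # constructed sample peers
    return SimulatedBot(peers, random.Random(seed))


def crawl_bot(bot, crawler_ip, interval, max_requests=10_000):
    """Ask one bot for peers every `interval` simulated seconds until its whole
    peer list is known. Returns (peers_seen, requests_made, was_blacklisted)."""
    seen = set()
    now = 0.0
    for n in range(1, max_requests + 1):
        reply = bot.get_peers(crawler_ip, now)
        if reply is None:
            return seen, n, True
        seen.update(reply)
        if len(seen) == len(bot.peers):
            return seen, n, False
        now += interval
    return seen, max_requests, False


def polite_interval():
    """Slowest pace that stays within the simulated bot's rate limit."""
    return WINDOW / RATE_LIMIT


if __name__ == "__main__":
    fast = crawl_bot(make_bot(7), "198.51.100.5", interval=1.0)
    print("aggressive crawler: blacklisted after", fast[1],
          "requests, saw", len(fast[0]), "of", PEER_LIST_SIZE, "peers")
    slow = crawl_bot(make_bot(7), "198.51.100.6", interval=polite_interval())
    print("polite crawler: full list after", slow[1],
          "requests, blacklisted:", slow[2])
```

The polite crawler eventually recovers all fifty peers only because each reply is a fresh random sample; mapping a botnet of hundreds of thousands of bots at that pace is the measurement problem the text's crawler countermeasures were designed to create.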
Sensors were inhibited via an IP filtering mechanism that prevented multiple sensors from sharing one IP address. The effect of this was to prevent individuals or groups with one IP address from carrying out sinkholing attacks on the botnet.{{efn|Sinkholing is a technique used to take down botnets in which a special sensor is deployed within the botnet. The sensor, also known as a sinkhole, cuts off contact between bots and their controllers.{{sfn|Karuppayah|2018|p=79}}}}{{sfn|Karuppayah|2018|p=21}} GOZ's botmasters were known to have carried out DDoS attacks in response to sinkholing attempts.{{sfn|Karuppayah|2018|p=23}}
In the event a GOZ bot was unable to contact any peers, it would use a domain generation algorithm (DGA) to re-establish contact with the C2 servers and obtain a new list of peers.{{sfn|Andriesse|Rossow|Stone-Gross|Plohmann|2013|p=118}} The DGA generated one thousand domains every week and each bot would attempt to contact every domain; this meant that if the botnet's current C2 servers were in danger of being shut down, the botmasters could set up a new server using a domain in the generated list and re-establish control over the network.{{sfn|Wolff|2018|p=61}} The servers themselves were provided by a bulletproof hosting service, and were difficult to take down because the servers did not have actual IP addresses; traffic was routed from virtual IP addresses that did not correspond to any device. Taking down the addresses, therefore, would not affect the servers.{{harvnb|Peterson|Sandee|Werner|2015|loc=13:02–13:49}}: "Looking at, for example, the technical part, the hosting: so where did they get servers? This has changed over time, but especially in the last period, the last few years, they had access to a bulletproof hosting provider who had a very good system of having servers without an actual IP address, just a netblock, and then had virtual IPs from completely different ISPs and routed that through tunnels to those servers. So in case anyone would take down the 'virtual IP addresses', it would just not route anymore, but the actual servers where the data was were safe."
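The defensive counterpart of a DGA is that anyone who reverse-engineers the algorithm can predict the same domains and sinkhole or blocklist them before the botmasters register them. The following Python is an added example, not GOZ's actual DGA and not code from the cited sources: it uses a hypothetical hash-based generator seeded by ISO week, takes only the figure of one thousand domains per week from the text, and matches constructed DNS log lines against the week's predicted set. The TLD pool, label length, seed format and log format are all constructed assumptions.

```python
"""Defender-side use of a domain generation algorithm: precompute the current
week's domains and flag DNS queries that hit them. The generator is a
hypothetical example, not the real GOZ DGA."""
import datetime as dt
import hashlib

DOMAINS_PER_WEEK = 1000                 # from the text: one thousand domains per week
TLDS = ["com", "net", "org", "biz"]     # assumption: example TLD pool
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LABEL_LEN = 12                          # assumption: length of the generated label


def week_seed(day_iso):
    """Seed shared by every bot during one ISO week (assumption: weekly seed)."""
    year, week, _ = dt.date.fromisoformat(day_iso).isocalendar()
    return f"{year}-W{week:02d}"


def generate_domains(day_iso):
    """All domains a bot would try during the ISO week containing `day_iso`.
    Deterministic, so a defender with the algorithm gets the same list."""
    seed = week_seed(day_iso)
    out = []
    for i in range(DOMAINS_PER_WEEK):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).digest()
        label = "".join(ALPHABET[b % 26] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def flag_dga_queries(log_lines, day_iso):
    """Return (client, domain) pairs from DNS log lines that match this week's
    predicted domains. Lines are assumed to look like 'client query domain.'."""
    expected = set(generate_domains(day_iso))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[1] != "query":
            continue
        client, domain = parts[0], parts[2].rstrip(".").lower()
        if domain in expected:
            hits.append((client, domain))
    return hits


if __name__ == "__main__":
    day = "2014-06-02"                      # constructed date
    this_week = generate_domains(day)
    # Constructed sample DNS log: a benign lookup and a lookup of a predicted domain.
    sample_log = [
        "192.0.2.10 query www.example.com.",
        f"192.0.2.11 query {this_week[3]}.",
    ]
    for client, domain in flag_dga_queries(sample_log, day):
        print(f"{client} queried predicted DGA domain {domain}")
```

Because `generate_domains` is a pure function of the date, a defender can precompute next week's thousand names for registration or sinkholing, and a resolver log scan reduces to a set lookup per query.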
Communications between bots were encrypted. The algorithm used for this changed over time: prior to June 2013, GOZ used a XOR cipher, but new bots after June 2013 used RC4, which made infiltrating the botnet more difficult. Additionally, important communications coming from the botnet's managers were signed using RSA.{{sfn|Andriesse|Bos|2014|p=4}}
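The following Python is an added illustration of why the two measures complement each other; it is not GameOver ZeuS's own code and the message layout, the truncated-hash signing scheme and the toy key are assumptions made for the example. RC4 keeps traffic unreadable to anyone without the peer key, but RC4 is a stream cipher, so anyone who has extracted the key from a bot (or who simply flips ciphertext bits) could alter messages; attaching an RSA signature that only the botmaster's private key can produce is what stops an infiltrator from injecting commands. The 92-bit Mersenne-prime modulus is chosen so the block runs without a library and is not secure.

```python
"""Illustrative bot-to-bot message protection: RC4 for confidentiality plus an
RSA signature so that only the holder of the botmaster's private key can issue
commands. Added example, not GameOver ZeuS's own implementation; the message
layout, the truncated-hash signing and the toy key are assumptions."""
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` with RC4 under `key` (the operation is symmetric)."""
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each data byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy RSA key (assumption: 92-bit modulus from two Mersenne primes; NOT secure).
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; only the botmaster holds this
SIG_LEN = 12                        # signatures are < N < 2**96, so 12 bytes suffice


def _digest(msg: bytes) -> int:
    # SHA-256 truncated to 88 bits so the value is below the toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest()[:11], "big")


def sign(msg: bytes, d: int = D) -> int:
    return pow(_digest(msg), d, N)


def verify(msg: bytes, sig: int, e: int = E) -> bool:
    return 0 <= sig < N and pow(sig, e, N) == _digest(msg)


def build_update(session_key: bytes, command: bytes, d: int = D) -> bytes:
    """Botmaster side: sign the command, prepend the signature, then RC4-encrypt."""
    sig = sign(command, d).to_bytes(SIG_LEN, "big")
    return rc4(session_key, sig + command)


def accept_update(session_key: bytes, blob: bytes):
    """Bot side: decrypt, split, and act only on commands whose signature verifies.
    Returns the command, or None if the message is malformed, was produced under
    another key, or was not signed with the botmaster's private key."""
    plain = rc4(session_key, blob)
    if len(plain) <= SIG_LEN:
        return None
    sig = int.from_bytes(plain[:SIG_LEN], "big")
    command = plain[SIG_LEN:]
    return command if verify(command, sig) else None


if __name__ == "__main__":
    key = b"constructed-peer-key"          # constructed RC4 key shared by the peers
    genuine = build_update(key, b"update config v3")
    print("genuine command accepted:", accept_update(key, genuine))
    # A researcher who extracted the RC4 key but not D cannot forge a command:
    # signing with any other exponent fails verification.
    forged = build_update(key, b"update config v4", d=12345)
    print("forged command accepted:", accept_update(key, forged))
    # Flipping one ciphertext byte (RC4 is malleable) also breaks the signature.
    tampered = genuine[:-1] + bytes([genuine[-1] ^ 0x01])
    print("tampered command accepted:", accept_update(key, tampered))
```

Encryption alone would stop none of the three failure cases in the `__main__` block; the signature check is what rejects them, which is why recovering the RC4 key from a sample was enough to crawl the network but not to take control of it.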
A special "debug build" of the malware existed that produced detailed logs of network activity; it allowed the operators to observe security researchers' activities against the botnet and develop responses to them.{{sfn|Sandee|2015|p=9}} The malware was also difficult to remove because it contained a rootkit.{{sfn|Etaher|Weir|Alazab|2015|p=1387}} The rootkit was not written for GOZ but borrowed from Necurs, a separate malware family.{{cite web |last=Zorabedian |first=John |date=March 4, 2014 |title=SophosLabs: Gameover banking malware now has a rootkit for better concealment |url=https://news.sophos.com/en-us/2014/03/04/sophoslabs-gameover-banking-malware-now-has-a-rootkit-for-better-concealment/ |url-status=live |archive-url=https://web.archive.org/web/20230529061217/https://news.sophos.com/en-us/2014/03/04/sophoslabs-gameover-banking-malware-now-has-a-rootkit-for-better-concealment/ |archive-date=May 29, 2023 |accessdate=July 20, 2023 |website=Sophos News}}
Investigations, takedown, and re-emergence
=Operation b71=
On March 25, 2012, Microsoft announced that GameOver ZeuS had been "disrupted in an unprecedented, proactive cross-industry operation" codenamed "Operation b71".{{cite web|archive-url=https://web.archive.org/web/20241012061146/https://blogs.microsoft.com/blog/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets/|url-status=live|archive-date=October 12, 2024|url=https://blogs.microsoft.com/blog/2012/03/25/microsoft-and-financial-services-industry-leaders-target-cybercriminal-operations-from-zeus-botnets/|title=Microsoft and Financial Services Industry Leaders Target Cybercriminal Operations from Zeus Botnets|website=Microsoft Official Blog|date=March 25, 2012|first=Richard Domingues|last=Boscovich|accessdate=March 19, 2025}}{{cite news|last=Lardner|first=Richard|date=May 1, 2012|title=Microsoft says raid damaged 'Zeus' cybercrime operation|url=https://www.masslive.com/business-news/2012/04/microsoft_says_raid_damaged_zeus_cybercr.html|url-status=live|work=MassLive|archive-url=https://web.archive.org/web/20250319230551/https://www.masslive.com/business-news/2012/04/microsoft_says_raid_damaged_zeus_cybercr.html|archive-date=March 19, 2025|access-date=March 19, 2025}} The operation was widely criticized by computer security experts for violating data privacy norms, inadvertently taking down legitimate domains,{{cite web|archive-url=https://web.archive.org/web/20250123050321/https://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/|url-status=live|archive-date=January 23, 2025|url=https://krebsonsecurity.com/2012/04/microsoft-responds-to-critics-over-botnet-bruhaha/|title=Microsoft Responds to Critics Over Botnet Bruhaha|website=Krebs on Security|date=April 16, 2012|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=March 19, 2025}} and interfering with criminal investigations into the botnet's creators and managers,{{cite book|editor-last1=Kremer|editor-first1=Jan-Frederik|editor-last2=Müller|editor-first2=Benedikt|date=2014|chapter=Hierarchies in Networks: Emerging Hybrids of Networks and Hierarchies for Producing Internet Security|last=Schmidt|first=Andreas|title=Cyberspace and International Relations: Theory, Prospects, and Challenges|location=Berlin|publisher=Springer|page=192|isbn=978-3-642-37480-7|doi=10.1007/978-3-642-37481-4|oclc=863229878|lccn=2013950724|s2cid=142926984|ol=34375959M}} including a blog post from Sandee characterizing the operation as "irresponsible" and "a major setback".{{cite web|archive-url=https://web.archive.org/web/20231210235620/https://blog.fox-it.com/2012/04/12/critical-analysis-of-microsoft-operation-b71/|url-status=live|archive-date=December 10, 2023|url=https://blog.fox-it.com/2012/04/12/critical-analysis-of-microsoft-operation-b71/|title=Critical analysis of Microsoft Operation B71|website=Fox-IT|date=April 12, 2012|first=Michael|last=Sandee|accessdate=March 19, 2025}} Operation b71 ultimately failed to shut down GameOver ZeuS due to its peer-to-peer architecture. Two other attempts by security researchers between 2012 and January 2013 to take down the botnet were also unsuccessful.
=Operation Tovar=
{{Main|Operation Tovar}}
The original GameOver ZeuS botnet was taken down by an international law enforcement effort codenamed "Operation Tovar", helmed by the FBI and also involving around 20 companies and private institutions,{{cite web|archive-url=https://web.archive.org/web/20230604191706/https://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/|url-status=live|archive-date=June 4, 2023|url=https://krebsonsecurity.com/2014/06/operation-tovar-targets-gameover-zeus-botnet-cryptolocker-scourge/|title='Operation Tovar' Targets 'Gameover' ZeuS Botnet, CryptoLocker Scourge|website=Krebs on Security|date=June 2, 2014|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=July 21, 2023}} including CrowdStrike, McAfee, and Carnegie Mellon University.{{cite news|last1=Wilber|first1=Del Quentin|last2=Strohm|first2=Chris|author-link1=Del Quentin Wilber|date=June 11, 2014|title=FBI Shutdown of Virus Demanded New Anti-Hacker Tactics|url=https://www.bloomberg.com/news/articles/2014-06-11/fbi-shutdown-of-virus-demanded-new-anti-hacker-tactics|url-status=live|work=Bloomberg News|archive-url=https://web.archive.org/web/20160908195153/https://www.bloomberg.com/news/articles/2014-06-11/fbi-shutdown-of-virus-demanded-new-anti-hacker-tactics|archive-date=September 8, 2016|access-date=March 17, 2025}} Planning for Operation Tovar began in 2012, with the FBI beginning to work together with private cybersecurity firms to combat GOZ.{{cite web|last=Franceschi-Bicchierai|first=Lorenzo|date=August 12, 2015|title=How the FBI Took Down the Botnet Designed to Be 'Impossible' to Take Down|url=https://www.vice.com/en/article/how-the-fbi-took-down-the-botnet-designed-to-be-impossible-to-take-down/|url-status=live|website=VICE|archive-url=https://web.archive.org/web/20220622000821/https://www.vice.com/en/article/539xy5/how-the-fbi-took-down-the-botnet-designed-to-be-impossible-to-take-down|archive-date=June 22, 2022|access-date=July 21, 2023}} By 2014, authorities in the United Kingdom had also provided the FBI with information regarding a GOZ-controlled server in the UK containing records of fraudulent transactions. The information in the server combined with interviews with former money mules allowed the FBI to begin to understand GOZ's botnet infrastructure. Bogachev was identified as the head of the GameOver ZeuS network by cross-referencing the IP address used to access his email (which had been provided by a tipster) with the IP used to administer the botnet;{{sfn|Wolff|2018|pp=64–66}} although he had used a virtual private network (VPN) to obscure his address, Bogachev had used the same one for both tasks.{{harvnb|Peterson|Sandee|Werner|2015|loc=41:06–41:31}}: "So, how do we figure out who these guys are? Well, fortunately, they're criminals all the time, so one of the things we try to do as law enforcement is work ourselves where we can where we can kind of attack those seams between their personal life and their criminal life. And fortunately, Mr. Bogachev, fond user of VPNs, liked to use the same VPN to log into some of his personal accounts as he would to administrate the backend of some of these servers." The Operation Tovar team also reverse-engineered the malware's DGA, allowing them to preempt any attempts to restore the botnet and redirect such attempts to government-controlled servers. GOZ's C2 servers in Canada, Ukraine, and Kazakhstan were seized by authorities,{{sfn|Wolff|2018|p=67}} with Ukraine being the first to do so on May 7, 2014. US officials wanted Ukraine to begin its seizures on May 29, but they were pushed forward due to the Russo-Ukrainian War.
With preparations finished, Operation Tovar began on May 30 and was completed within four to five hours. The operation was a sinkholing attack that cut off communication between the bots and their command servers, redirecting the communication towards the aforementioned government-controlled servers. Since the GOZ-controlled domains were registered in Russia, outside American jurisdiction, law enforcement ordered US-based internet service providers to direct attempts to contact GOZ-controlled domains towards FBI-controlled servers before the queries reached Russia.{{cite journal|url=https://www.justice.gov/usao/page/file/1135861/dl?inline#page=130|date=February 2019|first1=Anthony J.|last1=Lewis|volume=67|issue=1|journal=Department of Justice Journal of Federal Law and Practice|page=126|title=Botnet Disruptions: Legal Authorities and Technical Vectors|issn=1943-9008}} The technical details of the operation largely remain classified.{{sfn|Wolff|2018|p=67}} Additionally, law enforcement in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine, and the United Kingdom began seizing key GOZ servers on May 30.{{cite news|last=Nakashima|first=Ellen|author-link=Ellen Nakashima|date=June 2, 2014|title=U.S. says global effort has hobbled a cybercrime ring|url=https://www.washingtonpost.com/world/national-security/2014/06/02/73e177b4-ea7c-11e3-9f5c-9075d5508f0a_story.html|url-status=live|newspaper=The Washington Post|archive-url=https://archive.today/20140603035935/http://www.washingtonpost.com/world/national-security/2014/06/02/73e177b4-ea7c-11e3-9f5c-9075d5508f0a_story.html|archive-date=June 3, 2014|access-date=March 13, 2025}}
On June 2, the United States Department of Justice announced the outcome of Operation Tovar. An indictment against Bogachev was also unsealed that same day.{{cite journal|url=https://ir.law.utk.edu/context/tennesseelawreview/article/1080/viewcontent/15_86TennLRev503_2018_2019_.pdf|date=Winter 2019|first1=Lawrence J.|last1=Trautman|first2=Peter C.|last2=Ormerod|volume=86|issue=2|journal=Tennessee Law Review|page=512|title=Wannacry, Ransomware, and the Emerging Threat to Corporations|doi=10.2139/ssrn.3238293|ssrn=3238293|issn=0040-3288|oclc=1304267714|s2cid=169254390}} However, authorities also warned that the botnet would likely return within two weeks.{{cite web|archive-url=https://web.archive.org/web/20230702043007/https://www.zdnet.com/article/gameover-zeus-botnet-seized-two-week-window-to-protect-yourself-say-authorities/|url-status=live|archive-date=July 2, 2023|url=https://www.zdnet.com/article/gameover-zeus-botnet-seized-two-week-window-to-protect-yourself-say-authorities/|title=GameOver Zeus botnet seized; Two week window to protect yourself, say authorities|website=ZDNET|date=June 2, 2014|first=Larry|last=Dignan|accessdate=July 23, 2023}} On July 11, the DOJ stated that as a result of the operation, GOZ infections were down 32 percent and that nearly all infected computers had been "liberated from the criminals' control".{{sfn|Wolff|2018|p=68}}{{cite journal|url=https://harvardnsj.org/wp-content/uploads/2016/06/Carlin-FINAL.pdf|date=2016|first1=John P.|last1=Carlin|author-link=John P. Carlin|volume=7|issue=2|journal=Harvard National Security Journal|page=426|title=Detect, Disrupt, Deter: A Whole-of-Government Approach to National Security Cyber Threats|issn=2153-1358}} On February 24, 2015, the Justice Department announced a reward of $3 million for information leading to Bogachev's arrest,{{cite web|archive-url=https://web.archive.org/web/20230416173713/https://arstechnica.com/tech-policy/2015/02/us-offers-3-million-reward-for-capture-of-gameover-zeus-botnet-admin/|url-status=live|archive-date=April 16, 2023|url=https://arstechnica.com/tech-policy/2015/02/us-offers-3-million-reward-for-capture-of-gameover-zeus-botnet-admin/|title=US offers $3 million reward for capture of GameOver ZeuS botnet admin|website=Ars Technica|date=February 24, 2015|first=David|last=Kravets|accessdate=July 21, 2023}} at the time the largest-ever reward for a cybercriminal.{{sfn|Wolff|2018|p=59}}{{efn|This has since been exceeded by the reward of $5 million issued on December 5, 2019, for information leading to Evil Corp head Maksim Yakubets's arrest.{{cite web|archive-url=https://web.archive.org/web/20230722155342/https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html|url-status=live|archive-date=July 22, 2023|url=https://www.rferl.org/a/in-lavish-wedding-photos-clues-to-an-alleged-russian-cyberthief-fsb-family-ties/30320440.html|title=In Lavish Wedding Photos, Clues To An Alleged Russian Cyberthief's FSB Family Ties|website=Radio Free Europe/Radio Liberty|date=December 11, 2019|first1=Sergei|last1=Dobrynin|first2=Mark|last2=Krutov|accessdate=July 23, 2023}} Yakubets was a member of the GOZ syndicate and had previously worked with Bogachev as part of the Jabber Zeus crew.{{cite news|last=Riley|first=Michael|date=June 11, 2021|title=Hackers Thrive in Putin's Russia as U.S. Seeks New Strategy|url=https://www.bloomberg.com/news/articles/2021-06-11/russian-hackers-thrive-as-putin-prepares-to-meet-with-u-s-president-biden|url-status=live|work=Bloomberg Businessweek|archive-url=https://web.archive.org/web/20210629142131/https://www.bloomberg.com/news/articles/2021-06-11/russian-hackers-thrive-as-putin-prepares-to-meet-with-u-s-president-biden|archive-date=June 29, 2021|access-date=March 17, 2025}}{{cite web|archive-url=https://web.archive.org/web/20230410200230/https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/|url-status=live|archive-date=April 10, 2023|url=https://krebsonsecurity.com/2022/11/top-zeus-botnet-suspect-tank-arrested-in-geneva/|title=Top Zeus Botnet Suspect 'Tank' Arrested in Geneva|website=Krebs on Security|date=November 15, 2022|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=May 7, 2023}}}} Bogachev remains wanted as of 2024.{{cite news|last=Burgess|first=Matt|date=July 11, 2024|title=Notorious Hacker Kingpin ‘Tank’ Is Finally Going to Prison|url=https://www.wired.com/story/vyacheslav-igorevich-penchukov-tank-zeus-malware-sentencing/|url-status=live|work=WIRED|archive-url=https://web.archive.org/web/20250312000402/https://www.wired.com/story/vyacheslav-igorevich-penchukov-tank-zeus-malware-sentencing/|archive-date=March 12, 2025|access-date=March 21, 2025}}
=Re-emergence as "newGOZ"=
Five weeks after Operation Tovar was executed, security company Malcovery announced that it had discovered a new GOZ strain being transmitted through spam emails. Despite sharing around ninety percent of its code base with previous GOZ versions, the new malware did not establish a peer-to-peer botnet, opting to create a botnet structure using fast flux, a technique where phishing and malware delivery sites are obscured behind a rapidly changing array of compromised systems acting as proxies.{{cite web|archive-url=https://web.archive.org/web/20230201000600/https://krebsonsecurity.com/2014/07/crooks-seek-rivival-of-gameover-zeus-botnet/|url-status=live|archive-date=February 1, 2023|url=https://krebsonsecurity.com/2014/07/crooks-seek-rivival-of-gameover-zeus-botnet/|title=Crooks Seek Revival of 'Gameover Zeus' Botnet|website=Krebs on Security|date=July 10, 2014|first=Brian|last=Krebs|author-link=Brian Krebs|accessdate=July 7, 2023}} The origin of and motives for creating the new variant, dubbed "newGOZ", were unclear; Sandee believed newGOZ to be a "trick" to give away the malware's source code and create a distraction for Bogachev to disappear into.{{sfn|Sandee|2015|p=5}} However, Malcovery's initial report claimed that the new Trojan represented an earnest attempt to revive the botnet.{{cite news|last=Brewster|first=Tom|date=July 11, 2014|title=Gameover Zeus returns: thieving malware rises a month after police action|url=https://www.theguardian.com/technology/2014/jul/11/gameover-zeus-criminal-malware-police-hacking|url-status=live|work=The Guardian|archive-url=https://web.archive.org/web/20230124180951/https://www.theguardian.com/technology/2014/jul/11/gameover-zeus-criminal-malware-police-hacking|archive-date=January 24, 2023|access-date=July 7, 2023}} The original GameOver ZeuS and newGOZ botnets were separate entities; the list of domains generated by their respective DGAs were different, despite the algorithms being similar, and the original GOZ botnet was described by Malcovery as still "locked down".{{cite web|archive-url=https://web.archive.org/web/20230707062803/https://www.csoonline.com/article/547748/data-protection-the-gameover-trojan-program-is-back-with-some-modifications.html|url-status=live|archive-date=July 7, 2023|url=https://www.csoonline.com/article/547748/data-protection-the-gameover-trojan-program-is-back-with-some-modifications.html|title=The Gameover Trojan program is back, with some modifications|website=CSO Online|date=July 11, 2014|first=Lucian|last=Constantin|accessdate=July 7, 2023}}
newGOZ appeared in two variants, which differed in two respects: the number of domains generated by the DGA, with one generating 1,000 domains per day and the other generating 10,000; and the geographic distribution of infections, with the former variant primarily infecting systems in the US and the latter targeting computers in Ukraine and Belarus.{{cite web|archive-url=https://web.archive.org/web/20220516145034/https://www.bitdefender.com/blog/labs/gameover-zeus-variants-targeting-ukraine-us/|url-status=live|archive-date=May 16, 2022|url=https://www.bitdefender.com/blog/labs/gameover-zeus-variants-targeting-ukraine-us/|title=Gameover Zeus Variants Targeting Ukraine, US|website=Bitdefender Blog|date=August 6, 2014|first=Doina|last=Cosovan|accessdate=July 8, 2023}} On July 25, 2014, it was estimated that 8,494 machines had been infected by newGOZ.{{cite web|archive-url=https://web.archive.org/web/20230708053303/https://www.csoonline.com/article/548090/data-protection-new-gameover-zeus-botnet-keeps-growing-especially-in-the-us.html|url-status=live|archive-date=July 8, 2023|url=https://www.csoonline.com/article/548090/data-protection-new-gameover-zeus-botnet-keeps-growing-especially-in-the-us.html|title=New Gameover Zeus botnet keeps growing, especially in the US|website=CSO Online|date=August 14, 2014|first=Lucian|last=Constantin|accessdate=July 8, 2023}} Other GOZ variants, including "Zeus-in-the-Middle", which targets mobile phones, have been reported as well.{{cite web|archive-url=https://web.archive.org/web/20220307215432/https://www.cybereason.com/blog/the-fbi-vs-gameover-zeus-why-the-dga-based-botnet-wins|url-status=live|archive-date=March 7, 2022|url=https://www.cybereason.com/blog/the-fbi-vs-gameover-zeus-why-the-dga-based-botnet-wins|title=The FBI vs. GameOver Zeus: Why The DGA-Based Botnet Wins|website=Malicious Life by Cybereason|date=July 1, 2015|first=Lital|last=Asher-Dotan|accessdate=July 23, 2023}} As of 2017, variants of Zeus constituted 28% of all banking malware.{{cite journal|date=July 2019|first1=Ali|last1=Gezer|first2=Gary|last2=Warner|first3=Clifford|last3=Wilson|first4=Prakash|last4=Shrestha|volume=84|journal=Computers & Security|page=180|title=A flow-based approach for Trickbot banking trojan detection|doi=10.1016/j.cose.2019.03.013|issn=0167-4048|oclc=8027301558|s2cid=88494516}} However, Sandee, writing in 2015, claimed that newer malware was taking much of Zeus's market share.{{sfn|Sandee|2015|p=5}}
See also
Similar Russian and Eastern European cybercrime groups:
- Avalanche, used botnets and email spam
- Berserk Bear, advanced persistent threat known to employ cybercriminals
- REvil, employed ransomware
Similar botnets:
- Conficker, an extremely prolific botnet at its peak
- Sality, another peer-to-peer botnet
- Torpig, another botnet spread through Trojan horses
- Tiny Banker Trojan, derived from Zeus
- ZeroAccess botnet, also P2P and spread via Trojans
Notes and references
=Notes=
{{notelist}}
=References=
General sources
{{refbegin}}
- {{cite tech report|last1=Andriesse|first1=Dennis|last2=Bos|first2=Herbert|date=April 10, 2014|title=An Analysis of the Zeus Peer-to-Peer Protocol|url=https://danielandriesse.com/papers/zeus-tech-report-2013.pdf|location=Amsterdam|publisher=Vrije Universiteit Amsterdam|id=IR-CS-74|s2cid=211256684}}
- {{cite conference|url=https://net.cs.uni-bonn.de/fileadmin/user_upload/plohmann/2013-MALWARE-goz.pdf|location=Fajardo|date=October 22–24, 2013|first1=Dennis|last1=Andriesse|first2=Christian|last2=Rossow|first3=Brett|last3=Stone-Gross|first4=Daniel|last4=Plohmann|first5=Herbert|last5=Bos|publisher=IEEE|book-title=2013 8th International Conference on Malicious and Unwanted Software: "The Americas"|conference=International Conference on Malicious and Unwanted Software|pages=116–123|title=Highly Resilient Peer-to-Peer Botnets Are Here: An Analysis of Gameover Zeus|doi=10.1109/MALWARE.2013.6703693|isbn=978-1-4799-2534-6|s2cid=18391912}}
- {{cite conference|location=Helsinki|date=August 20–22, 2015|first1=Najla|last1=Etaher|first2=George R.S.|last2=Weir|first3=Mamoun|last3=Alazab|publisher=IEEE|book-title=2015 IEEE Trustcom/BigDataSE/ISPA|conference=IEEE International Conference on Trust, Security and Privacy in Computing and Communications|pages=1386–1391|title=From ZeuS to Zitmo: Trends in Banking Malware|doi=10.1109/Trustcom.2015.535|isbn=978-1-4673-7952-6|s2cid=2703081|oclc=8622928059|url=https://strathprints.strath.ac.uk/54485/1/Etaher_etal_IEEE_TrustCom_2015_From_ZeuS_to_Zitmo_Trends_in_banking.pdf}}
- {{cite conference|location=Scottsdale, AZ|date=April 25–27, 2017|first1=Alice|last1=Hutchings|first2=Richard|last2=Clayton|publisher=IEEE|book-title=2017 APWG Symposium on Electronic Crime Research (eCrime)|conference=Symposium on Electronic Crime Research|pages=33–40|title=Configuring Zeus: A case study of online crime target selection and knowledge transmission|isbn=978-1-5386-2702-0|doi=10.1109/ECRIME.2017.7945052|eissn=2159-1245|s2cid=17267709|oclc=7086673477|url=https://www.cl.cam.ac.uk/~rnc1/configuringzeus.pdf}}
- {{cite book|last=Karuppayah|first=Shankar|year=2018|title=Advanced Monitoring in P2P Botnets: A Dual Perspective|series=SpringerBriefs on Cyber Security Systems and Networks |location=Singapore|publisher=Springer|isbn=978-981-10-9049-3|eissn=2522-557X|issn=2522-5561|oclc=1036733978|doi=10.1007/978-981-10-9050-9|s2cid=1919346|lccn=2018940630|ol=20903258W}}
- {{cite speech|last1=Peterson|first1=Elliott|last2=Sandee|first2=Michael|last3=Werner|first3=Tillmann|title=GameOver Zeus: Badguys And Backends|event=Black Hat Briefings|date=August 5, 2015|location=Las Vegas|url=https://www.youtube.com/watch?v=KkEVwswqIBs|access-date=May 7, 2023|archive-url=https://web.archive.org/web/20230331070800/https://www.youtube.com/watch?v=KkEVwswqIBs|archive-date=March 31, 2023|url-status=live}} {{via|text=Full speech|YouTube}}
- {{cite conference|first=Michael|last=Sandee|conference=Black Hat Briefings|title=GameOver ZeuS: Backgrounds on the Badguys and the Backends|url=https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends-wp.pdf|location=Las Vegas|date=August 5, 2015}}
- {{cite book|last=Wolff|first=Josephine|year=2018|title=You'll See This Message When It Is Too Late: The Legal and Economic Aftermath of Cybersecurity Breaches|series=Information Policy Series|location=Cambridge, MA|publisher=The MIT Press|doi=10.7551/MITPRESS/11336.001.0001 |isbn=978-0-262-03885-0|oclc=1029793778|s2cid=159378060|ol=20186685W|lccn=2018010219}}
{{refend}}
External links
- [https://www.fbi.gov/wanted/cyber/evgeniy-mikhailovich-bogachev Wanted poster of Bogachev]
- [https://www.justice.gov/sites/default/files/opa/legacy/2014/06/02/pittsburgh-indictment.pdf Indictment of Bogachev for ZeuS-facilitated crimes]
{{Hacking in the 2010s}}