This article is from the source 'nytimes'.

You can find the current article at its original source at http://www.nytimes.com/2014/06/03/world/europe/battling-destructive-computer-viruses-agents-seize-networks-used-by-hackers.html

The article has changed 6 times.

Version 3

Battling Destructive Computer Viruses, Agents Seize Networks Used by Hackers

WASHINGTON — Government agents seized control of two computer networks that are used by hackers to steal banking information and lock files on infected computers, officials in the United States and Europe said Monday, disrupting the circulation of two of the world’s most pernicious viruses, which have infected millions of computers worldwide.

The coordinated strike targeted malware known as GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.

Over the weekend, government agents in Europe and the United States took control of the servers that operated the attacking software and identified a 30-year-old suspect from Russia, Evgeniy Bogachev, also known as Lucky12345, as the man behind the attacks, according to court documents.

The Justice Department held a news conference Monday afternoon to discuss the operation. Europol, the European Union’s police intelligence agency, said Mr. Bogachev would be placed on the F.B.I.’s list of most-wanted cybercriminals, beside the Chinese officials whom the United States accused last month of economic espionage.

GameOver Zeus operated without warning. When someone on an infected computer logged into a bank account, the software recorded the password. Armed with that information, hackers wired themselves money from that account. Often they stole more than $1 million at a time from businesses, prosecutors said, with at least one theft exceeding $6 million.

“By the time the victims learned that their computers had been infected, it was far too late,” said Leslie R. Caldwell, an assistant attorney general.

CryptoLocker, a piece of software known as ransomware, has been spreading since last year. Once it infects a computer, the software searches for personal files, then encrypts them, making them inaccessible without a code.

The software then demands hundreds of dollars to unlock them. People who do not pay the ransom see their files deleted forever. Security experts say people have paid untold millions to avoid that fate.

“CryptoLocker infections are massively underreported,” said Rik Ferguson, vice president of security research for Trend Micro, which he said was one of many private security firms that worked with investigators. “Especially in business, it’s easier to pay the ransom.”

While both pieces of software are distributed through spam emails, they accomplish different things, each incredibly damaging.

Once inside a computer, GameOver Zeus steals data such as the login information to personal bank accounts. It then takes control of the computer to send spam emails attacking others. The software is run across an ever-changing network of computers, not a single hub, making it difficult to shut down. Federal investigators say GameOver Zeus has cost people more than $100 million in direct and indirect losses.

CryptoLocker uses emails that look like they are from legitimate businesses, including fake tracking notices from FedEx and U.P.S. Once inside a network, such as a company’s computer system, the virus can spread from one computer to the next.

As it spreads, the software locks up computer files and demands payment within three days. Some people have had their files deleted even after paying the ransom, according to the Department of Homeland Security.

Version 4 (about 3 hours later)

Secret Global Strike Kills 2 Malicious Web Viruses

WASHINGTON — Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world’s most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive.

The strike, coordinated with the European authorities, was aimed at malware called GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.

“By the time the victims learned that their computers had been infected, it was far too late,” Leslie R. Caldwell, the assistant attorney general in charge of the criminal division, said Monday.

Together, the Justice Department estimates, the two malicious programs have infected between 500,000 and a million computers and cost people more than $100 million in direct and indirect losses.

Authorities had been investigating the two viruses separately, but along the way, they realized that GameOver Zeus was the main vehicle by which CryptoLocker was spread, the Justice Department said.

They also determined that the operations were run by the same man, whom the Justice Department identified as Evgeniy M. Bogachev, of Anapa, Russia. Investigators were hunting for him even before they knew his name. Inside the F.B.I., he has long been one of the government’s most sought-after individual cybercriminals, through his screen name, Lucky12345.

While both pieces of software are distributed through spam emails, they accomplish different things, each highly damaging.

Once inside a computer, GameOver Zeus quietly tracks each keystroke. When the software detects someone logging into a bank account, it records the password. Armed with that information, hackers log in and drain the account. Often they stole more than $1 million from businesses, prosecutors said, with at least one theft exceeding $6 million.

CryptoLocker spreads through emails that look like they are from legitimate businesses, including fake tracking notices from FedEx and U.P.S. Once inside a network, such as a company’s computer system, the virus can spread from one computer to the next. As it spreads, the software locks up computer files behind encryption the victim cannot break, then demands hundreds of dollars in exchange for the code that unlocks it.

Investigators say many people and organizations, including the police department in Swansea, Mass., have paid to recover their files. Those who refused saw their files permanently erased. Such so-called ransomware is a growing security threat.

Investigators have targeted large malicious software networks, known as botnets, before. In 2011, the F.B.I. hijacked a command-and-control server that ran the similarly harmful Coreflood network. It then sent a shutdown command to every infected computer, effectively killing the virus in one stroke.

This weekend’s takedown, which was months in the making, was far more difficult. While CryptoLocker used a command-and-control server, GameOver Zeus did not. Instead, it relied on a decentralized, peer-to-peer structure, and it did not have a simple shutdown command.

In meetings late last year, F.B.I. agents and private security experts devised a plan to outsmart the hackers. The best chance the F.B.I. had to wrest control of the network, it was decided, was by seizing all the servers that transmitted the malicious code and rerouting their traffic to a safe, government-controlled computer, a technique known as sinkholing.
In theory, every time an infected computer asked for instructions to carry out its malicious mission, it would instead find itself harmlessly talking to the United States government.
But the GameOver Zeus servers were spread across the world. If the agents missed one infected server, the hackers could use it to restart the network and continue spreading the code.
“You don’t want to have any loose ends,” said Shawn Henry, a former top F.B.I. cyber investigator and president of CrowdStrike Services, one of several security firms that worked with government on the case. “You want it to be swift. You want it to be complete.”
Early last Friday, authorities in Canada, France, Germany, Luxembourg, Ukraine and the United Kingdom physically took over the servers that served as the backbone for GameOver Zeus and CryptoLocker, Ms. Caldwell said. All Internet traffic was then rerouted, under a court order, to the government’s safe computer.
All weekend, the agents waited and watched for signs of success. Investigators worked from command centers at F.B.I. headquarters in Washington, Europol headquarters at The Hague in the Netherlands and at the National Cyber-Forensics & Training Alliance in Pittsburgh.
One by one, computers across the world contacted the government’s safe computer, signifying that America, not the hackers, was in control of the network. With each electronic ping, the government collected the Internet addresses of the infected systems, providing a map of the worldwide infection.
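The mapping step described above, where every check-in at the seized server yields the address of one more infected machine, is the part of a sinkhole operation that turns raw traffic into a victim list. The script below is an added example written for this page; it is not code from the article or from the F.B.I. operation. The log line format, the request paths used to tell one bot family from another, and the sample beacon lines are all constructed assumptions. It deduplicates repeated check-ins from the same host, drops addresses that cannot be handed to an ISP for notification, and ignores scanner and browser traffic that also reaches a sinkhole once it is public.

```python
"""Sinkhole beacon-log triage: turn check-ins to a seized server into a
victim map. Added example; not code from the article or from the operation
it describes. The log format and request paths are assumptions."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Hypothetical mapping from the path a bot requests to the malware family.
# Real sinkholes fingerprint the bot protocol itself; these paths are made up.
FAMILY_BY_PATH = {
    "/gameover/peerlist": "GameOver Zeus",
    "/cryptolocker/gen": "CryptoLocker",
}

# Ranges that cannot identify a victim to an ISP: RFC 1918, loopback,
# link-local, "this network". Listed explicitly rather than relying on
# ipaddress.is_global, because the TEST-NET documentation addresses used in
# the constructed sample below would otherwise be filtered out too.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]

# Constructed sample log (assumed format):
# "<ISO-8601 UTC timestamp> <client ip> <request path>"
SAMPLE_LOG = """\
2014-05-31T02:14:07Z 203.0.113.45 /gameover/peerlist
2014-05-31T02:14:09Z 203.0.113.45 /gameover/peerlist
2014-05-31T03:00:12Z 198.51.100.7 /gameover/peerlist
2014-05-31T09:41:55Z 192.0.2.88 /cryptolocker/gen
2014-06-01T00:03:44Z 198.51.100.7 /gameover/peerlist
2014-06-01T11:20:01Z 203.0.113.99 /cryptolocker/gen
2014-06-01T11:20:02Z 10.0.0.5 /gameover/peerlist
2014-06-01T12:00:00Z not-an-ip /gameover/peerlist
2014-06-01T13:37:00Z 192.0.2.88 /favicon.ico
"""


def parse_line(line):
    """Return (timestamp, ip, family) for a bot check-in, or None for lines
    that are malformed, come from a non-routable address, or are not a
    recognised bot request (scanners, browsers, crawlers)."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts_text, ip_text, path = parts
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if any(ip in net for net in NON_ROUTABLE):
        return None
    family = FAMILY_BY_PATH.get(path)
    if family is None:
        return None
    return ts, str(ip), family


def analyze(log_text):
    """Deduplicate check-ins per (family, address) and summarise the
    infection picture: unique victims per family, first-seen victims per
    day, total bot beacons, and lines discarded as noise."""
    first_seen = {}                 # (family, ip) -> earliest timestamp
    beacons = 0
    discarded = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            discarded += 1
            continue
        ts, ip, family = parsed
        beacons += 1
        key = (family, ip)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    victims = defaultdict(set)
    new_per_day = defaultdict(int)
    for (family, ip), ts in first_seen.items():
        victims[family].add(ip)
        new_per_day[ts.date().isoformat()] += 1
    return {
        "unique_victims": {f: len(ips) for f, ips in victims.items()},
        "new_victims_per_day": dict(sorted(new_per_day.items())),
        "beacons": beacons,
        "discarded_lines": discarded,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the two repeat check-ins collapse into their first sighting, the private 10.0.0.5 host and the malformed line are dropped, and the browser-style `/favicon.ico` hit from an already-known address is ignored, leaving two GameOver Zeus and two CryptoLocker victims. Counting unique addresses rather than beacons is what makes a figure like the article’s 300,000 freed computers meaningful, since a single bot may check in many times an hour.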
By Sunday, officials said they were confident they had dismantled the network and collected enough data to help security firms and technology companies clean infected computers.
“More than 300,000 victim computers were freed from the botnet,” Ms. Caldwell said. “We expect that number to increase as additional computers are powered on and connect to the Internet this week.”
CryptoLocker similarly came under United States control, Ms. Caldwell said.
On Monday, the government unsealed court documents charging Mr. Bogachev with bank, computer and wire fraud. The F.B.I. placed Mr. Bogachev on its list of most-wanted cybercriminals.
Mr. Bogachev remains free and the United States has asked Russian authorities to turn him over. Those discussions are continuing, the Justice Department said.