Without knowing it, Christian Rossow began his hunt for one of the most wanted cyber criminals in the world
Quelle: Dominik Asbach
There are countless viruses, Trojans and malware programmes; every day half a million new ones are released. Some are badly programmed, clumsy and virtually ineffective, but some are dangerous cyber weapons, able to raid banks, shut down power stations, and even sabotage whole countries. Rossow is only interested in the well-programmed ones. He studies dozens of them every day, reads their codes, reads every single command line. He wants to understand how they work, how they enter external computers and how to deactivate them. He is part of a silent battle, fought with keyboards, bytes, codes and fibre optics, programmer against programmer, good against evil. One side invents the cyber weapons; the other studies their plans and tries to render them harmless. “Its a game,” he says.
He usually sits at a desk, or on a sofa, in front of a screen, which connects him to the outside world. He studies his enemies, their strategies, so he knows in advance what their next move will be. They could be teenagers or grown men, sitting somewhere in a darkened room, maybe wearing hoodies and goatees, he never knows. Most of them have probably started out just like him, programming or hacking games so they dont have to pay for them. Rossow decided early on that he wanted to be one of the good guys. A scientist – independent, conscientious, objective.
A code, written like an almost indecipherable language
He talks about how professional hackers are getting better and better, their attacks ever more targeted and clever. Whatever they cant or wont programme themselves they buy in forums on the Internet, the black market of the digital underworld. There they can also hire computers for attacks, or the access to computers, which have been connected to botnets without the knowledge of their owners. These forums are used by a work-sharing industry to offer components for digital high-performance weapons, sometimes in closed groups only accessible to paying members.
It was the middle of November 2011 when Rossow first encountered Gameover Zeus. Someone had sent him a link to an employee of a company located in the North-West of the US state of Pennsylvania which looked like it came from the employees boss. That link was used to gain access to the data and bank accounts of the company. This, it was later discovered, was Bogachevs first big raid. What they took, around $1 million, was moved to a bank account in London with the help of a series of middlemen, straw men.
Rossow didnt know this yet. The programme he discovered in his lab in the basement was unknown. Its code was written like an almost indecipherable language. It settled deep into his computer, didnt send any spam and seemed to just lurk there. On top of that it was also extremely well encrypted. But Rossow wanted to find out more about how this programme worked. He wanted to watch the weapon in action.
For weeks, he spent his days working in his grey university office, and the nights at home with his little black laptop, often until very late. He hardly slept and only rarely saw his girlfriend. Only sometimes, when the sun shone, he went for a jog to clear his mind, for half an hour
Bit by bit he began to understand the logic of this Trojan: how it communicated with other computers, how it introduced itself and built an enormous botnet. In the high security lab of his university Rossow started to build a copy of the malware to be able to make further tests. Then he came across an article in a specialist blog in Poland. Another scientist had obviously found the same Trojan, analysed it, and had come to the conclusion that it could not be cracked. Gameover Zeus was not only very fast, but its creator had given it a special kind of camouflage.
Hackers have to make a number of decisions when developing their malware, for example how infected computers are to receive crucial commands. They can deposit that information inside the code of their cyber weapons. But they can also have the computers, once taken over, be controlled by one or several other devices. The advantage of the first option is its directness and its reliability; the disadvantage is that it leaves behind traces of data that can then be followed by cyber investigators or people like Rossow. Bogachev opted for the second model. The computer sending out the Trojan used infected computers as carriers. This made Bogachev virtually invisible, a computer amongst hundreds of thousands, all constantly sending and forwarding commands.
Rossow was impressed. He had rarely seen such an elaborate weapon; the creator had made it extremely difficult for his opponents. Still, Rossow knew that every programme had a weak point. There is no such thing as a perfect code; otherwise system software such as Windows, Mac OS or Linux would be invulnerable.
One of those long nights, looking up at the dark blue sky through the window of his study at home, Rossow became convinced he had found the weak link. Bogachev did not control who joined his botnet. He had not built a reliable lock for his network. Maybe he didnt even anticipate the problem. Or maybe he was too confident and thought that his disguise was perfect.
The best Moment: A Friday evening
Rossow managed to join Bogachevs botnet undetected. Now it was his turn to watch his enemy, in disguise. If his assumptions were correct and he succeeded in disabling Bogachevs Trojans this would certainly be of interest to his professors, to producers of anti-virus software, to the big IT companies and their security branches, the German Federal Office of Criminal Investigation, Europol, maybe even the FBI. But he would not be able to do it alone. He knew it would be too much work and he knew he needed to be quick if he wanted to be first. Two people agreed to help him: one of his students and one of his long-standing colleagues.
This small team each sat in their flats in Dinslaken, Amsterdam and Düsseldorf, analysing data, and speaking through video conferences when they found something new, which often happened several times a day. After a few weeks they believed they had found a way of attacking Bogachevs weapon, and also the best moment for it: a Friday evening.
Rossow used his virus lab to find out which computers in Bogachevs botnet shared the most information with each other. These were most likely the ones Bogachev used to control his botnet. Rossow and his friends also found that any updates for Gameover Zeus were always released during the week, usually early in the morning. This meant that the cyber criminals were not working weekends and probably lived in a similar time zone to them, maybe Europe, but more probably the Ukraine or Russia. A lot of well-educated IT experts live there. In Germany they would be snapped up by big companies and given good salaries, but in Russia there just arent enough jobs for all of them
Fighting an invisible battle
On a Friday evening in May 2012, just after 5pm, Rossow was sitting in his study. There were two windows open on his computer screen, one white and one black. The white one showed the faces of the other two of his team, as tense as his own. They, in turn, were looking at the same black window on their screens, the matrix. Where others would only see a long row of numbers, letters and signs, they could see a whole world.
It had taken them almost two months to write the code for their attack. The code was designed to manipulate the connection of the computers and so find a way to break them off Bogachevs botnet, one by one. But it had to be quick. A computer automatically updates itself every 20-30 minutes. That is all the time they had. If they took longer the computers would destroy the attempt automatically. That is why they used the Internet and the computer system at Rossows university. The Internet connection at home would have been too slow.
Rossow pressed enter and waited.
The white lines on his screen started moving so quickly they began to blur. Every computer that had been broken off from Bogachev sent a line of text as confirmation. There were so many of them and it all happened incredibly quickly. At 2am that night Rossow checked the warning system one more time; everything was in order. He went to bed, happy that it had all gone to plan.
The next morning he was up early. The hackers had still not reacted. The weekend passed, then one week, then another week. Rossow was surprised. He had given Bogachev an expensive problem by breaking his control over the computers whose owners he robbed, sometimes more than once. Bogachev would be missing out on goods. On top of that, he had bought some of the elements for his weapon to infect external computers and be able to read bank account data. Now he needed new elements.
Then, three weeks after the attack, someone hacked into Rossows university and targeted their Internet connection. This was Bogachevs counter attack, expected by Rossow, and he in turn stopped his attack. Now he knew that Bogachev and his malware had a weak point. The success of the attack had made him vulnerable. The more computers are linked to a botnet, the harder it is to repair it when someone introduces a mistake; which is exactly what he had done.
The flat looked like the rooms of their youth
Within the next few days Bogachev and his people released more than twelve updates. There were some new functions. But they still hadnt recognised the weak link of their programme. That meant that Rossow and his colleagues could attack again. But this time they would need more effective weapons, a more sophisticated code, bigger computers and more server capacity.
In August 2012, Rossow asked his girlfriend to move back in with her parents temporarily. For one week he and the others transformed his flat into what looked like the rooms of their youth. During the day they sat at their laptops, documents and gummy bears all over the dining table, during the night they rolled out camping mats on the floor for a few hours sleep. They started each day early, talked about peer-to-peer-networks, bulletproof hosting and sink holing over breakfast, and continued to work on their code.
They then asked two men for help who worked for IT-security companies and whom they had met at conferences. One of them, Tillmann Werner, was now sitting at the table with them. The other, a Californian called Brett Stone-Gross, logged in through Skype in the early evenings. Stone-Gross was known to have exceptional criminal intuition, extraordinary technical abilities and very good contacts with the American National Security Agency. It had turned out that he, too, had been chasing Bogachev for a while.
At the end of the week they felt ready to launch their second attack. They found four companies willing to place several servers at their disposal. This time, they had a number of IP addresses, not just the one at the university, which made them much harder to find. Most importantly, Rossow believed that their code was significantly more refined than the last one.
Although he believed that there is no such thing as the perfect code he wanted to try to come as close to it as possible. The code is the handwriting, which reveals the programmer, showing his craftsmanship and even his personality. A code shows for example if his creator is vain: he can hide secret messages within it, references to a book or a musician. For Rossow the perfect code is elegant, free of any ornament, it makes the difficult look easy. Bogachevs code was elegant. The handwriting showed that this man had extraordinary ideas, but was still able to carry them out without adding anything superfluous. Still, Rossow believed his team could beat Bogachev.
At this time, a court in the North of the USA, almost 8,000 km away, issued the indictment against whoever was hiding behind the pseudonyms slavik, lucky12345 and Pollingsoon. The accusations included racketeering, bank fraud and violation of several computer laws.
On a Friday evening in September 2012, Rossow and his helpers launched the second attack. The progress was similar to before: Midnight, 1am, 2am, Saturday went by, then the first week, the second. They succeeded in breaking off 90% of the computers from Bogachevs predatory botnet. At the end of the second week, they realised that the hackers had revised their Trojan several times. But they still hadnt fixed the weak link.
Now Rossow had pretty much all he needed. He had wanted to know how the programme worked and why it was so successful. Now he knew. He had defeated a Trojan, which people said was invincible, twice. Proof enough. He could easily write his dissertation now. Chances were good that he would be the first scientist to really describe “Gameover Zeus”. On the other hand, he thought, such a case only crosses your path once as a scientist. Apart from the fact that a lot of people and organisations were still losing a lot of money at the hands of this Trojan every day.
The moment when the game became dangerous
In May 2013, Rossow found himself on the ground floor of a big concrete block in the middle of San Francisco, in a room with no windows, almost as cold as his virus lab. He was invited as a speaker to IEEE Security and Privacy, arguably the most important conference in the world on computer security. The worlds top researchers, detectives and investigators gather here once a year. Rossow felt blinded by the bright ceiling lights. All the rows were filled with people. About 500 had come to hear him and the others speak about “Gameover Zeus”. This was the first time a larger audience would hear what happened.
For Rossow, this was also the moment when the game became dangerous. The battle was moving from the virtual into the real world. Until now, he had just been a ghost to Bogachev, someone who had access to a university server and some knowledge about botnets. Now, he would be a German scientist, a human being with a name and a face, traceable if Bogachev wanted to find him. Rossow knew that a Firewall could provide more safety than the walls of his own home. He tried not to think about that too much and to stay calm by reminding himself that there were many others who had tried to hack Bogachevs botnet. He was only one member of a much larger group.
Rossow had just arrived back in Germany when he received an email from Brett Stone-Gross, the American from his group. Stone-Gross wrote that a man called Elliott Peterson, an FBI special agent and former marine, had heard the speech in San Francisco and got in touch. “He could use our help,” Stone-Gross said.
During the first video conference, Rossow couldnt help but feel that this case was even bigger than he had thought. Peterson was tall, muscular and had a sense of irony – not at all like those grumpy, near-silent investigators from American crime movies. His questions and answers revealed that he had been chasing Bogachev for some time, and was now working with an international army of investigators and security firms. “We are looking for a way to take away the botnet from those hackers – for good. Can you do that?” Whatever Rossows team might need, Peterson promised to provide it, if possible. It was clear that a lot would be possible, as the case was of huge importance to the US.
This time, Rossow and his group met in an old, but newly refurbished house in Bonn. One more week of sleeping on the floor. One more week of take-away meals. By now Bogachev had made sure their work would be significantly more difficult. He had reprogrammed his Trojan in a way that made it practically impossible to change the code. And to make it even harder, he had generated a kind of massive game of thimblerig, or shell game: his Trojan now generated a thousand new domains each week. This meant that their effort would have to be even bigger as they were reliant on the help of all the companies managing the domains. They would have to negotiate with them to get them to shut down all the addresses.
But at least they knew what they needed to do. They discussed, tested, adapted and wrote a new code. Once a day they received a call from Peterson checking on their progress. Whenever they needed anything, he organised it. Money was no issue. But then, when they were finally ready for the big showdown, Petersen stopped calling.
At first they still heard from him every few days, then weeks and months would go by with no contact. Rossow started to worry. Bogachevs last update was already very good. What if he used the time to perfect the Trojan even more? What if he found the mistake and eliminated it? This could, after all, happen any day. It was possible that they would miss the chance to stop him.
Two and half years after Rossow first discovered the Trojan Gameover Zeus in his lab, and one year after the FBI agent Peterson had asked them for help, Tillmann Werner and Brett Stone-Gross, Rossows friends, opened their laptops in an empty conference room in Pittsburgh. On the table in front of them were two big screens, behind them twelve FBI agents and several high-ranking US lawyers.
Rossow had to think twice
Peterson had been working obsessively towards this day. In just a few moments these two guys, a German and an American, would begin to destroy Bogachevs botnet. This was why he had asked them to come here, to a green building in the centre of town, the national cyber-defence centre of the US. And whilst their programme kept digging deeper into Bogachevs network, dismantling his weapon, dozens of investigators in Canada, Germany, France and England, and most of all in Russia and the Ukraine, started to search several houses and apartments. They arrested ten of the men who had helped Bogachev with his raids. This was all part of Petersons plan.
At just after 8am PST on that Friday morning, Stone-Gross and Werner pressed enter. Seven hours later, Rossows mobile phone began to ring. It was now late in Germany, almost 9pm, when he got the call from Tillman Werner. Rossow was sitting on a wooden bench in front of his holiday apartment reading a book. He was on vacation with his girlfriend.
When they decided who was going to make the trip to Pittsburgh, Rossow had to think twice. He was the one who had tracked Bogachev down. It was Rossow who had followed his path, got to know his personality, who had formed a picture of him. Now that everything was heading towards the big showdown, and he was in a position to finish what he had started, he was, instead, on holiday. He had been working very hard and had promised his girlfriend months ago that they would have this time together; in three weeks they would get married. Rossow actually preferred working on his own anyway. It made him nervous to have people standing behind him, watching him work. When things became difficult he couldnt deal with the distraction. And it had never mattered to him whether he was in Gelsenkirchen or Dinslaken, in Bonn or Pittsburgh. The fight against Bogachev was fought in cyber space, not a specific place on the map. All Rossow needed was his laptop and an Internet connection.
“Somethings wrong“, Werner said.
Their programme was running slow, taking a long time to infiltrate Bogachevs botnet. Much too slow. At this speed, Bogachev wouldnt have the slightest problem keeping control of the external computers. They checked everything, tried every solution they could think of. The problem must be the code. They checked that too, again and again, but they couldnt find a mistake. Now it was all up to Rossow. If he couldnt find a solution, it might mean the end of one of the most elaborate investigations in a very long time.
Rossow opened his laptop in the holiday apartment, but the Internet connection failed. He got on his bike, rode into town, and found a hotel with Wi-Fi. He sank into a sofa in the lobby and started the two programmes that he had used for the two previous attacks. Then he sat there in the twilight, half human and half shadow. The screen threw a blueish glow on his face. Rossow clicked on the black window and started searching for the spot in their code where he thought the mistake might be. Then he started writing it again. From this moment on he stopped noticing anything around him. When Rossow was finished he pressed enter and watched as their programme began to eat its way into Bogachevs network.
Three days later, a distinguished gentleman with a narrow face, a blow-dry and a moustache, stepped in front of the press, two flags behind him, the Stars and Stripes and the American Eagle. James Cole, Deputy Attorney General, had something sensational to announce. The USA, Cole said, have, with the assistance of an international search team, been able to catch one of the most experienced cyber criminals in the world. Evgeniy Mikhailovich Bogachev had created “the most complicated system of computer viruses we have ever encountered.“ With the help of Russian and Ukrainian accomplices Bogachev had infected over one million computers, including the servers of US banks. Cole said that a US court would try Bogachev for Internet and bank fraud, blackmailing, data theft and money laundering.
That afternoon Rossow talked to Werner and asked him to tell him every detail of what had happened. When he hung up the phone he thought thats it, the story is over. But since then the story has developed a life of its own. That is the reason why, five years after it all began, Rossow is now sitting in his living room, not quite certain what to make of it all. He has good reason to be proud. He did something truly extraordinary. The FBI has given him a certificate in a dark-blue faux-leather frame, which now sits on the shelf in his office at the university. Right after he finished his studies he was offered his own research group at another university. His lectures are popular. Big IT-companies invite him regularly for presentations in Nice or Silicon Valley. But every time he hears his name publicly announced he flinches. He didnt take on just any hacker, but a criminal who might be capable of anything. He fears that Bogachev might take revenge. And then, of course, there is the espionage.
Deeply hidden within Bogachevs botnet, Rossow and the others found a number of search warrants, not usually needed by digital bank robbers, and not usually found in their malware.
Does Bogachev still live in Russia?
Someone was collecting information about Georgia and the Ukraine, about Syria and Turkey, all potentially explosive stuff. Their search terms showed that they were after classified government documents, and after certain employees of foreign intelligence services. This pointed towards Russian involvement. At that time, no one else was as interested in these countries as Russias president Vladimir Putin. He had pursued a war against Georgia and their relationship was still tense. The Syrian ruler Bashar al-Assad was bombing his own people and Putin was on his side, Turkey on Europes and Americas side. And Putin was also leading a war against the Ukraine.
The data collected by Bogachevs malware pointed towards the possibility of a spy, maybe even one directly assigned by the Russian government, who had settled into Bogachevs botnet. The quality of his cyber weapon seemed to confirm such a conclusion. “I would be careful with stuff like that”, says Rossow, noting that there are so many ways to disguise yourself and set someone on the wrong track in the Internet.
Still, the American investigators, even FBI agent Peterson, speak of espionage and how Bogachev was behind this search for potentially dangerous information. In the summer of 2014, the USA asked Russia to extradite Bogachev – in vain, as there is no extradition treaty between the two countries. In February 2015, the FBI made Bogachev a wanted person, with a bounty of $3 million. It is the highest reward for capture that US agencies have ever put on a cyber criminal.
A lot of evidence suggests that Bogachev still lives in Russia, in Anapa, a spa-town of sixty thousand inhabitants on the coast of the Black Sea. He is officially listed as having an address there, an apartment in a high-rise building, with a police station only a few hundred meters away. He is there regularly, his neighbours told Russian and English journalists. They like him. They talk about how pleasant he is, and that he drives around in an old Volvo with a sticker on the car wing, an advert for computer repairs. He is also supposed to be on his yacht from time to time, which lies just off the coast. Bogachev does not seem particularly bothered about staying hidden – one of the reasons why investigators in the USA and Europe think it possible that Putins government is protecting him.
This is all pure speculation, but speculation can travel like a computer virus. Elliott Peterson, Bogachevs FBI hunter, made it all public a few months ago. At a cyber conference in Las Vegas he presented an extensive report about the hunt for Bogachev. Evidence suggested, Peterson claimed, that Gameover Zeus was used to spy from the very beginning. In the epilogue, he thanked Rossow personally.
Rossow makes a face when asked about this. Sometimes he feels as though the world has gone up in flames. As though the USA and Russia were back in the Cold War. He fears that in times like these the smallest provocation could be enough to spark an escalation. Espionage, diplomatic complications, cyber war. The whole thing has become too big for him.
He is a computer scientist. He wanted to figure something out, and do the right thing. But now it seems that no one is interested in that anymore.
Read from source