Just before Tillmann Werner flies to the United States, he notices a server that the FBI agents missed. “That was already caustic,” he says today. Only “on a whim” did he and his colleagues search the internet once more for specially configured servers: ways in which the criminal hackers could try to defend themselves against a takeover by the American federal police.

In fact, he found some. A months-long planned operation, spread across two continents, meant to strip a network of criminal hackers of their digital tools: it threatened to fail because of an avoidable error.

Tillmann Werner is a security researcher who helps investigators such as the FBI.

(Photo: OH)

Werner boards the plane, it is mid-2014, he is on his way to Pittsburgh, USA, and starts writing program code right away. By the end of the operation, he and the other four IT security researchers will have written 90,000 lines altogether.

Damage of at least 150 million dollars

With this code, the FBI’s investigators can cripple “Gameover Zeus,” a formidable botnet that, according to the authority, had controlled more than a million computers. In this way, they are able to deal a heavy blow to one of the most notorious criminal gangs on the net. The hackers, according to the investigators, caused damage of at least 150 million dollars. Werner ensured that the technical side of the FBI’s counter-attack was flawless.

IT security experts explain complex technical terms in a language brimming with allegories. A botnet, they describe as a relationship between a ruler and his slaves. A classic botnet infects computers and distributes commands centrally, from one server to another. This technical infrastructure is immediately “burned”, i.e. publicly known, as the 38-year-old says: “There are more than a hundred thousand computers infected”. To switch off the nets, police officers can try to take these servers off the Internet.


Botnets like Gameover Zeus are even more complex. Instead of receiving commands via central web pages, the computers communicate primarily with each other and distribute data among themselves. It is more difficult to cut off this decentralized communication, which runs without hierarchy. Security researchers need to get the infected computers to accept commands from another central location, namely the researchers themselves; only then can they disable the botnet.

They make themselves the new ruler of the servants. The hackers’ central servers still exist, but remain in the background. The criminals can try to launch a counter-attack, build emergency communication channels, and regain control from the security researchers.

“I’m going to get five million in a Heartbeat”

The strategy of the criminals, which Werner wants to thwart, goes like this: the hackers’ malicious software infects computers, for example via a mail attachment. Anyone who opens it installs their program without noticing. The next time the victim calls up a bank web page, the hackers alter its appearance, for example. The victims give away even more information about themselves, which lands with the hackers. The hackers now also have the login data, because they log every typed word.

As soon as the owners log into their bank account online, and six- or seven-digit sums have been deposited in this account, the hackers access them. “They said, ‘I’m going to get five million in a heartbeat.’ But of course, the internal banking system will then raise an alert,” Werner says.

To distract the bank, the hackers therefore launch an additional distributed denial of service (DDoS) attack. The bank’s servers are flooded with requests. While this attack keeps the IT department busy, no one notices the expensive transaction. The transfer goes through, and the criminal creams off the money.

A shadow hunted for years

On the phone, a participating investigator tells how it felt as if they had been chasing a shadow for years. “It’s hard to figure out who is running a botnet because these people are very keen on staying anonymous,” says the man, who cannot be named. Sometimes, however, they make mistakes. Then you can strike. “These people have a normal life and a criminal life. My job is to find the point where both lives overlap.”

For years the investigators get nowhere in finding out anything about the hacker’s normal life; they only know his many online pseudonyms, “Slavik” being one of them. By contrast, the agents are very well acquainted with his criminal life, namely the preferred hacking methods of the “Business Club”, as the group that used Gameover Zeus called itself and whose boss is Slavik. Years later, IT security researchers at Fox-IT will find, in painstaking detail work, that Slavik can be linked to an e-mail address that ultimately leads to a real name: Yevgeny Mikhailovich Bogatschow.

When Werner talks about Bogatschow, he calls his approach “extraordinary”; sometimes he speaks of a criminal organization that can be described as a mafia. Obviously, Werner appreciates the technical skills of the man whose work he has destroyed. An equal opponent.