
It’s ‘Game Over’ for Zeus and CryptoLocker



Under Operation Tovar, global law enforcement—in conjunction with the private sector and McAfee—has launched an action to dismantle the Gameover Zeus and CryptoLocker infrastructure. Disrupting the criminal infrastructure by taking control of the domains that form part of the communications network provides a rare window for owners of infected systems to remove the malware and take back control of their digital lives.

If you, or anybody you know, receive a notification from your Internet service provider, then please do not ignore it. Use the removal tool to delete the malware from your system, and ensure you have appropriate protection to prevent future infections.

The removal tool is available at the following URL:

http://www.mcafee.com/stinger

We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly.

Read more at:

http://blogs.mcafee.com/mcafee-labs/game-zeus-cryptolocker



I don't get it. :unsure:

I cannot say anything about GameOver Zeus.

 

But Cryptolocker is not AFAIK in any way "stealth"; once (if) you are infected by it, it will quickly encrypt all your data, so it is not something that you may have already got and have unknowingly on your PC. IF you get it :w00t: you are pretty much pwned :ph34r: immediately or so.

 

jaclaz


I've also come across supposed "scareware" news stories about this bug. Something not about how the C&Cs were taken by law enforcement, but that some specific day to come will lock users out of their computers. At least users in the UK (from this unfortunately titled Reg article) have only 2 weeks to clean their PC before some unforeseen doom happens.

http://www.theregister.co.uk/2014/06/02/nca_gameoverzeus_cryptolocker_warning/


And these confirm:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24786/en_US/McAfee_Labs_Threat_Advisory_Ransom_Cryptolocker.pdf

http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99&tabid=2

how, if Cryptolocker cannot connect to its (hardcoded, main) "home server", it tries to connect to a "random" domain to transmit the AES encryption key.

 

Maybe the good NCA guys managed to block 184.164.136.134 and all the generated domains, but all the authors of the malware have to do is procure a bunch of new domains, modify the binary, and re-infect files on the web.

 

I am failing to see how the "two weeks" can be estimated.

 

Seemingly the peeps from OpenDNS have reverse-engineered the DGA algorithm:

http://www.opendns.com/enterprise-security/products/cryptolocker-containment-is-the-new-prevention/

http://info.opendns.com/rs/opendns/images/DS-OpenDNS-Combating-Ransomware.pdf

and claim that if you use such a DNS "Umbrella", the malware is prevented from connecting to any of the generated domains; it is possible that the NCA used a similar approach. :unsure:

 

jaclaz 

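Added example, not code from this thread or from OpenDNS or McAfee: the fallback described above (a host that cannot reach its hardcoded server and starts looking up generated domains) shows up at the resolver as a burst of failed lookups of random-looking names, which is what a DNS-layer filter can act on. The log format, the heuristic thresholds and the domain names below are constructed assumptions; the real CryptoLocker DGA is not on this page and is not reproduced.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "<time> <client> <qname> <rcode>".
# 10.0.0.5 plays an infected host: its hardcoded server no longer resolves, so it
# falls back to a run of generated names. 10.0.0.7 plays a clean host with one typo.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 c2-main.example NXDOMAIN
12:00:02 10.0.0.5 qkxvtrwlpmbz.com NXDOMAIN
12:00:02 10.0.0.5 hfjdnslqyrtk.net NXDOMAIN
12:00:03 10.0.0.5 zptmxbgkvwdc.biz NXDOMAIN
12:00:03 10.0.0.5 rwlqbxjzkdtp.org NXDOMAIN
12:00:04 10.0.0.5 mtgqxvzhrwpk.info NXDOMAIN
12:00:04 10.0.0.5 bqhxtvzkfnlw.ru NXDOMAIN
12:00:05 10.0.0.7 www.bbc.com NOERROR
12:00:06 10.0.0.7 mail.example.com NOERROR
12:00:07 10.0.0.7 wwww.bbc.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_generated(qname, min_len=10, max_vowel_ratio=0.35, min_entropy=3.0):
    """Heuristic (assumed thresholds): long, vowel-poor, high-entropy label."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2 or not parts[-2]:
        return False
    label = parts[-2]  # naive: label left of the TLD, no public-suffix handling
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (len(label) >= min_len and vowel_ratio <= max_vowel_ratio
            and shannon_entropy(label) >= min_entropy)

def parse_log(text):
    """Return (client, qname, rcode) tuples; lines that do not match are skipped."""
    recs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            recs.append((m.group(2), m.group(3), m.group(4)))
    return recs

def flag_hosts(records, nx_threshold=5):
    """Map client -> failed lookups of generated-looking names, for clients at or
    above nx_threshold; these are the hosts to isolate and run the removal tool on."""
    suspects = defaultdict(list)
    for client, qname, rcode in records:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            suspects[client].append(qname)
    return {c: q for c, q in suspects.items() if len(q) >= nx_threshold}

if __name__ == "__main__":
    for client, names in flag_hosts(parse_log(SAMPLE_LOG)).items():
        print(client, "->", len(names), "generated-looking NXDOMAINs")
```

A single odd lookup is not evidence; the per-host threshold is what separates a DGA fallback from an ordinary typo.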


The creep who controls Cryptolocker has probably started up again anyway elsewhere. Russian and Ukrainian authorities never caught him, assuming they were trying to.
