Vulnerabilities / Threats
6/3/2014
01:56 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Cleaning Up After GOZeus Takedown

Public-private effort shows signs of improvement, but these types of actions are fleeting.

Security pundits are pointing to yesterday's GOZeus takedown as a good example of how the sophistication of public-private partnerships to bring cybercriminals to justice is increasing. But at the same time, many experts believe that ultimately industry must do a better job cleaning up its side of the fence because the affects of takedowns, arrests, and government actions are fleeting at best.

According to Adam Meyers, vice president of intelligence at CrowdStrike, one of a handful of security vendors that helped the Department of Justice (DOJ) carry out this action, Operation Tovar was the culmination of months of effort between not just the DOJ and industry players, but also between foreign governments and law enforcement agencies.

"This really speaks to the partnership between industry and public sector in being able to pull it all together. Law enforcement has really figured out how to leverage a lot of the technical expertise of industry and to work harmoniously to really attack a complex problem," Meyers says. "They've gotten into a pretty good groove with working with industry."

Meyers points to legal documents that had to be filed, technical coordination to develop enough information to create a complaint and find the culprit for the arrest, plus coordination with ISPs and other industry players to make the takedown happen through redirection of IPs, seizing of domains and so on.

"I think for the variants of CryptoLocker these guys were behind, we've significantly disrupted the ability for this group to distribute that version," he says.

However, other security pundits warn that the affects will be limited and will only last so long.

"One thing to keep in mind is that it's not really CryptoLocker that's being eradicated, it's just one of the delivery mechanisms," says Andrew Hay, research leader at OpenDNS. "In all likelihood, this is going to pop up again in a matter of days, weeks, or months and it's going to be harder to detect and they're going to be far more careful this time, especially if it's the same organization."

It's what Dr. Mike Lloyd, CTO of RedSeal Networks calls security's "cockroach problem."

"Killing one of these just means there will be another one along soon. We will continue to see more botnets, more takedowns -- a repeating cycle -- until the bad guys find this is no longer an easy way to get what they are after," he says. "As long as we are easy targets who are cheap to compromise, attackers will exploit our weakness. Our current security defenses are generally weak, haphazard, and full of gaps, so we shouldn't be surprised when the petri dish of the Internet produces interesting new maladies."

For example, since CryptoLocker made its debut it has been followed up by a whole laundry list of copycat encryption ransomware that copied and refined its methods.

"They're all very similar where they'll connect to a command and control going to a known, dynamically generated domain or now they're varying by switching between IP addresses and basically using the same underlying methodology with different encryption algorithms," Hay says.

What's more, for CryptoLocker itself, Hay says that considering in the first month alone it generated $27 million in earnings, there are deep pockets to pay developers for "rapid development and refactoring."

Which is why it will be important for enterprises to at very least heed DOJ advice to quickly look for evidence of current GoZeus infection and avoid being easily re-compromised once the bad guys retool for a new botnet and take advantage of already existing hooks into previously infected machines.

A number of antivirus companies are offering automated tools to help with clean-up, though some forensics pros recommend enterprises do deeper manual inspection to ensure total clean-up.

"Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign," says Lucas Zaichkowsky, enterprise defense architect for AccessData. "For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what their existing products aren’t telling them."

Unfortunately, for some organizations, it may be too late for clean-up. 

"Those who are encrypted are in a world of hurt and they probably can't even buy their way out of the problem now," Hay says. "If your data is already encrypted, this takedown is likely going to cause you even more grief because you won't be able to pay to have it decrypted."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EChickowski921
50%
50%
EChickowski921,
User Rank: Apprentice
6/5/2014 | 1:36:29 PM
Re: Cooperation
I think industry and law enforcement are working well together in U.S., the bigger barrier is between international agencies.
Kwattman
50%
50%
Kwattman,
User Rank: Apprentice
6/4/2014 | 2:38:02 PM
Tovar takedown
Great article and love the cockroach anaology. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 10:39:26 AM
Cooperation
Good story, Erica. It's encouraging to read about even a few small signs of public-private cooperation to take down the bad guys behind GoZeus and Cryptlocker and other types of ransomwhere. What do you think is standing in the way of greater partnerships between indusry and law enforcement? 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.