Vulnerabilities / Threats
6/3/2014
01:56 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Cleaning Up After GOZeus Takedown

Public-private effort shows signs of improvement, but these types of actions are fleeting.

Security pundits are pointing to yesterday's GOZeus takedown as a good example of how the sophistication of public-private partnerships to bring cybercriminals to justice is increasing. But at the same time, many experts believe that ultimately industry must do a better job cleaning up its side of the fence because the affects of takedowns, arrests, and government actions are fleeting at best.

According to Adam Meyers, vice president of intelligence at CrowdStrike, one of a handful of security vendors that helped the Department of Justice (DOJ) carry out this action, Operation Tovar was the culmination of months of effort between not just the DOJ and industry players, but also between foreign governments and law enforcement agencies.

"This really speaks to the partnership between industry and public sector in being able to pull it all together. Law enforcement has really figured out how to leverage a lot of the technical expertise of industry and to work harmoniously to really attack a complex problem," Meyers says. "They've gotten into a pretty good groove with working with industry."

Meyers points to legal documents that had to be filed, technical coordination to develop enough information to create a complaint and find the culprit for the arrest, plus coordination with ISPs and other industry players to make the takedown happen through redirection of IPs, seizing of domains and so on.

"I think for the variants of CryptoLocker these guys were behind, we've significantly disrupted the ability for this group to distribute that version," he says.

However, other security pundits warn that the affects will be limited and will only last so long.

"One thing to keep in mind is that it's not really CryptoLocker that's being eradicated, it's just one of the delivery mechanisms," says Andrew Hay, research leader at OpenDNS. "In all likelihood, this is going to pop up again in a matter of days, weeks, or months and it's going to be harder to detect and they're going to be far more careful this time, especially if it's the same organization."

It's what Dr. Mike Lloyd, CTO of RedSeal Networks calls security's "cockroach problem."

"Killing one of these just means there will be another one along soon. We will continue to see more botnets, more takedowns -- a repeating cycle -- until the bad guys find this is no longer an easy way to get what they are after," he says. "As long as we are easy targets who are cheap to compromise, attackers will exploit our weakness. Our current security defenses are generally weak, haphazard, and full of gaps, so we shouldn't be surprised when the petri dish of the Internet produces interesting new maladies."

For example, since CryptoLocker made its debut it has been followed up by a whole laundry list of copycat encryption ransomware that copied and refined its methods.

"They're all very similar where they'll connect to a command and control going to a known, dynamically generated domain or now they're varying by switching between IP addresses and basically using the same underlying methodology with different encryption algorithms," Hay says.

What's more, for CryptoLocker itself, Hay says that considering in the first month alone it generated $27 million in earnings, there are deep pockets to pay developers for "rapid development and refactoring."

Which is why it will be important for enterprises to at very least heed DOJ advice to quickly look for evidence of current GoZeus infection and avoid being easily re-compromised once the bad guys retool for a new botnet and take advantage of already existing hooks into previously infected machines.

A number of antivirus companies are offering automated tools to help with clean-up, though some forensics pros recommend enterprises do deeper manual inspection to ensure total clean-up.

"Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign," says Lucas Zaichkowsky, enterprise defense architect for AccessData. "For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what their existing products aren’t telling them."

Unfortunately, for some organizations, it may be too late for clean-up. 

"Those who are encrypted are in a world of hurt and they probably can't even buy their way out of the problem now," Hay says. "If your data is already encrypted, this takedown is likely going to cause you even more grief because you won't be able to pay to have it decrypted."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EChickowski921
50%
50%
EChickowski921,
User Rank: Apprentice
6/5/2014 | 1:36:29 PM
Re: Cooperation
I think industry and law enforcement are working well together in U.S., the bigger barrier is between international agencies.
Kwattman
50%
50%
Kwattman,
User Rank: Apprentice
6/4/2014 | 2:38:02 PM
Tovar takedown
Great article and love the cockroach anaology. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 10:39:26 AM
Cooperation
Good story, Erica. It's encouraging to read about even a few small signs of public-private cooperation to take down the bad guys behind GoZeus and Cryptlocker and other types of ransomwhere. What do you think is standing in the way of greater partnerships between indusry and law enforcement? 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.