6/3/2014 01:56 PM

Cleaning Up After GOZeus Takedown

Public-private effort shows signs of improvement, but these types of actions are fleeting.

Security pundits are pointing to yesterday's GOZeus takedown as a good example of how public-private partnerships to bring cybercriminals to justice are growing more sophisticated. But at the same time, many experts believe that ultimately industry must do a better job cleaning up its side of the fence, because the effects of takedowns, arrests, and government actions are fleeting at best.

According to Adam Meyers, vice president of intelligence at CrowdStrike, one of a handful of security vendors that helped the Department of Justice (DOJ) carry out this action, Operation Tovar was the culmination of months of effort between not just the DOJ and industry players, but also between foreign governments and law enforcement agencies.

"This really speaks to the partnership between industry and public sector in being able to pull it all together. Law enforcement has really figured out how to leverage a lot of the technical expertise of industry and to work harmoniously to really attack a complex problem," Meyers says. "They've gotten into a pretty good groove with working with industry."

Meyers points to legal documents that had to be filed, technical coordination to develop enough information to create a complaint and find the culprit for the arrest, plus coordination with ISPs and other industry players to make the takedown happen through redirection of IPs, seizing of domains and so on.

"I think for the variants of CryptoLocker these guys were behind, we've significantly disrupted the ability for this group to distribute that version," he says.

However, other security pundits warn that the effects will be limited and will only last so long.

"One thing to keep in mind is that it's not really CryptoLocker that's being eradicated, it's just one of the delivery mechanisms," says Andrew Hay, research leader at OpenDNS. "In all likelihood, this is going to pop up again in a matter of days, weeks, or months and it's going to be harder to detect and they're going to be far more careful this time, especially if it's the same organization."

It's what Dr. Mike Lloyd, CTO of RedSeal Networks, calls security's "cockroach problem."

"Killing one of these just means there will be another one along soon. We will continue to see more botnets, more takedowns -- a repeating cycle -- until the bad guys find this is no longer an easy way to get what they are after," he says. "As long as we are easy targets who are cheap to compromise, attackers will exploit our weakness. Our current security defenses are generally weak, haphazard, and full of gaps, so we shouldn't be surprised when the petri dish of the Internet produces interesting new maladies."

For example, since CryptoLocker made its debut it has been followed up by a whole laundry list of copycat encryption ransomware that copied and refined its methods.

"They're all very similar where they'll connect to a command and control going to a known, dynamically generated domain or now they're varying by switching between IP addresses and basically using the same underlying methodology with different encryption algorithms," Hay says.

What's more, for CryptoLocker itself, Hay says that considering in the first month alone it generated $27 million in earnings, there are deep pockets to pay developers for "rapid development and refactoring."

Which is why it will be important for enterprises to at the very least heed DOJ advice to quickly look for evidence of current GoZeus infection, and to avoid being easily re-compromised once the bad guys retool for a new botnet and take advantage of already existing hooks into previously infected machines.

A number of antivirus companies are offering automated tools to help with clean-up, though some forensics pros recommend enterprises do deeper manual inspection to ensure total clean-up.

"Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign," says Lucas Zaichkowsky, enterprise defense architect for AccessData. "For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what their existing products aren’t telling them."

Unfortunately, for some organizations, it may be too late for clean-up.

"Those who are encrypted are in a world of hurt and they probably can't even buy their way out of the problem now," Hay says. "If your data is already encrypted, this takedown is likely going to cause you even more grief because you won't be able to pay to have it decrypted."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Ericka Chickowski,
User Rank: Moderator
6/5/2014 | 1:36:29 PM
Re: Cooperation
I think industry and law enforcement are working well together in the U.S.; the bigger barrier is between international agencies.
Kwattman,
User Rank: Black Belt
6/4/2014 | 2:38:02 PM
Tovar takedown
Great article and love the cockroach analogy.
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 10:39:26 AM
Cooperation
Good story, Ericka. It's encouraging to read about even a few small signs of public-private cooperation to take down the bad guys behind GoZeus and CryptoLocker and other types of ransomware. What do you think is standing in the way of greater partnerships between industry and law enforcement?