6/3/2014
01:56 PM

Cleaning Up After GOZeus Takedown

Public-private effort shows signs of improvement, but these types of actions are fleeting.

Security pundits are pointing to yesterday's GOZeus takedown as a good example of how public-private partnerships to bring cybercriminals to justice are growing more sophisticated. But at the same time, many experts believe that industry must ultimately do a better job of cleaning up its own side of the fence, because the effects of takedowns, arrests, and government actions are fleeting at best.

According to Adam Meyers, vice president of intelligence at CrowdStrike, one of a handful of security vendors that helped the Department of Justice (DOJ) carry out this action, Operation Tovar was the culmination of months of effort between not just the DOJ and industry players, but also between foreign governments and law enforcement agencies.

"This really speaks to the partnership between industry and public sector in being able to pull it all together. Law enforcement has really figured out how to leverage a lot of the technical expertise of industry and to work harmoniously to really attack a complex problem," Meyers says. "They've gotten into a pretty good groove with working with industry."

Meyers points to the legal documents that had to be filed, the technical coordination needed to develop enough information to create a complaint and identify the culprit for the arrest, and the coordination with ISPs and other industry players to make the takedown happen through redirection of IPs, seizure of domains, and so on.

"I think for the variants of CryptoLocker these guys were behind, we've significantly disrupted the ability for this group to distribute that version," he says.

However, other security pundits warn that the effects will be limited and will only last so long.

"One thing to keep in mind is that it's not really CryptoLocker that's being eradicated, it's just one of the delivery mechanisms," says Andrew Hay, research leader at OpenDNS. "In all likelihood, this is going to pop up again in a matter of days, weeks, or months and it's going to be harder to detect and they're going to be far more careful this time, especially if it's the same organization."

It's what Dr. Mike Lloyd, CTO of RedSeal Networks, calls security's "cockroach problem."

"Killing one of these just means there will be another one along soon. We will continue to see more botnets, more takedowns -- a repeating cycle -- until the bad guys find this is no longer an easy way to get what they are after," he says. "As long as we are easy targets who are cheap to compromise, attackers will exploit our weakness. Our current security defenses are generally weak, haphazard, and full of gaps, so we shouldn't be surprised when the petri dish of the Internet produces interesting new maladies."

For example, since CryptoLocker made its debut, it has been followed by a whole laundry list of copycat encryption ransomware that copied and refined its methods.

"They're all very similar where they'll connect to a command and control going to a known, dynamically generated domain or now they're varying by switching between IP addresses and basically using the same underlying methodology with different encryption algorithms," Hay says.

What's more, for CryptoLocker itself, Hay says that, considering it generated $27 million in earnings in its first month alone, there are deep pockets to pay developers for "rapid development and refactoring."

Which is why it will be important for enterprises to, at the very least, heed DOJ advice to quickly look for evidence of current GOZeus infection, so they avoid being easily re-compromised once the bad guys retool for a new botnet and take advantage of the hooks that already exist in previously infected machines.

A number of antivirus companies are offering automated tools to help with clean-up, though some forensics pros recommend that enterprises do a deeper manual inspection to ensure the clean-up is complete.

"Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign," says Lucas Zaichkowsky, enterprise defense architect for AccessData. "For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what their existing products aren’t telling them."

Unfortunately, for some organizations, it may be too late for clean-up.

"Those who are encrypted are in a world of hurt and they probably can't even buy their way out of the problem now," Hay says. "If your data is already encrypted, this takedown is likely going to cause you even more grief because you won't be able to pay to have it decrypted."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
EChickowski921, User Rank: Apprentice, 6/5/2014 | 1:36:29 PM
Re: Cooperation
I think industry and law enforcement are working well together in the U.S.; the bigger barrier is between international agencies.
Kwattman, User Rank: Apprentice, 6/4/2014 | 2:38:02 PM
Tovar takedown
Great article and love the cockroach analogy.
Marilyn Cohodas, User Rank: Strategist, 6/4/2014 | 10:39:26 AM
Cooperation
Good story, Ericka. It's encouraging to read about even a few small signs of public-private cooperation to take down the bad guys behind GOZeus and CryptoLocker and other types of ransomware. What do you think is standing in the way of greater partnerships between industry and law enforcement?