6/3/2014
01:56 PM
Cleaning Up After GOZeus Takedown

Public-private effort shows signs of improvement, but these types of actions are fleeting.

Security pundits are pointing to yesterday's GOZeus takedown as a good example of how public-private partnerships to bring cybercriminals to justice are growing more sophisticated. But at the same time, many experts believe that ultimately industry must do a better job cleaning up its side of the fence, because the effects of takedowns, arrests, and government actions are fleeting at best.

According to Adam Meyers, vice president of intelligence at CrowdStrike, one of a handful of security vendors that helped the Department of Justice (DOJ) carry out this action, Operation Tovar was the culmination of months of effort between not just the DOJ and industry players, but also between foreign governments and law enforcement agencies.

"This really speaks to the partnership between industry and public sector in being able to pull it all together. Law enforcement has really figured out how to leverage a lot of the technical expertise of industry and to work harmoniously to really attack a complex problem," Meyers says. "They've gotten into a pretty good groove with working with industry."

Meyers points to legal documents that had to be filed, technical coordination to develop enough information to create a complaint and find the culprit for the arrest, plus coordination with ISPs and other industry players to make the takedown happen through redirection of IPs, seizing of domains and so on.

"I think for the variants of CryptoLocker these guys were behind, we've significantly disrupted the ability for this group to distribute that version," he says.

However, other security pundits warn that the effects will be limited and will only last so long.

"One thing to keep in mind is that it's not really CryptoLocker that's being eradicated, it's just one of the delivery mechanisms," says Andrew Hay, research leader at OpenDNS. "In all likelihood, this is going to pop up again in a matter of days, weeks, or months and it's going to be harder to detect and they're going to be far more careful this time, especially if it's the same organization."

It's what Dr. Mike Lloyd, CTO of RedSeal Networks calls security's "cockroach problem."

"Killing one of these just means there will be another one along soon. We will continue to see more botnets, more takedowns -- a repeating cycle -- until the bad guys find this is no longer an easy way to get what they are after," he says. "As long as we are easy targets who are cheap to compromise, attackers will exploit our weakness. Our current security defenses are generally weak, haphazard, and full of gaps, so we shouldn't be surprised when the petri dish of the Internet produces interesting new maladies."

For example, since CryptoLocker made its debut it has been followed up by a whole laundry list of copycat encryption ransomware that copied and refined its methods.

"They're all very similar where they'll connect to a command and control going to a known, dynamically generated domain or now they're varying by switching between IP addresses and basically using the same underlying methodology with different encryption algorithms," Hay says.

What's more, for CryptoLocker itself, Hay says that considering in the first month alone it generated $27 million in earnings, there are deep pockets to pay developers for "rapid development and refactoring."

That is why enterprises should at the very least heed DOJ advice to quickly look for evidence of current GOZeus infection, so they are not easily re-compromised once the bad guys retool for a new botnet and take advantage of existing hooks into previously infected machines.

A number of antivirus companies are offering automated tools to help with clean-up, though some forensics pros recommend enterprises do deeper manual inspection to ensure total clean-up.

"Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign," says Lucas Zaichkowsky, enterprise defense architect for AccessData. "For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what their existing products aren’t telling them."

Unfortunately, for some organizations, it may be too late for clean-up. 

"Those who are encrypted are in a world of hurt and they probably can't even buy their way out of the problem now," Hay says. "If your data is already encrypted, this takedown is likely going to cause you even more grief because you won't be able to pay to have it decrypted."

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments
Ericka Chickowski, User Rank: Moderator, 6/5/2014 | 1:36:29 PM
Re: Cooperation
I think industry and law enforcement are working well together in the U.S.; the bigger barrier is between international agencies.

Kwattman, User Rank: Black Belt, 6/4/2014 | 2:38:02 PM
Tovar takedown
Great article and love the cockroach analogy.

Marilyn Cohodas, User Rank: Strategist, 6/4/2014 | 10:39:26 AM
Cooperation
Good story, Ericka. It's encouraging to read about even a few small signs of public-private cooperation to take down the bad guys behind GoZeus and CryptoLocker and other types of ransomware. What do you think is standing in the way of greater partnerships between industry and law enforcement?