Posts Tagged: Cryptolocker


9
Jun 14

Backstage with the Gameover Botnet Hijackers

When you’re planning to rob the Russian cyber mob, you’d better make sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today’s column features an interview with two security experts who helped plan and execute last week’s global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from banks, businesses and consumers worldwide.

Gameover infections on June 4, 2014. Source: Shadowserver.org

Neither expert I spoke with wished to be identified for this story, citing a lack of permission from their employers and a desire to remain off the radar of the crooks inconvenienced by the action. For obvious reasons, they were also reluctant to share details about the exact weaknesses that were used to hijack the botnet, focusing instead on the planning and preparation that went into this effort.

GAMEOVER ZEUS PRIMER

A quick review of how Gameover works should help readers get more out of the interview. In traditional botnets, infected PCs report home to and are controlled by a central server. But this architecture leaves such botnets vulnerable to disruption or takeover if authorities or security experts can gain access to the control server.

Gameover, on the other hand, is a peer-to-peer (P2P) botnet designed as a collection of small networks that are distinct but linked up in a decentralized fashion. The individual Gameover-infected PCs are known as “peers.” Above the peers are a select number of slightly more powerful and important infected systems that are assigned roles as “proxy nodes,” meaning they were selected from the peers to serve as relay points for commands coming from the Gameover botnet operators and as conduits for encrypted data stolen from the infected systems.

The basic network structure of the Gameover botnet. Source: FBI

The Gameover botnet code also includes a failsafe mechanism that can be invoked if the botnet’s P2P communications system fails, whether the failure is the result of a faulty malware update or because of a takedown effort by researchers/law enforcement. That failsafe is a domain generation algorithm (DGA) component that generates a list of 1,000 domain names each week (gibberish domains that are essentially long jumbles of letters) combined with one of six top-level domains: .com, .net, .org, .biz, .info and .ru. In the event the infected Gameover systems can’t get new instructions from their peers, the code instructs the botted systems to seek out domains from the latest list of 1,000 domains generated by the DGA until it finds a site with new instructions.
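One way a defender might spot this fallback behaviour in DNS resolver logs, shown as an added example that is not part of the original article: a machine walking a DGA list produces many failed lookups for long, random-looking names under the six top-level domains named above. The log format, the thresholds and the sample lines are constructed assumptions, and the heuristic does not reproduce Gameover's actual algorithm.

```python
import math
from collections import Counter, defaultdict

# The six TLDs the article lists for Gameover's fallback DGA.
DGA_TLDS = {"com", "net", "org", "biz", "info", "ru"}
# Assumed tuning values (not from the article); adjust to your own traffic.
MIN_LABEL_LEN = 16   # "long jumbles of letters"
MIN_ENTROPY = 3.0    # Shannon entropy, bits per character
MIN_DISTINCT = 5     # distinct failed lookups before a client is flagged

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(qname):
    """True for a long, high-entropy second-level label under one of the six TLDs."""
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] not in DGA_TLDS:
        return False
    label = parts[0]
    return (len(label) >= MIN_LABEL_LEN and label.isalnum()
            and entropy(label) >= MIN_ENTROPY)

def flag_clients(log_lines):
    """Map each client with >= MIN_DISTINCT distinct failed lookups of
    generated-looking names to the sorted list of those names."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:          # skip malformed lines
            continue
        _ts, client, qname, rcode = fields
        if rcode == "NXDOMAIN" and looks_generated(qname):
            seen[client].add(qname.lower().rstrip("."))
    return {c: sorted(n) for c, n in seen.items() if len(n) >= MIN_DISTINCT}

# Constructed sample resolver log: "<time> <client> <qname> <rcode>".
GIBBERISH = ["qkzvhtpwmxjrlbyfnucd.com", "wjxqnzbvtkplrmhgydsf.net",
             "hvzkqpxwtjnmbrlygfcs.org", "zmqxkwvjhtbnprlgydfc.biz",
             "pxkzqwjvmhtnbrylgfds.info", "jqzxkvwphmtnrblygdcf.ru"]
SAMPLE_LOG = [f"12:00:{i:02d} 10.0.0.23 {d} NXDOMAIN" for i, d in enumerate(GIBBERISH)]
SAMPLE_LOG += [
    "12:00:07 10.0.0.23 qkzvhtpwmxjrlbyfnucd.com NXDOMAIN",   # repeat, counted once
    "12:01:00 10.0.0.40 www.example.com NOERROR",
    "12:01:05 10.0.0.40 exmaple.com NXDOMAIN",                # short typo
    "12:01:09 10.0.0.40 internationalbusinessnews.com NXDOMAIN",  # one long miss only
]

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(client, len(names), "suspicious failed lookups")
```

A single long failed lookup, like the one from 10.0.0.40, is not enough to flag a client; only the volume of distinct misses is.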

HUNDREDS OF ‘WEB INJECTS’

The Gameover malware was designed specifically to defeat two-factor authentication used by many banks. It did so using a huge collection of custom-made scripts known as “Web injects” that can inject custom content into a Web browser when the victim browses to certain sites — such as a specific bank’s login page. Web injects also are used to prompt the victim to enter additional personal information when they log in to a trusted site. An example of this type of Web inject can be seen in the video below, which shows an inject designed for Citibank customers.


2
Jun 14

‘Operation Tovar’ Targets ‘Gameover’ ZeuS Botnet, CryptoLocker Scourge

The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently comprises an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.

This graphic, from 2012, shows the decentralized nature of P2P network connectivity of 23,196 PCs infected with Gameover. Image: Dell SecureWorks

The sneak attack on Gameover, dubbed “Operation Tovar,” began late last week and is a collaborative effort by investigators at the FBI, Europol, and the UK’s National Crime Agency; security firms CrowdStrike, Dell SecureWorks, Symantec, Trend Micro and McAfee; and academic researchers at VU University Amsterdam and Saarland University in Germany. News of the action first came to light in a blog post published briefly on Friday by McAfee, but that post was removed a few hours after it went online.

Gameover is based on code from the ZeuS Trojan, an infamous family of malware that has been used in countless online banking heists. Unlike ZeuS — which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend — Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine.

Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers.

The curators of Gameover also have reportedly loaned out sections of their botnet to vetted third-parties who have used them for a variety of purposes. One of the most popular uses of Gameover has been as a platform for seeding infected systems with CryptoLocker, a nasty strain of malware that locks your most precious files with strong encryption until you pay a ransom demand.

According to a 2012 research paper published by Dell SecureWorks, the Gameover Trojan is principally spread via Cutwail, one of the world’s largest and most notorious spam botnets (for more on Cutwail and its origins and authors, see this post). These junk emails typically spoof trusted brands, including shipping and phone companies, online retailers, social networking sites and financial institutions. The email lures bearing Gameover often come in the form of an invoice, an order confirmation, or a warning about an unpaid bill (usually with a large balance due to increase the likelihood that a victim will click the link). The links in the email have been replaced with those of compromised sites that will silently probe the visitor’s browser for outdated plugins that can be leveraged to install malware.

It will be interesting to hear how the authorities and security researchers involved in this effort managed to gain control over the Gameover botnet, which uses an advanced peer-to-peer (P2P) mechanism to control and update the bot-infected systems.


6
Nov 13

CryptoLocker Crew Ratchets Up the Ransom

Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few days’ time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.

This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.

To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.

Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.

“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.

“We put up a survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did,” Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”

Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.

“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams said that his testing has shown that as long as the registry key “HKCU\Software\Cryptolocker_0388” remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.

“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-than-thou route.”

CRYPTOLOCKER DECRYPTION SERVICE

On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.

The “Cryptolocker Decryption Service.”

“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site — yet another potential hurdle for victims to jump through.

According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.

Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.



1
Nov 13

How To Avoid CryptoLocker Ransomware

Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

A CryptoLocker prompt and countdown clock. Image: Malwarebytes.org

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may be encrypted as well.

Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit — a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.
