McAfee Labs

It’s ‘Game Over’ for Zeus and CryptoLocker

By on Jun 02, 2014

Under Operation Tovar, global law enforcement—in conjunction with the private sector and McAfee—has launched an action to dismantle the Gameover Zeus and CryptoLocker infrastructure. Disrupting the criminal infrastructure by taking control of the domains that form part of the communications network provides a rare window for owners of infected systems to remove the malware and take back control of their digital lives.

If you, or anybody you know, receive a notification from your Internet service provider, then please do not ignore it. Use the removal tool to delete the malware from your system, and ensure you have appropriate protection to prevent future infections.

The removal tool is available at the following URL:

http://www.mcafee.com/stinger

We anticipate the criminal infrastructure of both Gameover Zeus and CryptoLocker will re-establish operations as quickly as they can. Thus you need to take action quickly.

What do Gameover Zeus and CryptoLocker do?

The two are in fact very different. Once Gameover Zeus finds its way onto a victim’s computer, it attempts to steal information from the victim. It has been used successfully by cybercriminals in all manner of attacks. From the theft of online banking credentials, credit card numbers, and even the login credentials for online job boards, the trail of destruction behind Gameover Zeus has netted criminals millions of dollars. For example, in August 2012 alone one estimate suggests that more than 600,000 systems were infected, many of these in Fortune 500 firms.

Gameover Zeus is based on the original Zeus, but works differently in that it decentralizes the control system and creates a peer-based network. The malware injects itself into legitimate Windows processes to maintain persistence, and also hooks system and browser functions to inject “fake” content into a user’s browser to conceal fraudulent activity.

This method is highly effective when the criminal wants to wire out large sums of money from a business account, but needs to conceal the activity for as long as possible until the funds are gone and have posted to the criminal’s account. Variants of Gameover Zeus operate in a peer-to-peer manner, getting their updates and configurations from available hosts on the peer network—making it much more difficult to disrupt. Gameover Zeus also has a function to dynamically update the configuration file that contains the payload usually designed to steal funds from a user’s bank account.

The functionality of Gameover Zeus ranges from simple credential stealing to advanced methods that involve hijacking a victim’s bank account in real time, enabling the criminal to wire out large amounts undetected.

Victims are typically infected via spear phishing campaigns that use various browser- and web-based exploits to deliver the malware onto the target system. The actors behind Gameover Zeus are interested in financial gain; thus they target consumers and businesses with this malware.

CryptoLocker, on the other hand, is not as sneaky, and warns users that unless they hand over a sum of money the malware will encrypt the data on the system. Such ransomware provides only a short window for the user to transfer the funds to the criminals, and failure to do so will result in the files being encrypted and unusable. If your system has files that are encrypted, the Stinger removal tool will not be able to retrieve them.

CryptoLocker encrypts the files on the system and generates a pop-up demanding that the victim pay a ransom to get the private key to decrypt the files. The malware uses public key cryptography algorithms to encrypt the victim’s files. Once the victim’s machine is infected, the key is generated and the private key is sent to the criminal’s server. The malware typically gives the victim 72 hours before the CryptoLocker server is supposed to destroy the private key, making the files unrecoverable and unusable. Victims are also infected via phishing emails and botnets.

Combining global law enforcement, including the National Crime Agency (United Kingdom), the FBI, and Europol, as well as partners in the private sector, this operation provides a unique opportunity for those who are infected to remove the infections. Victims of either malware family need to take advantage of this opportunity, because the criminals will attempt to re-establish their communications infrastructure as quickly as they can to continue stealing your data and money.

17 Comments

  • Ren Jame

    Is this CryptoLocker associated with the old Ransom virus? If it is, what are the basic differences in character?

  • Geoff Gunton

    I sent this request a few days ago, but it has not yet appeared in this discussion (which I think should be highlighted on your home page, such is the importance of this). If I have up to date McAfee protection, is that sufficient to catch Gameover Zeus? If not, why not?

  • dan

    I'm creating a query in ePO to check for any Ransom GameOver detections. What malware name can I add to the filter?

  • Burnsie

    Can Windows Mobile Phones be infected with Gameover Zeus?

  • Ame

    Regarding CryptoLocker, "Once the victim’s machine is infected, the key is generated and the private key is sent to the criminal’s server"

    At an enterprise level, would it be possible to retrieve the private key (that gets sent from the infected machine to the hacker’s server) from the raw log or packet cap on a UTM device such as Fortinet to use the key to decrypt the data?

  • Azfayel

    What is the detected name of infected Zeus or CryptoLocker binaries?

  • Aslam Ansari

    If a machine is running with DAT file 7457, do we still need the McAfee user-defined access protection rules below?
    1. *.exe block from execute and New file creation
    [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]
    2. **.doc block from Write and new file creation.
    [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]

    Please confirm.

    • Dan Sommer

      Senior researcher Craig Schmugar replies:
      These rules offer strong generic protection against a large variety of malware, not just Zeus and CryptoLocker. They offer an additional layer of proactive protection and it is best to keep such rules enabled even after signatures have been released.

    • Hi Aslam,

      Can you please share the document to create the Access Protection rule for Zeus/Gameover/CryptoLocker?

      1. *.exe block from execute and New file creation
      [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]
      2. **.doc block from Write and new file creation.
      [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]

      Regards,
      Pradeep

    • Hi Aslam,

      Please share the document to create the Access Protection rule.
      1. *.exe block from execute and New file creation
      [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]
      2. **.doc block from Write and new file creation.
      [OS installed drive]\Users\[logged in user]\AppData\Roaming \*.exe [ For Windows 7]

      Regards,
      Pradeep

    • nMaur

      These rules help fight a large variety of malware and should be used proactively.

  • Magawla

    An antivirus brand called CMC on www.virustotal.com found a trojan which, they say, is called Trojan.Win32.VBKrypt!O in your stinger32.exe. It can be a false positive. Maybe you are gonna check it.

    • Dan Sommer

      Senior researcher Craig Schmugar replies:
      There are about two million files detected as Trojan.Win32.VBKrypt!O, so we need more information to investigate any potential false positives.

  • Mike

    What level do you need to run McAfee Stinger at to defeat the Gameover Zeus and CryptoLocker viruses? Is network heuristics at Medium level by default OK?

    • Dan Sommer

      Senior researcher Craig Schmugar replies:
      With so many different binaries, variants, and detection signatures for these two families, it’s best to run network heuristics at Very High if you suspect that a system may be impacted, although Medium is sufficient to catch the vast majority of known samples.

      • Tom

        Another option is to use McAfee Nitro SIEM to look for DNS queries from internal hosts for the GoZ and CryptoLocker domains. It takes some configuration, but then a passive check is in place to help target systems that need a more thorough checking. A lot of our users are mobile laptop users – this can catch a newly infected host fresh off the road.
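A minimal version of the passive DNS check Tom describes, as an added example that is not McAfee's or the post's own code: it scans DNS query logs for lookups of known GoZ/CryptoLocker domains and returns the internal hosts that need a closer look. The log format and the indicator domains are constructed placeholders, not real Operation Tovar domains.

```python
# Added example (not McAfee's code): the passive SIEM check Tom describes,
# run over plain-text DNS query logs. Indicator domains and log lines are
# constructed placeholders, not real Operation Tovar domains.
import re
from collections import defaultdict

# Constructed placeholder indicators; a real list would come from the
# takedown / sinkhole feed the SIEM subscribes to.
INDICATOR_DOMAINS = {"goz-example.invalid", "cryptolocker-example.invalid"}

# Constructed log format: "<ts> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=\S+$")

SAMPLE_LOG = """\
2014-06-02T09:00:01Z client=10.0.5.23 query=www.mcafee.com. type=A
2014-06-02T09:00:04Z client=10.0.5.23 query=ABC.goz-example.invalid. type=A
2014-06-02T09:00:09Z client=10.0.7.8 query=Cryptolocker-Example.INVALID type=A
2014-06-02T09:00:11Z client=10.0.7.8 query=notgoz-example.invalid. type=A
2014-06-02T09:00:15Z client=10.0.5.23 query=mail.goz-example.invalid. type=MX
garbage line that does not parse
"""


def matches_indicator(qname, indicators=INDICATOR_DOMAINS):
    """True if qname equals an indicator or is a subdomain of one.

    Case and the trailing dot are normalised, and the match requires a
    label boundary, so 'notgoz-example.invalid' is not a hit.
    """
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in indicators)


def hosts_to_triage(log_text, indicators=INDICATOR_DOMAINS):
    """Map each internal client with a hit to its matched names (deduplicated, in log order)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        name = m["qname"].lower().rstrip(".")
        if matches_indicator(name, indicators) and name not in hits[m["client"]]:
            hits[m["client"]].append(name)
    return dict(hits)
```

The returned map is the list of systems to run Stinger against at a higher heuristic level, as Dan's reply above suggests.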
