Tuesday, June 3, 2014

Gameover ZeuS, Cryptolocker, Operation Tovar, Oh My...

The big news this week is the U.S. Department of Justice disclosing "Operation Tovar," an international sting operation that this weekend seized control of command and control servers directing the "Gameover ZeuS" criminal botnet. This botnet involved somewhere between a half million and a million computers, and was largely used to distribute a piece of malware known as CryptoLocker. The operation and its implications have been heavily covered in the news (at least among technology news sources). My intent is not to rehash the news, but rather to describe some steps to minimize the damage such malware can cause.

ZeuS is well-known and very robust professional banking malware, which has been widely used for about 7 years. Its most effective approach is to sit in the background and monitor your web browsing behavior; if you browse to a banking website that it has been configured to watch for, it will collect the information you enter (usernames, passwords, possibly security questions, possibly bank account numbers) and send this information to the criminals that control it. ZeuS may also add additional fields to the legitimate web page (for instance, asking for date of birth or social security number in addition to the username and password requested by the real web site). It is a particularly insidious malware family because it simply uses the actual websites you visit, instead of tricking you into visiting a compromised site. Its primary goal is to separate you from your money, in secret such that you won't know you have been compromised until after your banking accounts have been stolen. ZeuS (on which Gameover ZeuS is based) also draws infected computers into a botnet - a network of computers under the control of an attacker, that can be used to do the attacker's bidding.

CryptoLocker is a newer criminal approach, one that became very popular in the past year or so, and one that is nasty in its ingenuity. Instead of acting in secret, it is very much in-your-face. CryptoLocker is so-called "ransomware," and it does exactly what the name suggests. It holds your information captive, with the promise to return your data when you pay a ransom. It does this by encrypting files on your hard drive - family photos, financial records, music and movie libraries, school projects, email, business documents, etc. The files are still on your computer, but are digitally encrypted such that you cannot read the files without the key. And guess who holds the key? The person that controls the malware.


Here's the critical point: in both cases, once you know you are infected, it is too late. By the time you detect ZeuS (or ZBot, or Gameover ZeuS), your banking account credentials have already been stolen and quite possibly used to access your financial accounts. By the time you recognize the CryptoLocker infection, your computer data has been encrypted - and there is no way to decrypt the data without paying the ransom and obtaining the key (assuming for the moment that the criminals are honorable and will give you the key after you have paid the ransom).

Operation Tovar is a big win for the good guys, but it is all but certainly a temporary win. It is possible the criminal masterminds may devise a way to regain control of the botnet. Even if they do not, this is not the only botnet, nor the only family of malware. While there is no 100% foolproof way to avoid getting infected, there are a few steps one can take to minimize the damage that these and related malware families can inflict.

1. Enable multifactor authentication on any accounts that are important to you. ZeuS can steal usernames and passwords because these items remain the same every time you log on (more or less ... you may change your password every once in a while, but certainly not every day). With multifactor authentication though, that information alone is not enough to log in - the criminal would also have to either log on from a trusted computer, or obtain a texted or emailed authentication key (which is generally only valid for a few minutes). This is not an impossibility, but it is far more difficult.

2. Use a DNS resolver that blocks known malicious domains. Computers use a numeric Internet Protocol (IP) address to communicate with one another; when you browse to disney.com, your computer goes to a Domain Name System (or DNS) server, essentially a Yellow Pages that converts human-readable domain names into IP addresses. Services such as OpenDNS maintain a list of known malicious domains, and won't provide an IP address for those domains. Since botnets use a command and control system to deliver new instructions, the clients have to contact the malicious domain to receive new instructions. The same holds true for delivering stolen information to the attacker. No malware list is perfect and complete, but using a service such as OpenDNS greatly reduces the effectiveness of botnets. Keep in mind that DNS filtering is only effective against malware that "phones home" to known malicious control servers. Gameover ZeuS is a new breed that uses peer-to-peer communication to circumvent such controls. Nonetheless, DNS filtering is an effective way to reduce your exposure to many forms of malware.

3. Back up any data that matters - and back it up somewhere other than a shared drive on your home network. CryptoLocker and other ransomware are effective because so much information on our PCs may be irreplaceable. Baby pictures can't be re-taken. No student wants to re-write a term paper. A lifetime worth of contacts would be impossible to fully reconstruct. Ransomware is lucrative because given the choice between paying a few hundred dollars/Euros and losing data forever, many people (and businesses) will pay the ransom. Having a safe backup eliminates "losing forever" from the equation. Just keep in mind that many ransomware variants will also encrypt data on shared drives. To be safe, data needs to be backed up either offsite (think services such as Carbonite or Comodo), or backed up to a drive that is not mapped (think a NAS that uses FTP instead of SMB).
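To make step 2 concrete, here is a small added example (my own illustration, not code from OpenDNS or from any resolver) that models what a filtering resolver does with a blocklist, including the two details that matter in practice: subdomains of a listed domain must also be blocked, and peer-to-peer traffic that never performs a DNS lookup is invisible to this control. The blocklist entries, client addresses and traffic lines are constructed placeholders, not real indicators.

```python
# Added example: a model of a blocklist-filtering DNS resolver (step 2 above).
# Blocklist entries and sample traffic below are constructed for illustration.
from typing import Optional, List, Tuple

# Constructed "known malicious" domains (placeholders, not real indicators).
BLOCKLIST = {"evil-c2.example", "dropzone.example"}


def blocked_by(name: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry that covers `name`, or None if it is allowed.

    Matching is done label by label from the right, so a listed domain also
    covers every hostname beneath it ('update.evil-c2.example'), while a mere
    substring such as 'notevil-c2.example' is correctly left alone.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed client activity as (client, kind, target) tuples. The last entry
# is a direct peer-to-peer connection: no hostname is ever looked up.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("192.0.2.10", "dns", "www.example.com"),
    ("192.0.2.10", "dns", "update.evil-c2.example"),
    ("192.0.2.11", "dns", "dropzone.example."),
    ("192.0.2.12", "tcp", "198.51.100.7:443"),
]


def audit(events) -> dict:
    """Sort events into what DNS filtering stops, allows, and never even sees."""
    report = {"blocked": [], "allowed": [], "unseen": []}
    for client, kind, target in events:
        if kind != "dns":
            report["unseen"].append((client, target))  # P2P / raw IP: no DNS query
        elif blocked_by(target):
            report["blocked"].append((client, target))  # resolver refuses to answer
        else:
            report["allowed"].append((client, target))
    return report


if __name__ == "__main__":
    for category, entries in audit(SAMPLE_EVENTS).items():
        print(category, entries)
```

The "unseen" bucket is the Gameover ZeuS case the post warns about: a host talking directly to a peer's IP address generates no query for a filtering resolver to refuse.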