Symantec MSS Threat Landscape Update – Gameover Zeus/Cryptolocker Takedown
Today, June 2nd 2014, Symantec’s Security Response team released a blog post detailing the takedown of two of the most notorious pieces of financial fraud malware to date: Cryptolocker and the Gameover variant of Zeus. The takedown was an international collaboration between agencies such as the FBI, the UK’s National Crime Agency and other law enforcement agencies. Symantec, among other private sector companies, assisted the FBI in seizing a large portion of the malicious infrastructure.
The Gameover variant of Zeus has infected millions of computers since September 2011. This trojan is used to intercept banking transactions that are made by unsuspecting users. The transaction details are then used to defraud those users of their monetary assets. Symantec has created a removal tool to assist users in removing Gameover Zeus.
Cryptolocker is the latest form of ransomware. If a user falls victim to this trojan, it will encrypt files stored on the hard drive. The encryption used is strong and there is no method currently available to decrypt the data. The user is told that they must pay a ransom in order to receive the decryption key to recover their files. If a user decides not to pay the ransom, then they risk losing their personal files.
For more information on the takedown, please see Security Response’s blog post:
SYMANTEC MSS SOC DETECTION CAPABILITIES:
For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
MSS SOC Analytics Detection
Hot IP - Cryptolocker C&C Communication (GIN)
Hot IP - Potential CryptoLocker HTTP communication
Hot-IP - Potential CryptoLocker CnC communications (HTTP)
Hot IP - ZeuS (Gameover) P2P C&C communications
Hot IP - Gameover Zeus Bot P2P Node
Hot IP - Gameover Zeus Bot Exfiltration Dropzone
Hot IP - Suspected Zeus Gameover Botnet Sinkhole
Hot IP - Potential Zeus (Gameover/v3) p2p C&C Activity
URL Analytics (WSM Signatures)
[MSS URL Detection] Trojan.Cryptolocker.B traffic
[MSS URL Detection] Trojan.ZBot (Citadel) HTTP Request to Command and Control
[MSS URL Detection] Zeus payload request / CnC traffic detected
- Symantec AV
Related Component Detection:
System Infected: Zbot Activity
System Infected: ZBOT Request
System Infected: Zbot Trojan Request 2
System Infected: Zbot Trojan Request 3
System Infected: Trojan.Zbot Activity 3
System Infected: Trojan.Zbot Activity 6
System Infected: Trojan.Zbot Download Request
System Infected: Trojan.Zbot Download Request 2
System Infected: Trojan.Zbot Download Request 3
System Infected: Trojan.Zbot P2P Communication 3
System Infected: Trojan.Zbot P2P Communication 4
System Infected: Trojan.Zeus P2P Communication
System Infected: Trojan.Zeus P2P Communication 2
System Infected: Trojan Zbot Post Install
System Infected: Trojan Zeus Activity
System Infected: Trojan.Cryptolocker
Cisco Secure IDS
This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.
For additional information related to this threat/vulnerability please reference the following links:
- International Takedown Wounds Gameover Zeus Cybercrime Network
- Trojan.Zbot Removal Tool