
Symantec MSS Threat Landscape Update – Gameover Zeus and Cryptolocker Takedown

Created: 03 Jun 2014 • Updated: 09 Jun 2014

EXECUTIVE SUMMARY:

Today, June 2nd 2014, Symantec’s Security Response team released a blog post detailing the takedown of two of the most notorious pieces of financial fraud malware to date: Cryptolocker and the Gameover variant of Zeus. The takedown was an international collaboration between agencies such as the FBI, the UK’s National Crime Agency and other law enforcement agencies. Symantec, among other private sector companies, assisted the FBI in seizing a large portion of the malicious infrastructure.

The Gameover variant of Zeus has infected millions of computers since September 2011. This trojan is used to intercept banking transactions made by unsuspecting users; the transaction details are then used to defraud those users of their monetary assets. Symantec has created a removal tool to assist users in removing Gameover Zeus.

Cryptolocker is the latest form of ransomware. If a user falls victim to this trojan, it encrypts files stored on the hard drive. The encryption used is strong and there is currently no method available to decrypt the data. The user is told that they must pay a ransom in order to receive the decryption key and recover their files. A user who decides not to pay the ransom risks losing their personal files.


For more information on the takedown, please see Security Response’s blog post:

http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

SYMANTEC MSS SOC DETECTION CAPABILITIES:

For customers with our IDS/IPS Security Management services, vendor-based signatures will be automatically deployed, as per the vendor’s recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, we can be reached by requesting help via phone, e-mail, chat, or by visiting the MSS portal at https://mss.symantec.com.


For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.

MSS SOC Analytics Detection

  • Hot-IP Signatures
    Hot IP - Cryptolocker C&C Communication (GIN)
    Hot IP - Potential CryptoLocker HTTP communication
    Hot-IP - Potential CryptoLocker CnC communications (HTTP)
    Hot IP - ZeuS (Gameover) P2P C&C communications
    Hot IP - Gameover Zeus Bot P2P Node
    Hot IP - Gameover Zeus Bot Exfiltration Dropzone
    Hot IP - Suspected Zeus Gameover Botnet Sinkhole
    Hot IP - Potential Zeus (Gameover/v3) p2p C&C Activity

  • URL Analytics (WSM Signatures)
    [MSS URL Detection] Trojan.Cryptolocker.B traffic
    [MSS URL Detection] Trojan.ZBot (Citadel) HTTP Request to Command and Control
    [MSS URL Detection] Zeus payload request / CnC traffic detected

Vendor Detection

  • Symantec AV
    Trojan.Zbot
    Trojan.Zbot!gen26
    Trojan.Zbot!gen27
    Trojan.Zbot!gen29
    Trojan.Zbot!gen30
    Trojan.Zbot!gen32
    Trojan.Zbot!gen38
    Trojan.Zbot!gen39
    Trojan.Zbot!gen42
    Trojan.Zbot!gen43
    Trojan.Zbot!gen49
    Trojan.Zbot!gen51
    Trojan.Zbot!gen54
    Trojan.Zbot!gen55
    Trojan.Zbot!gen58
    Trojan.Zbot!gen60
    Trojan.Zbot!gen62
    Trojan.Zbot!gen63
    Trojan.Zbot!gen64
    Trojan.Zbot!gen65
    Trojan.Zbot!gen67
    Trojan.Zbot!gen71
    Trojan.Zbot!gen72
    Trojan.Zbot!gen73

  • Related Component Detection:
    Downloader
    Hacktool.Rootkit
    Downloader.Dromedan
    Downloader.Upatre
    Downloader.Ponik
    Trojan.Pandex
    Trojan.Cryptolocker

  • Symantec IPS
    System Infected: Zbot Activity
    System Infected: ZBOT Request
    System Infected: Zbot Trojan Request 2
    System Infected: Zbot Trojan Request 3
    System Infected: Trojan.Zbot Activity 3
    System Infected: Trojan.Zbot Activity 6
    System Infected: Trojan.Zbot Download Request
    System Infected: Trojan.Zbot Download Request 2
    System Infected: Trojan.Zbot Download Request 3
    System Infected: Trojan.Zbot P2P Communication 3
    System Infected: Trojan.Zbot P2P Communication 4
    System Infected: Trojan.Zeus P2P Communication
    System Infected: Trojan.Zeus P2P Communication 2
    System Infected: Trojan Zbot Post Install
    System Infected: Trojan Zeus Activity
    System Infected: Trojan.Cryptolocker

  • Checkpoint
  • Cisco Secure IDS
  • FireEye
  • Snort/Sourcefire VRT
  • TippingPoint

This list represents a snapshot of current detection. Symantec MSS stands ready to provide security monitoring once additional vendors or additional detection is identified and enabled on your monitored devices. As threats evolve, detection for those threats can and will evolve as well.
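As an added illustration (not part of the original MSS bulletin), the following Python script triages constructed IDS alert lines against the signature names listed above, grouping alerts by source host and ranking Cryptolocker over active Gameover Zeus C&C/exfiltration over sinkhole-only contact. The pipe-delimited alert format, the sample alerts and the priority policy are assumptions made for this example.

```python
from collections import defaultdict

# Signature names taken from the MSS detection list on this page, grouped by
# what they indicate. Names not in these sets are left out of the triage.
CRYPTOLOCKER = {
    "Hot IP - Cryptolocker C&C Communication (GIN)",
    "Hot IP - Potential CryptoLocker HTTP communication",
    "Hot-IP - Potential CryptoLocker CnC communications (HTTP)",
    "[MSS URL Detection] Trojan.Cryptolocker.B traffic",
    "System Infected: Trojan.Cryptolocker",
}
GOZ_ACTIVE = {  # live Gameover Zeus C&C or exfiltration traffic
    "Hot IP - ZeuS (Gameover) P2P C&C communications",
    "Hot IP - Gameover Zeus Bot P2P Node",
    "Hot IP - Gameover Zeus Bot Exfiltration Dropzone",
    "Hot IP - Potential Zeus (Gameover/v3) p2p C&C Activity",
    "System Infected: Trojan.Zeus P2P Communication",
    "System Infected: Trojan.Zeus P2P Communication 2",
}
GOZ_SINKHOLE = {"Hot IP - Suspected Zeus Gameover Botnet Sinkhole"}

# Constructed sample alerts (not real MSS output): "timestamp|source_host|signature".
SAMPLE_ALERTS = """\
2014-06-03T08:01:10|10.0.5.21|Hot IP - Suspected Zeus Gameover Botnet Sinkhole
2014-06-03T08:03:02|10.0.7.9|System Infected: Trojan.Cryptolocker
2014-06-03T08:05:30|10.0.7.9|Hot IP - Potential CryptoLocker HTTP communication
2014-06-03T08:06:00|10.0.9.3|Hot IP - Gameover Zeus Bot Exfiltration Dropzone
2014-06-03T08:06:40|10.0.9.3|Hot IP - Suspected Zeus Gameover Botnet Sinkhole
2014-06-03T08:07:12|10.0.1.1|System Infected: Unrelated Signature
"""

def triage(alert_text):
    """Group alerts by source host and return one (priority, action) per host.

    Assumed policy (not from the page): Cryptolocker outranks everything because
    files are being encrypted; active Gameover Zeus traffic outranks sinkhole-only
    contact, which still means the host is infected and needs the removal tool."""
    seen = defaultdict(set)
    for line in alert_text.splitlines():
        _ts, host, sig = line.strip().split("|", 2)
        seen[host].add(sig)
    verdicts = {}
    for host, sigs in seen.items():
        if sigs & CRYPTOLOCKER:
            verdicts[host] = ("critical", "isolate host; restore files from backup")
        elif sigs & GOZ_ACTIVE:
            verdicts[host] = ("high", "run Trojan.Zbot Removal Tool; reset credentials used on host")
        elif sigs & GOZ_SINKHOLE:
            verdicts[host] = ("medium", "infected but C&C sinkholed; run Trojan.Zbot Removal Tool")
    return verdicts
```

Hosts whose alerts match none of the listed signatures are left out of the result, so the verdict dictionary contains only hosts the bulletin's detections actually implicate.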


REFERENCES:

For additional information related to this threat/vulnerability please reference the following links:

  • International Takedown Wounds Gameover Zeus Cybercrime Network
    http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network

  • Trojan.Cryptolocker
    http://www.symantec.com/security_response/writeup.jsp?docid=2013-091122-3112-99

  • Trojan.Zbot
    http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

  • Trojan.Zbot Removal Tool
    http://www.symantec.com/security_response/writeup.jsp?docid=2014-052915-1402-99