Gameover and CryptoLocker revisited - the important lessons we can learn


We recently wrote about an international takedown operation, spearheaded by US law enforcement, against the Gameover and CryptoLocker malware.

That led to a resurgence of interest in our earlier articles about these threats.

So we thought it would be handy to revisit the lessons that this sort of crimeware can teach us.

Gameover - bigger of two evils

If we're honest, Gameover is the more serious threat to worry about.

It's a bot, or zombie, meaning that its function is to hand covert remote control of your computer over to cybercriminals.

They can go after your online banking credentials (and the Gameover gang did, to the tune of some $100m in the US alone), but they can also read your mail, mess with your social networking accounts, record your voice, turn on your webcam, and more.

In fact, the crooks can do pretty much anything they like, not least because Gameover, like most zombie malware, includes a general-purpose "download, install and launch yet more malware" function.



In other words, finding out you've had Gameover for the past month is like realising you forgot to hang up the phone and your boss has been listening in to the last 30 minutes of garrulous tittle-tattle you've been having with your chums.

You can't be sure just how badly things might end up, but you know it's not going to be good.

And one way that Gameover ended for many victims was with a CryptoLocker attack.

Gameover used to deliver CryptoLocker

That's because the crooks used the Gameover botnet to infect selected victims with the CryptoLocker ransomware, which promptly called home, downloaded a disk-scrambling encryption key, and locked up their data.

Want it back? That'll be $300.

For the most part, as far as we can see, victims who paid up did get their data back, and word quickly spread that the crooks were (if you will pardon the oxymoron) men of their word, with the result that business boomed.

Fellow Naked Security writer Chester Wisniewski, who speaks at a lot of conferences and seminars, even met people who shrugged and admitted that they'd handed over $300 to the crooks because it was less hassle than restoring from backup, and they'd heard that the crooks would probably honour the payment.

Honour, indeed!

So CryptoLocker ended up as better-known and more feared than Gameover, even though, for many people, Gameover was actually the cause of their CryptoLocker trouble.

You can see why CryptoLocker captured the imagination more than Gameover: CryptoLocker is one of those in-your-face, "so near but so far" threats.

If you get hit, your computer still works, your files are still there, and you can even open them up.

But if you do you will find they consist of the digital equivalent of shredded cabbage.

CryptoLocker attacks entire networks

Worse still, CryptoLocker doesn't limit itself to scrambling files on your hard disk.

Any drives, shares and folders that you can find with Explorer are visible to the malware, and if it has write access to any of those places, the data stored there is shredded cabbage, too.

USB drives, secondary hard disks, network shares, perhaps even your cloud storage, if you have software loaded that makes it appear as a directory tree on your computer: all of these can end up ruined after a visit from CryptoLocker.

If your user account has Administrator privileges, or worse still, System Administrator privileges, you might end up spreading the ruination far and wide through your organisation.

At worst, a single user who is infected could leave all his work colleagues affected, even those who don't use Windows and couldn't get infected themselves, even if they tried.

What to do?

Here are four suggestions that you can try yourself, and recommend to your friends and family.

• Don't rely on reactive virus scanning.

Reactively scanning your computer once a week, or once a month, cannot, by definition, prevent malware. It's a handy way of getting a "second opinion" about what's on your computer, but make sure you also use a proactive anti-virus program with an on-access or real-time scanner for both files and web pages. Real-time protection steps in before infection happens, so it doesn't just detect malware and malicious websites, it blocks them, too.

• Do consider email and web filtering.

Most businesses perform some sort of web or email filtering, to protect both the data and the staff in the organisation. If you have children to look after at home, or are the IT geek in a shared house, you might want to do the same sort of thing at home. (Sophos's UTM Home Edition is our full-featured business product, totally free for non-commercial use at home. It even includes 12 Sophos Anti-Virus for Windows licences for your desktops and laptops.)

Blocking suspicious websites needn't be about censoriousness or being a judgmental Big Brother. Instead, think of it as something you do because you're a concerned parent, or because you're watching your buddies' backs.

• Don't make your normal user account into an Administrator.

Privileged accounts can "reach out" much further and more destructively than standard accounts, both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.

For example, on Windows 8.1, you need to have at least one Administrator account, or else you wouldn't be able to look after your computer. But you can create a second account to use for your day-to-day work and make that account into a Standard user.

• Do make time for regular, off-line backups.

Even cloud backups can be considered "off-line," as long as you don't keep your cloud storage mounted as if it were a local disk, where it can be accessed all the time, by any program. Also, consider using backup software that can keep multiple versions (revisions) of regularly-changing files such as documents and spreadsheets, so that if you ruin a file without realising it, you don't end up with a backup that is equally ruined.

If you use the cloud for backup, we nevertheless recommend taking regular physical copies, for example onto removable USB disks, that you can keep somewhere physically secure, such as a safe-deposit box. Don't risk losing everything if you lose your computer together with your cloud storage password, or if your cloud provider goes bust (or gets shut down).

Encrypting your backups as you save them to removable disks or before you upload them to the cloud is also wise. That way they are shredded cabbage to everyone else.
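The multiple-revisions advice above, sketched as an added example (not code from the original article or from any Sophos product): each changed file becomes a new numbered revision, so a backup taken after a file has been scrambled does not overwrite the last good copy. The function names, file names and revision naming scheme are assumptions made for illustration, and the backup folder is assumed to live on storage that is not left permanently mounted.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def backup_revision(source: Path, backup_root: Path, keep: int = 5) -> Optional[Path]:
    """Copy `source` to a new numbered revision if its content changed.

    Returns the new revision path, or None when nothing changed. Only the
    newest `keep` revisions are retained (hypothetical naming scheme).
    """
    if keep < 1:
        raise ValueError("keep must be at least 1")
    rev_dir = backup_root / source.name
    rev_dir.mkdir(parents=True, exist_ok=True)
    revisions = sorted(rev_dir.iterdir())  # zero-padded names sort by age
    if revisions and sha256_of(revisions[-1]) == sha256_of(source):
        return None
    next_no = int(revisions[-1].name.split("_", 1)[0]) + 1 if revisions else 1
    target = rev_dir / f"{next_no:06d}_{source.name}"
    shutil.copy2(source, target)
    for old in sorted(rev_dir.iterdir())[:-keep]:
        old.unlink()  # prune the oldest revisions beyond the limit
    return target

def demo() -> dict:
    """Constructed scenario: a document is saved, then scrambled in place."""
    with tempfile.TemporaryDirectory() as tmp:
        doc, backups = Path(tmp, "budget.txt"), Path(tmp, "backups")
        doc.write_bytes(b"Q1 budget: 1200\n")
        first = backup_revision(doc, backups)
        skipped = backup_revision(doc, backups) is None  # unchanged file
        doc.write_bytes(bytes(range(256)))  # stands in for scrambled content
        backup_revision(doc, backups)
        names = sorted(p.name for p in (backups / "budget.txt").iterdir())
        return {"skipped": skipped, "revisions": names,
                "good_copy_survives": first.read_bytes() == b"Q1 budget: 1200\n"}

if __name__ == "__main__":
    print(demo())
```

The `keep` limit matters: if backups run more often than you notice damage, a small limit can rotate every good revision out before you restore.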

The bottom line

The operation against Gameover and CryptoLocker by law enforcement is most welcome, and should be applauded.

But the mopping-up part of the operation is down to us.

The criminal business empires that have grown up around botnets like Gameover would rapidly fall apart if we kept our computers clean in the first place.

Kill-a-zombie today!

Image of Killer Zombie Robot courtesy of Shutterstock.


9 Responses to Gameover and CryptoLocker revisited - the important lessons we can learn

  1. Jim · 85 days ago

    Great article. I agree on all counts. However, I have one suggestion: Move the 2nd entry in the list (email filtering) to the bottom. Some may think of this as a "do them in this order" list (even though you don't say so), but turning off admin rights (#3 now) is a higher priority than email filtering. I might even consider it #1, but your #1 is pretty big, too.

    • Paul Ducklin · 84 days ago

      I didn't number them...I guess I'm hoping you'll do them all...

      And my #2 (not that it's in order :-) isn't just email filtering - I'm suggesting people watch traffic in and out, and that they stop considering it something "good for businesses but a mere PITA at home."

  2. AV is for SHEEP · 84 days ago

    I still don't use an antivirus, no infection yet since 2010.

    • Guy · 84 days ago

      ...and you don't use Windows. But for those of us that do, it would be certifiably insane to not use AV.

      So baaaaa to you.

      • Deramin · 84 days ago

        Not necessarily. No AV might be playing it a bit risky, but if you have really good defenses in front of your computer, I can at least see the temptation to ditch AV. I haven't found it to be very useful, really. If you're filtering all of your internet traffic at least twice, blocking advertising, disabling Java and possibly JavaScript, using Microsoft EMET, not using an admin account, and are really careful about what you download and where you go, then I think it might be possible (in theory) to use Windows without AV. But another wall never hurt anyone, so I don't see why you'd opt not to if you'd gone to that much trouble.

    • Andrew Ludgate · 83 days ago

      I haven't had an (unintentional) infection since around 1989 -- but part of the reason I know this is due to my AV software, buttressed with heuristics scripts tailored to my own setup (I have most of my system watch foldered where I'm not expecting continual file modifications -- it's worth the odd alert dialog telling me a file has changed/been added/removed).

      However, the main place malware has been blocked for me is in the browser/mail client by disabling auto-runnable scripting, and via bi-directional network proxying firewall.

      The main thing that's helped is to disable everything I don't need, and then only enable what is necessary. The result is that I get the odd website or software application that won't work, but then I can either create an exception, or just use an alternate solution (I've never failed to find one, even if it's sometimes been "don't do that").

      Not using Windows has been beneficial, but it isn't a protection technique, just a footprint minimization technique.

  3. Jim · 81 days ago

    One thing on the "use AV vs. don't use AV" argument:

    I've been involved in computer security since before the term was invented. I've seen a whole lot of break-in attempts. They come from all directions.

    And, the good ones (the ones to worry about) are very methodical. The only way to stop them is to have a multi-layered approach to securing one's infrastructure.

    Anti-virus and local PC firewall are basically the last line of defense. If there's a layered security model in place through the organization, then AV and local firewalls don't get triggered much. (I'm counting the PC's anti-virus and the PC's firewall as two "layers" of defense.)

    But, this is a bad excuse for skipping over them. I've seen determined hackers get through 5 layers of defenses and still pack a punch. In that infrastructure model, what AV did was protect my customers from the not-quite-so-good hacker, who could only get through the first 3-4 layers.

    • Paul Ducklin · 81 days ago

      Of course, there are also intrusions that *start* on the local computer, where it is first in line to be attacked - like malware on USB keys or any other device that shows up as a bunch of directly-visible files, such as phones, cameras, satnavs, and more. (Ask the Iranians about USB-borne malware.)

      This might be of interest:

      http://nakedsecurity.sophos.com/2012/06/17/lost-usb-keys-back-in-the-spotlight-in-privacy-commission-report/

      • Jim · 78 days ago

        That's true. If my memory is correct, I believe I've had far more malware installed while the employee was off-net vs. on our network.

        In fact, that makes my point even more solidly: Layered defenses are critical to an organization's security.

        But, it's scarier, too: A system is only as safe as the location(s) of least protection is. For most people in larger companies, that's a hotel or their house, not the office.

        Perhaps there's one more layer of defense: No admin rights. It's a lot harder to co-opt the antivirus when the attack doesn't have admin rights. Like all the others, it's not a fail-safe. But, with layered defenses ...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog