Sophos Cloud Optix
Gameover, also known as Gameover Zeus, is one of the most notorious botnets of recent times, used to grab covert control of innocent users’ computers and to “borrow” them to carry out cybercrime on a giant scale.
The best-known criminal functionality of Gameover is probably its banking-related trickery, where it keeps track of what your computer is doing online until you start some sort of financial transaction.
Then the malware comes alive and grabs the personal information that you type in, such as your username and password, and may even be able to intercept the one-time passcode sent by your bank (what is known as two factor authentication).
Once intercepted, that information is often enough for the crooks to to conduct fraudulent transactions, and with estimates that hundreds of thousands of computers were infected with the Gameover “bot” at any time, the crooks made off with millions of ill-gotten dollars.
In fact, the United States Department of Justice (DoJ) suggests that the Gameover crooks have stolen more than $100,000,000 from users in the US alone.
The DoJ also estimates that US users who have lost money to Gameover make up just 25% of victims worldwide, so we could be looking at global losses of up to half a billion dollars.
But that’s not all.
The Cryptolocker menace
CryptoLocker is the poster child (a “Wanted” poster, that is) of the ransomware scene, scrambling all your data and then giving you three days to come up with $300 to buy the key to unscramble it.
In the past, we’ve seen file-encrypting ransomware that could be “counter-cracked”, thanks to cryptographic blunders by the crooks, such as leaving temporary copies of the decryption key on your computer, or neglecting to wipe out the original files after scrambling them.
No such luck with CryptoLocker.
Every time an infected computer calls home to one of the CryptoLocker servers, the crooks generate an RSA key pair, consisting of a public and a private key, on the server.
In public-key cryptography, what the public key locks, only the private key can unlock. (And you can’t compute the private key from the public key because of the way the mathematics works.)
So the crooks send your computer the public key; their malware locks up your files with it; and that’s that: the private key never, ever exists on your computer, neither on disk nor in memory.
If you don’t have a backup and you need to decrypt your data, you have no choice but to buy a copy of the private key from the crooks.
The DoJ suggests that the crew behind CryptoLocker raked in $27,000,000 in September and October 2013 alone, in the first two months that the malware was widely reported.
Another measure of the malware’s malevolence came from a survey by the University of Kent in England, which concluded (these are eye-watering statistics) that about 1 in 30 Britons had been hit by CryptoLocker, of whom 40% paid over the blackmail money.
Gameover and CryptoLocker in concert
These two families of malware are often discussed together because Gameover, which gives its operators the power to upload new malware to already-infected computers, has been one of the ways by which CryptoLocker was distributed.
In other words, the crooks could milk you using Gameover; as soon as they thought they’d squeezed everything they could out of the Gameover part, they could “upgrade” you to CryptoLocker and sting you for a final $300.
With a 40% success rate against victims in the UK alone, if the University of Kent has it right, that’s quite some sting.
The takedown
So here’s the good news: the DoJ today announced a string of legal and technical assaults on the criminal infrastructures of these two malware families.
Very briefly summarised, US law enforcement has done the following:
• 07 May 2014. With co-operation from the Ukrainian authorities, seized and copied key Gameover command servers in Kiev and Donetsk. If the core servers in a botnet can’t push put “what to do next” instructions to the zombie computers under their control, the botnet is seriously disrupted.
• 19 May 2014. Filed sealed criminal charges against a Russian national called Evgeniy Mikhailovich Bogachev, aka Slavik, aka Pollingsoon, for a raft of serious offences.
• 28 May 2014. Got a civil court order against Slavik and four other unnamed co-conspirators, thus permitting law enforcement legally to redirect Gameover traffic into a server specificed by the court.
Then, the “traceback” could begin, with the FBI and numerous operational partners in the US and in Europe identifying core computers in the botnet control infrastructure, and seizing servers in Canada, France, Germany, Luxembourg, the Netherlands, Ukraine and the UK.
Servers critical to the operation of CryptoLocker were seized at the same time, which did some serious damage to the CryptoLocker scam, too.
If your computer fails to “call home” for the public key mentioned earlier, CryptoLocker can’t scramble your data, giving you time to find and destroy the malware before any costly damage is done.
Unity is strength
To remind you just how much work goes into an operation of this sort, it’s worth repeating the names of the law enforcement agencies around the world that were officially named by the DoJ as having been part of this takedown.
Here they are:
The Australian Federal Police; the National Police of the Netherlands National High Tech Crime Unit; European Cybercrime Centre (EC3); Germany's Bundeskriminalamt; France's Police Judiciare; Italy's Polizia Postale e delle Comunicazioni; Japan's National Police Agency; Luxembourg's Police Grand Ducale; New Zealand Police; the Royal Canadian Mounted Police; Ukraine's Ministry of Internal Affairs – Division for Combating Cyber Crime; and the United Kingdom's National Crime Agency participated in the operation. The Defense Criminal Investigative Service of the U.S. Department of Defense also participated in the investigation.
Quite a list!
So, if you’ve ever wondered, “Why don’t the cops just pop round to the botmaster’s house and shut the whole thing down?”, this list might help answer your question.
What happens next?
The next stage – the part of the operation that is the duty of all of us – is to dismantle the rest of the botnet, by progressively disinfecting all the zombie-infected computers that made the Gameover and Cryptolocker “business empires” possible in the first place.
US-CERT has come up with a whole list of free tools so you can do just that, and (if you are the go-to person for IT problems amongst your friends and family) so that you can help others, too.
I’m delighted to say that the Sophos Virus Removal Tool is amongst the recommended cleanup utilties.
It’s a free download; you don’t have to uninstall your existing anti-virus first; and it detects and cleans the same malware, including rootkits, that Sophos Anti-Virus knows about, not just CryptoLocker.
Why not try it and see by scanning your home PCs today?
As we’ve said before, if you don’t make an effort to clean up malware from your own computer, you aren’t part of the solution, you’re part of the problem.
Splendid! How confident are they that the Zeus botnet is 100% offline? I know botnet writers put in backup communication methods. I suppose if they have arrested all the operators, that wouldn’t be much of a concern.
crypto is back, the name is cryptowall 3.0 not defense , all the files infected never restored. !!!!!!!!!!!!
I do think that the media in general (not Nakedsecurity) have handled this story badly.
From reading comments on other forums, some people have understood that there is some terrible new threat which will hit all our computers in exactly 2 weeks’ time.
Whereas, if I understand correctly, in 2 weeks’ time things will be no worse than they were a month ago. It’s just that the bad guys will have regrouped by then, and if people use those 2 weeks to cleanup their PCs, things will be slightly better.
Even then I’m not sure what the 2 week window means for an individual PC – is the infection somehow easier to clean because the command-and-control is missing for example?
I’ve seen mention of this “two week window.” I don’t like it. I suppose it’s someone’s reasonable guess that has turned into a touchstone.
Certainly for CryptoLocker, as mentioned above, having the key generation servers offline gives anyone who gets infected while they’re not working a bit of a breather. (Can’t call home = encryption doesn’t start.)
But there isn’t a “two week window.” Other crooks could light up replacement servers tomorrow. Or it could take months.
In the old days, viruses often had special days when they did something unsusual – from trashing your motherboard to disinfecting themselves.
Seems that people still love that sort of date-type precision.
(Same thing happened at Y2K. If software had Y2K problems, they might very well show themselves in any calcuation across that boundary, which was actually more likely to happen before Y2K. But the idea of armageddon at the stroke of midnight on NYE was more exciting 🙂
I have no doubt that Sophos Virus Removal Tool is a useful anti-malware tool, given Sophos’s reputation. However, its incredibly slow scanning speed (it would literally take all day–8-10 hours or more–on my computer) makes it of little practical value.
You could run it overnight 🙂
The problem with doing an end-to-end check for malware “after the fact” is that if you want to scan every risky file, you…well, you have to enumerate, open and read every risky file. That can be a lot of work. Of course, the actual time it will take depends on how many files of what sort you have on your computer, and disk speed, and CPU powerm and so on, so predicting just how long is tricky. (FWIW, in my admittedly lightly-used Windows 8.1 Virtualbox VM, it takes about 20 minutes, so mileage really varies.)
We could tweak the tool so it had various options to be less thorough for a shorter time…but then we’d miss out on the goal of making it a truly “security made simple” tool, where there’s a button saying [Start]. You press it. That’s it.
By the way, when I said “you could run it overnight” I was only being 33% cheeky. It’s one way to approach it. Like taking all your workshop overalls and giving them a go in the washing machine on the “superhot mega wash with presoak, bleach, double rinse and triple agitation” programme setting. You wouldn’t want to do it every week but it sort of feels good to give ’em a serious cleansing once in a while 🙂
If the govt. has control of (some of) the botnet core computers, then as well as tracking down other controlling computers, I think they should propagate an updated infection which cleans itself (either immediately or at some future time) and/or refuses further updates. This should be quite legal in this context if there is a notice informing of this. A bit more legally questionable but very useful wold be to have this counter-infection performing anti-malware functions so it resists the spread of new infections – the people who would get this functionality are inherently those that ned it most, being as they were infected before.
The Dutch police tried this sort of thing once. Apparently their legal advice was that it was like finding a person’s house burgled, after which the cops would usually inspect and secure the house, leaving a note for the owner. (Bit like the TSA notes you sometimes find in your suitcase 🙂 Reaction, IIRC, was mixed.
So if a person is infected with Cryptolocker, I understand it can be removed, but what about the encrypted files? If I am to understand correctly, once the files are infected it really doesn’t matter if you remove the virus because it will not remove the encryption from your files. Is this correct?
Now that the authorities have seized network traffic, is it possible that they can post all the private keys once they confiscate the website? That’d be a big help. I hope people haven’t given up hope and wiped their hard drive, they already found the key location for an older version.
It’s great these guys are going to jail, though I have to give them credit, the cryptolocker was rather intuitive. However, I can’t think of a better way to piss me off. Many users don’t make backups because they simply can’t afford it – and even users of a RAID array that’s mounted, as well as cloud drives find themselves screwed over.
Law enforcement might not have got hold of the private keys during the takedown. Maybe they were encrypted? Maybe they didn’t actually seize the physical servers? Maybe the keys were stored separately from the public facing servers in the system? Maybe the crooks wiped the disks when they realised it was game over? (Sorry). And so forth.
Anyway, if they did get the private keys, it makes an intriguing beard-stroking ethical problem to decide, “Should they be made public?”
Also, anyone who couldn’t afford backups *before* the malware hit, and who didn’t pay the ransom, is unlikely to have been able to afford to backup their files *after* they’d been scrambled, against the (frankly unlikely) day that they’d get their decryption keys for free.
Lastly, who said the crook/crooks were going to jail? I think he/they are still at large, charged in the USA in absentia.
(Your reminder about mounted remote drives is an important one. Don’t give yourself write access to files you aren’t intending to write to 🙂
Is it possible to figure out a encryption / decryption key if you have only 6 datapoints (inputs / outputs)?
Device ID (input) / (key)
Device ID Lease Code 1 2 3 4 5 6 7 8
MI110800017 703 95be 73cb 416f 3155 14a8 e976 5750 703
MI110500013 8b97 1d6f 94cf 51f1 dd0c 7a0e d7e2 b1d3 8b97
MI110600013 5956 4c11 f56c 1a53 f0be 3a92 9da8 72eb 5956
MI110100001 acc2 8d17 16f9 20b0 4983 2bfb fb37 f16e acc2
MI110200002 1392 0efb e0f3 8b8a 4b6c 71d1 394f 9.70E+01 1392
MI1120800026 5331 070c 453d 9156 7cae 143d 595b 8c23 5331
MI110800012 ? ? ? ? ? ? ? ? ?
No. The keys for CryptoLocker are randomly generated for each victim. There is no pattern.