Gameover and CryptoLocker revisited – the important lessons we can learn


We recently wrote about an international takedown operation, spearheaded by US law enforcement, against the Gameover and CryptoLocker malware.

That led to a resurgence of interest in our earlier articles about these threats.

So we thought it would be handy to revisit the lessons that this sort of crimeware can teach us.

Gameover – bigger of two evils

If we’re honest, Gameover is the more serious threat to worry about.

It’s a bot, or zombie, meaning that its function is to hand covert remote control of your computer over to cybercriminals.

They can go after your online banking credentials (and the Gameover gang did, to the tune of some $100m in the US alone), but they can also read your mail, mess with your social networking accounts, record your voice, turn on your webcam, and more.

In fact, the crooks can do pretty much anything they like, not least because Gameover, like most zombie malware, includes a general-purpose “download, install and launch yet more malware” function.

In other words, finding out you’ve had Gameover for the past month is like realising you forgot to hang up the phone and your boss has been listening in to the last 30 minutes of garrulous tittle-tattle you’ve been having with your chums.

You can’t be sure just how badly things might end up, but you know it’s not going to be good.

And one way that Gameover ended for many victims was with a CryptoLocker attack.

Gameover used to deliver CryptoLocker

That’s because the crooks used the Gameover botnet to infect selected victims with the CryptoLocker ransomware, which promptly called home, downloaded a disk-scrambling encryption key, and locked up their data.

Want it back? That’ll be $300.

For the most part, as far as we can see, victims who paid up did get their data back, and word quickly spread that the crooks were (if you will pardon the oxymoron) men of their word, with the result that business boomed.

Fellow Naked Security writer Chester Wisniewski, who speaks at a lot of conferences and seminars, even met people who shrugged and admitted that they’d handed over $300 to the crooks because it was less hassle than restoring from backup, and they’d heard that the crooks would probably honour the payment.

Honour, indeed!

So CryptoLocker ended up as better-known and more feared than Gameover, even though, for many people, Gameover was actually the cause of their CryptoLocker trouble.

You can see why CryptoLocker captured the imagination more than Gameover: CryptoLocker is one of those in-your-face, “so near but so far” threats.

If you get hit, your computer still works, your files are still there, and you can even open them up.

But if you do you will find they consist of the digital equivalent of shredded cabbage.

CryptoLocker attacks entire networks

Worse still, CryptoLocker doesn’t limit itself to scrambling files on your hard disk.

Any drives, shares and folders that you can find with Explorer are visible to the malware, and if it has write access to any of those places, the data stored there is shredded cabbage, too.

USB drives, secondary hard disks, network shares, perhaps even your cloud storage, if you have software loaded that makes it appear as a directory tree on your computer: all of these can end up ruined after a visit from CryptoLocker.

If your user account has Administrator privileges, or worse still, System Administrator privileges, you might end up spreading the ruination far and wide through your organisation.

At worst, a single user who is infected could leave all his work colleagues affected, even those who don’t use Windows and couldn’t get infected themselves, even if they tried.
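To see how far that reach extends for the account you use every day, you can probe each drive and share for real write access. This is an added example, not code from the original article; the function names `candidate_roots`, `can_write` and `write_reach` are made up for the illustration.

```python
import os
import string
import tempfile


def candidate_roots():
    """Drive letters on Windows (mapped shares included); mount points elsewhere."""
    if os.name == "nt":
        return [f"{d}:\\" for d in string.ascii_uppercase if os.path.isdir(f"{d}:\\")]
    try:
        with open("/proc/mounts", encoding="utf-8") as fh:
            return [line.split()[1] for line in fh if len(line.split()) > 1]
    except OSError:
        return ["/"]  # no /proc (e.g. macOS): fall back to the root volume


def can_write(path):
    """True only if this account can really create a file in `path`.

    An actual create-and-discard probe is used because permission bits alone
    do not reflect Windows ACLs or read-only network shares.
    """
    try:
        with tempfile.TemporaryFile(dir=path):
            return True
    except OSError:
        return False


def write_reach(roots):
    """Map each root to whether the current account can modify data there."""
    return {root: can_write(root) for root in roots}


if __name__ == "__main__":
    for root, writable in write_reach(candidate_roots()).items():
        print(f"{'WRITABLE' if writable else 'no write'}  {root}")
```

Every location reported as writable is one that malware running under the same account could scramble, so run it as your day-to-day user rather than as an Administrator.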

What to do?

Here are four suggestions that you can try yourself, and recommend to your friends and family.

• Don’t rely on reactive virus scanning.

Reactively scanning your computer once a week, or once a month, cannot, by definition, prevent malware. It’s a handy way of getting a “second opinion” about what’s on your computer, but make sure you also use a proactive anti-virus program with an on-access or real-time scanner for both files and web pages. Real-time protection steps in before infection happens, so it doesn’t just detect malware and malicious websites, it blocks them, too.

• Do consider email and web filtering.

Most businesses perform some sort of web or email filtering, to protect both the data and the staff in the organisation. If you have children to look after at home, or are the IT geek in a shared house, you might want to do the same sort of thing at home. (Sophos’s UTM Home Edition is our full-featured business product, totally free for non-commercial use at home. It even includes 12 Sophos Anti-Virus for Windows licences for your desktops and laptops.)

Blocking suspicious websites needn’t be about censoriousness or being a judgmental Big Brother. Instead, think of it as something you do because you’re a concerned parent, or because you’re watching your buddies’ backs.

• Don’t make your normal user account into an Administrator.

Privileged accounts can “reach out” much further and more destructively than standard accounts, both on your own hard disk and across the network. Malware that runs as administrator can do much more damage, and be much harder to get rid of, than malware running as a regular user.

For example, on Windows 8.1, you need to have at least one Administrator account, or else you wouldn’t be able to look after your computer. But you can create a second account to use for your day-to-day work and make that account into a Standard user.

• Do make time for regular, off-line backups.

Even cloud backups can be considered “off-line,” as long as you don’t keep your cloud storage mounted as if it were a local disk, where it can be accessed all the time, by any program. Also, consider using backup software that can keep multiple versions (revisions) of regularly-changing files such as documents and spreadsheets, so that if you ruin a file without realising it, you don’t end up with a backup that is equally ruined.

If you use the cloud for backup, we nevertheless recommend taking regular physical copies, for example onto removable USB disks, that you can keep somewhere physically secure, such as a safe-deposit box. Don’t risk losing everything if you lose your computer together with your cloud storage password, or if your cloud provider goes bust (or gets shut down).

Encrypting your backups as you save them to removable disks or before you upload them to the cloud is also wise. That way they are shredded cabbage to everyone else.
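The point about keeping multiple revisions can be shown in a few lines: a backup that stores each changed version separately still holds the good copy after a file has been scrambled. This is an added example, not code from the original article; the names `backup`, `revisions` and `restore` are made up for the illustration, and `store` is assumed to be a folder on a disk you attach only while backing up.

```python
import hashlib
import shutil
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large documents do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def revisions(store, name):
    """Stored revisions of the file called `name`, oldest first."""
    return sorted((Path(store) / name).glob("*.rev"))


def backup(src, store, keep=5):
    """Save `src` as a new revision if its content changed since the last one.

    Returns the new revision's path, or None when the content is unchanged.
    """
    src = Path(src)
    folder = Path(store) / src.name
    folder.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    existing = revisions(store, src.name)
    seq = 1
    if existing:
        last_seq, last_digest = existing[-1].stem.split("_", 1)
        if last_digest == digest:
            return None  # identical content: do not use up a revision slot
        seq = int(last_seq) + 1
    target = folder / f"{seq:06d}_{digest}.rev"
    shutil.copy2(src, target)
    # Prune oldest revisions beyond `keep`. A file that is scrambled once and
    # then left alone adds only one revision, so the clean copy survives.
    for old in revisions(store, src.name)[:-keep]:
        old.unlink()
    return target


def restore(store, name, dest, index=-1):
    """Copy revision `index` (-1 = newest, -2 = the one before) to `dest`."""
    shutil.copy2(revisions(store, name)[index], dest)
    return Path(dest)
```

After a file has been ruined and backed up once more, `restore(store, name, dest, index=-2)` brings back the version from before the damage.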

The bottom line

The operation against Gameover and CryptoLocker by law enforcement is most welcome, and should be applauded.

But the mopping-up part of the operation is down to us.

The criminal business empires that have grown up around botnets like Gameover would rapidly fall apart if we kept our computers clean in the first place.

Kill-a-zombie today!
