IT Security Guru

Businesses face two-week race to be free from GOZeus

by The Gurus
June 4, 2014
in Editor's News

Businesses and users are now facing a two-week race to fix their computers after yesterday’s disruption of the botnet controlling GOZeuS.
 
The coordinated takedown saw the UK’s National Crime Agency, the FBI, Europol and a number of security companies collaborate to disrupt the botnet, which infected users with the banking malware and also used the CryptoLocker ransomware on victims.
 
Jason Steer, director of technology strategy at FireEye, called the work “very exciting for the industry and businesses”. He said: “It’s these kind of incidents that also strike the everyday public into action too. Everyone needs to make the most of this rare window of opportunity to protect themselves from this crimeware before the attack evolves and cyber criminals try and get back into your computers and data by another means.”
 
Asked why there was only a two-week opportunity for users to “clean” themselves from the malware, Lancope’s director of security research Tom Cross told IT Security Guru that he suspected that there was a legal effort to gain control of nodes, similar to the DNSchanger effort in 2012.
 
Cross said: “CryptoLocker can create a thousand new domain names and it becomes difficult to counter as it can control domain names. Maybe they took over servers, but it will work from new ones.
 
“There is a lot you can do with a botnet, as an operator can determine what the IP address is and see where an endpoint is located.”
 
Fred Touchette, senior security analyst at AppRiver, said the two-week window was rather curious, and he expected this amount of press would scare the group behind the botnet.
 
“It’s possible, considering this is a peer to peer botnet utilising an encryption scheme, to pass instructions back and forth between the machines on this botnet that perhaps they have figured out the current encryption scheme and have only two weeks before the encryption or the keys involved change,” he said. “Once again this is rather sensitive information for the press to leak out if this is actually the case, as the bad guys could simply just go ahead and change the algorithm right now if they thought they needed to.”
 
A spokesperson for the computer security incident response team (CSIRT) for the UK’s National Research and Education Network – Janet – told IT Security Guru that the botnet was suspected to consist of anywhere between 500,000 and one million infected systems, and that GOZeuS (also known as P2PZeuS) has been assessed as being responsible for the fraudulent transfer of hundreds of millions of pounds globally.
 
“Recent intelligence has suggested that more than 15,500 computers in the UK are currently infected, with many more potentially at risk,” they said. “Malware rates on our network Janet are significantly lower than on public networks due to a security policy that requires our customers to work with our CSIRT.”
 
Tim Kidd, operations director, Janet, part of the Jisc group, said: “The internet is crucial to modern life and particularly to those in the education and research sector. So we are pleased to work with the NCA to help make digital technologies for education and research safer.”
 
However, the main source of information for the public and businesses, the Get Safe Online website, suffered “unprecedented demand”, leading to slow loading of pages and 503 errors. CEO Tony Neate told The Drum that while it took advance action to increase its website capacity before the announcement was made, there was an unprecedented demand for the information. “It’s really encouraging that people are taking their online safety seriously and we are sorry that the advice hasn’t been accessible via the website,” he said. “We’re working really hard to fix this as quickly as possible but, in the meantime, the advice can be accessed via our Facebook and Google+ pages as well as on CERT.gov.uk.”
