CryptoLocker ransomware infections collapse after Gameover takedown, researchers estimate

John E Dunn

Its effects were first documented by Dell SecureWorks under an early name, 'Prg Trojan', as long ago as June 2007, when the firm's researchers discovered a sizable cache of keylogged online bank account details and social security numbers. Many of those appeared to be connected to the high-profile breach of the US jobs site around the same time.

By 2011 and 2012, when it had morphed into what became known as the Zeus banking malware, it was being targeted by Microsoft's Digital Crimes Unit (DCU) in a controversial operation called Operation b71, a command and control takedown that also involved servers used by SpyEye and Ice-IX variants.

That operation, coincidentally, bears a superficial comparison with what happened last week, which suggests that Gameover will probably reconstitute itself in some form just as it did after b71.

One of the ways it evolved to fight off this kind of takedown was by moving to a P2P design - also used by the Sality, ZeroAccess and Kelihos botnets - in which there are no central C&C servers. This makes it inherently hard to detect, partly because infected nodes distribute communication across a large number of peers, each of which sees only a few of its neighbours, but also because many sit behind firewalls and NAT protection; the latter makes it incredibly difficult to get to grips with the size of the botnet. Many nodes become invisible.

The numerous companies and academic institutions that have helped research and probe for weaknesses in Gameover's P2P design have been very coy about how they broke into it. Suffice it to say that the basic principle was to trick the botnet into accepting sinkholes that emulated its P2P behaviour, isolating the other nodes as far as possible and then stopping the botnet from activating a fallback channel.

Not easy.

The sources Techworld contacted about these techniques did not want to go into more detail than that - many have been tracking Zeus and the later Gameover in detail for years and, incidentally, weren't best pleased when Microsoft made b71 public. Every takedown risks more precious intelligence leaking out.

But in this area, reticence is normal and well-established. Botnet designers are always looking for ways to harden their creations against sinkholing, and the Gameover attack appears to have used the technique with unparalleled success. Nobody wants to make it easy for them.

One possibility for the extra shyness this time could be that the researchers working on Gameover exploited a software vulnerability. Gameover is clever, innovative and successful, but it is software after all, and that makes it vulnerable.
