Over the last few weeks there has been a new episode in the on-going saga between the banking system and the Zeus and Cryptolocker families of malware. The UK National Crime Agency issued an unprecedented warning over GOZeuS and CryptoLocker PC malware, which has already enabled cyber criminals to steal hundreds of millions of pounds through the theft of bank login credentials. A similar alert was raised in the US by the US-Cert.
GameOver Zeus (GOZ) is a bank credential-stealing malware first identified in 2011 that has plagued the banking industry since then. It’s often used by cybercriminals to target Windows based personal computers and web servers and carry out command-control attacks. Like many malware families today, Zeus and Cryptolocker utilise various Domain Generation Algorithms (DGA) to reach out to their command and control servers via DNS to establish contact and receive instructions. There are up to 1,000 domains per day that these families may reach out to. This can be one of the crucial breadcrumbs that help companies like Palo Alto detect them.
As part of the proactive takedown initiated by the FBI in 2014, Palo Alto Networks and other companies, received intelligence that included about 250,000 URLs that P2PZeus and Cryptolocker will reach out to for the next 3 years.
John Harrison, the Palo Alto threat prevention expert, has provided a list of best practices to ensure optimum and continuous protection from the “Crypto” and “Zeus” families, which respectively include Cryptolocker, CryptoDefense, or Cryptowall and P2PZeus, Zbot, GameOverZeus or GOZ, and may continue to resurface as other, as yet undefined versions. Note that these best practices are applicable to many of malware families. These best practices include:
- Use IPS signatures to prevent vulnerabilities from being exploited by client-side attacks that could drop Zeus or Cryptolocker.
- Use Palo Alto Networks AV signature coverage for Cryptolocker and Zbot. Cryptolocker can come via social engineering through PDFs/Office documents or ZIP attachments that include malicious files.
- Ensure DNS detection is enabled. Spyware and Command and Control detection will find infected systems that may pull down additional variants.
- Utilise URL Filtering to prevent threats from being downloaded from malicious domains.
- Turn-on Wildfire as it can detect unknown and zero-day malware or dropper related to Cryptolocker or Zeus.
- Leverage file blocking – consider blocking all PE files or use a ‘continue page’ as an explicit warning to employees if they are allowed to download executable.
- Decrypt from webmail – if an employee downloads a Fedex.ZIP that turns out to be Cryptolocker, make sure it gets inspected with threat prevention.
- Track down and identify already infected systems – leverage the Botnet report provided by Palo Alto Networks to ensure that you haven’t missed already infected systems.
- Create a Sinkhole to systematical find infected systems – beyond the Botnet report, use this PAN-OS 6.0 feature to ensure that you are finding already infected systems easily.
- Leverage firewall alert systems – investigate ALL TCP-unknown and UDP — unknown alerts. These could be the Command and Control vector for the malware or remote access trojan beaconing out.
- Control your software update process – malware authors prey on social engineering tactics to get your employees to install fake Reader, Flash and Java updates – but these can be part of the infection vector. It’s important that you recommend that employees do not install Adobe Reader, Flash and Java updates from unofficial sources if these pop-up. You might consider having all update installs controlled by the IT group or to explicitly direct users to visit the official software vendor website for updates.
blueAPACHE and Palo Alto work together to provide our clients with support and server or cloud protection against malware threats including CryptoLocker and GameOver Zeus.
For more information on this article, visit the original post at Palo Alto here.
For details on how to implement these best practices (and ensure you are protected by Palo Alto new generation firewalls), contact the blueAPACHE account team here.