Ensuring Optimum Protection for CryptoLocker and P2PZeus (GameOverZeus)

17076
Created On 09/26/18 19:13 PM - Last Modified 06/09/23 02:58 AM


Resolution


Background on the use of DGAs by Zeus and CryptoLocker

Many malware families, including Zeus and CryptoLocker, use domain generation algorithms (DGAs) to locate their command-and-control servers: each bot computes a list of candidate domains and queries them over DNS until it reaches one that the operators have actually registered, then receives its instructions from that server. These families may attempt up to 1,000 domains per day. Because most of those names are never registered, the resulting stream of unusual or failed DNS lookups is one of the most useful breadcrumbs for detecting an infected host.
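To make the "unusual DNS lookups" breadcrumb concrete, the following added example (not Palo Alto Networks code, and not the logic behind its Suspicious DNS signatures) scores query names for the lexical features a DGA heuristic typically relies on: label length, vowel ratio, consonant clusters and character entropy. The sample queries are constructed from three domains in the FBI CryptoLocker list reproduced later in this article, the Suspicious DNS example domain cited in the best-practices list, and some benign names; the feature thresholds and the cut-off are assumptions chosen for the example.

```python
"""Heuristic scoring of DNS query names for DGA-like structure.

Added example, not Palo Alto Networks code. Thresholds below are
assumptions for illustration, not vendor values.
"""
import math
from collections import Counter

# Constructed sample input: three domains from the FBI CryptoLocker list
# reproduced in this article, the Suspicious DNS example domain from the
# best-practices list, and benign names for contrast.
SAMPLE_QUERIES = [
    "srwjusavvdtgit.ru",
    "cyroeuvcjmawxh.ru",
    "lrivijijtdutyf.ru",
    "lilokobimqit.kz",
    "www.paloaltonetworks.com",
    "mail.google.com",
    "update.microsoft.com",
]

VOWELS = set("aeiou")


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD; assumes a single-label public suffix (not co.uk)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the label's own symbol frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(s: str) -> float:
    """Share of letters that are vowels; English words sit around 0.38."""
    letters = [c for c in s if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consecutive consonants."""
    best = run = 0
    for c in s:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, run)
    return best


def dga_score(fqdn: str) -> int:
    """Number of DGA-like features present (0-4); thresholds are assumptions."""
    label = registrable_label(fqdn)
    features = (
        len(label) >= 12,                   # long labels
        vowel_ratio(label) < 0.30,          # far fewer vowels than real words
        longest_consonant_run(label) >= 4,  # unpronounceable clusters
        shannon_entropy(label) >= 3.5,      # near-uniform character mix
    )
    return sum(features)


def flag_dga_like(queries, threshold: int = 2):
    """Return the query names whose score reaches the cut-off."""
    return [q for q in queries if dga_score(q) >= threshold]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{dga_score(q)}  {q}")
    print("flagged:", flag_dga_like(SAMPLE_QUERIES))
```

The three list domains score 2 to 4 and are flagged, while the benign names score 0 or 1. The Suspicious DNS example lilokobimqit.kz scores only 1 and slips through, which is the practical caveat: a lexical heuristic catches the obviously random names but not every generated domain, so it complements rather than replaces the signatures produced by reverse engineering the DGA itself, as described in the next section.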

 

Intelligence from the FBI on Zeus/Cryptolocker

As part of the takedown, the FBI provided Palo Alto Networks and other companies with intelligence that included roughly 250K domains that P2PZeus and CryptoLocker would reach out to over the following three years, obtained by reverse engineering the DGA of each family (the same approach Palo Alto Networks devices already use). After going through the lists, these were reduced to about 71K domains. Each of these domains only comes alive for one day and is dead the next.

 

From a DNS signature perspective, the Palo Alto Networks threat team creates signatures for these domains as they become live (signatures are released three days before the domains go live) and retires them as the next ones come online. This provides rolling coverage, which is more efficient because the device is not matching traffic against signatures for domains that can no longer fire.

 

From a PAN-DB perspective, malware entries are typically removed when the associated DNS signature is retired. Given the high-profile nature of this FBI notice, Palo Alto Networks is making an exception and adding all of the domains to PAN-DB at once. DNS signatures will continue with rolling coverage.

 

Other detection/prevention best practices for Zeus, CryptoLocker, and CryptoWall:

  • Use IPS (Vulnerability Protection) signatures to prevent client-side exploits that could drop Zeus or CryptoLocker
    • Consider inline blocking with a strict IPS policy, so that a drive-by download cannot exploit a client-side vulnerability and drop the malware on the system.
  • Leverage AV: Palo Alto Networks has substantial AV signature coverage for CryptoLocker and Zbot. CryptoLocker also arrives via social engineering, as malicious PDF/Office documents or ZIP attachments that contain malicious files.
    • AV naming can be very challenging to match across vendors. Coverage for many samples was added under the "Virus/Win32.generic.jnxyz" type name; other names in use include Trojan-Ransom, Ransom/Win32.crilock and Trojan/Win32.lockscreen. Search under "LOCK" in the Virus section of Threat Vault.
    • Trojan-SPY/Win32.zbot and PWS/Win32.zbot: search under "Zbot" in the Virus section of Threat Vault.
  • Use Spyware/CnC detection to find infected systems that may pull down additional variants. Ensure Spyware/DNS detection is enabled.
    • Suspicious DNS: investigate and remediate ANY suspicious DNS query. The querying hosts are most likely infected systems.
      • Example: Suspicious DNS Query (generic:lilokobimqit.kz) (4042599)
    • Spyware CnC signatures:
      • Search "zbot" or "Cryptolocker" in the Spyware section of Threat Vault for the latest coverage, including ID 13433 "CryptoLocker Command and Control Traffic", 13131 (Spyware-Zbot.p2p) and 13050 (Zbot.Gen Command and Control Traffic).
  • Use the URL Filtering subscription with PAN-DB to prevent payloads from being downloaded from malicious domains and to block connections to known malicious domains
    • Block the malware category, as well as the proxy-avoidance and P2P categories
    • Use a "continue" page on websites in the unknown category
  • Leverage WildFire to detect unknown and 0-day malware or droppers related to CryptoLocker or Zeus
    • WildFire automatically observes the malicious behaviour, classifies the sample as malware and pushes out AV, DNS and CnC signatures to prevent additional infections.
    • Note: at a minimum, all Microsoft Office, PDF, Java and PE files should be forwarded to WildFire.
  • Leverage file blocking:
    • Consider blocking all PE files, or use a "continue" page as a reminder if employees are allowed to download .EXE files
  • Decrypt webmail:
    • If an employee downloads a Fedex.ZIP that turns out to be CryptoLocker, make sure the firewall can inspect it with Threat Prevention; for HTTPS webmail that requires SSL decryption of the session.
  • Use the Botnet Report to find infected systems:
    • Review the Botnet Report to ensure you have not missed already-infected systems
  • Create a DNS sinkhole to find infected systems
    • Use the PAN-OS 6.0 DNS sinkhole feature so that already-infected systems can be identified easily, even when their queries reach the firewall through an internal DNS server rather than directly from the endpoint
  • Leverage the firewall logs:
    • Investigate tcp-unknown and udp-unknown (unidentified application) sessions. These could be the CnC channel of the malware or a remote access trojan beaconing out.
  • Software updates:
    • Employees should not install Adobe Reader, Flash or Java updates from pop-ups. Instead, push the updates to users centrally or have users visit the vendor websites directly. Malware authors use social engineering to get employees to install fake Reader, Flash and Java updates, and these are a common infection vector.
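The sinkhole item above deserves a worked illustration of why it finds infected systems that the DNS threat log alone cannot name. In most networks, endpoints send DNS queries to an internal resolver, so the firewall logs the resolver, not the infected workstation, as the source of a query for a CryptoLocker domain. When the firewall instead answers that query with a sinkhole address (in PAN-OS this is the sinkhole action on DNS signatures in the Anti-Spyware profile), the infected host opens a session to the sinkhole address and appears as the source in the traffic log. The following added example (not Palo Alto Networks code) correlates constructed, simplified threat-log and traffic-log lines to attribute each sinkhole hit to an internal host and the bad domain it resolved; the log layout, the internal resolver 10.0.0.53, the sinkhole address 192.0.2.1 and all hosts are assumptions for the example, and the known-bad domains are taken from the FBI list reproduced below.

```python
"""Correlating DNS sinkhole hits with traffic logs to find infected hosts.

Added example, not Palo Alto Networks code. Log fields, addresses and
hosts are constructed; the three known-bad domains come from the FBI
CryptoLocker list reproduced in this article.
"""
from datetime import datetime, timedelta

SINKHOLE_IP = "192.0.2.1"        # assumed sinkhole address (RFC 5737 test range)
INTERNAL_RESOLVER = "10.0.0.53"  # assumed internal DNS server

# Known-bad domains (from the FBI list on this page).
KNOWN_BAD = {"srwjusavvdtgit.ru", "cyroeuvcjmawxh.ru", "lrivijijtdutyf.ru"}

# Constructed, simplified threat-log lines: time, source, destination, query.
# Note that every query arrives from the internal resolver.
DNS_LOG = """\
2014-05-06 09:00:01,10.0.0.53,198.51.100.10,srwjusavvdtgit.ru
2014-05-06 09:00:02,10.0.0.53,198.51.100.10,www.paloaltonetworks.com
2014-05-06 09:03:10,10.0.0.53,198.51.100.10,cyroeuvcjmawxh.ru
2014-05-06 09:20:00,10.0.0.53,198.51.100.10,lrivijijtdutyf.ru
"""

# Constructed traffic-log lines: time, source, destination, destination port.
TRAFFIC_LOG = """\
2014-05-06 09:00:03,10.1.4.22,192.0.2.1,80
2014-05-06 09:00:05,10.1.4.22,203.0.113.7,443
2014-05-06 09:03:12,10.1.7.9,192.0.2.1,80
2014-05-06 09:20:01,10.1.4.22,192.0.2.1,80
2014-05-06 09:30:00,10.1.2.2,203.0.113.8,443
"""


def parse_log(text):
    """Split comma-separated log lines into (timestamp, src, dst, last field)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, last = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, last))
    return rows


def hosts_from_dns_log(dns_log):
    """Sources that queried known-bad domains.

    With an internal resolver in the path this only ever names the resolver,
    which is the limitation the sinkhole works around.
    """
    return {src for _, src, _, query in parse_log(dns_log) if query in KNOWN_BAD}


def infected_hosts(dns_log, traffic_log, window=timedelta(seconds=30)):
    """Map each host that connected to the sinkhole to the bad domain(s) resolved
    shortly before the connection (within `window`)."""
    bad_queries = [(t, q) for t, _, _, q in parse_log(dns_log) if q in KNOWN_BAD]
    result = {}
    for t, src, dst, _ in parse_log(traffic_log):
        if dst != SINKHOLE_IP:
            continue
        domains = {q for qt, q in bad_queries if timedelta(0) <= t - qt <= window}
        result.setdefault(src, set()).update(domains or {"<unknown>"})
    return result


if __name__ == "__main__":
    print("DNS log alone names:", hosts_from_dns_log(DNS_LOG))
    for host, domains in sorted(infected_hosts(DNS_LOG, TRAFFIC_LOG).items()):
        print(f"infected host {host}: {sorted(domains)}")
```

The DNS log on its own only yields the resolver address, whereas the sinkhole sessions in the traffic log expose two real endpoints, one of which resolved two different CryptoLocker domains. In production the same join is simply a traffic-log filter on the sinkhole destination address; the time-window join is only needed when you also want to know which domain each host was after.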

 

Cryptolocker Behavior Summary Example in WildFire

  • Created or modified files
  • Spawned new processes
  • Modified Windows registries
  • Modified registries or system configuration to enable auto start capability
  • Changed security settings of Internet Explorer
  • Used the POST method in HTTP
  • Created an executable file in a user document folder
  • Started a process from a user document folder
  • Deleted itself
  • Created a hidden executable file
  • Accessed honey files
  • Registered a file as auto-start from a local directory
  • Used direct IP instead of host name
  • Sample attempted to copy itself
  • Sample used a suspicious User-Agent

 

The following are example CryptoLocker domains from the FBI list for 5/6/14:

  • srwjusavvdtgit.ru
  • cyroeuvcjmawxh.ru
  • lrivijijtdutyf.ru
  • uhcnfwtpfcayqa.ru
  • dcdraouktfgamb.ru
  • mjxwjqqnhqpxln.ru
  • gvokgggxkhoefw.ru
  • boxblbanryhwhp.ru
  • qimhayesuxjyjp.ru
  • hqcgewkpofoywn.ru
  • jixtncyhsvfrwa.ru
  • aqnsrwovxikryf.ru
  • bsspfhnayuvwsd.ru
  • rbiojftwscbwrt.ru
  • xdskyfehjbfhtg.ru
  • mvtiohexaenqsy.ru
  • pfotdcrngdoikp.ru
  • wdlojxkvhayjox.ru
  • fupbpiycgrwlpc.ru
  • hqingcttomaxox.ru
  • osvwdclkohrndd.ru
  • hnrwotfkrskyen.ru
  • ayvpngeatjtfxf.ru
  • urfimdhlwjsfja.ru
  • jwclbtjkeowjmh.ru
  • epleanvnxjvjux.ru
  • dlfyucsaunfudn.ru

 

owner: maurisy



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3OCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail