Heimdal Security recently participated in the takedown of two important pieces of data-stealing and financial malware: Zeus Gameover and CryptoLocker.

Zeus Gameover and CryptoLocker Takedowns

More than 1.2 million machines were infected with Zeus Gameover at the time of the takedown. Although far fewer machines were infected with CryptoLocker, the infection’s ferocity and its ransomware approach made this infamous malware more widely known and more dreaded than Zeus. What characterizes both of these types of malware is that their infrastructure is incredibly well made and, as with all good business approaches, easily scalable, meaning that the malware is relatively easy to deploy. Remember! Developing malware is a business. There aren’t many hackers left who do it for fun anymore, so the creators of malware think like a good venture fund. It’s all about scalability and profitability.

Lessons Learned

The recent large takedowns have taught malware developers one thing, though: malware operations are increasingly run covertly. Rather than large-scale operations, smaller and more agile operations are being deployed. Very large operations are highly profitable but riskier; smaller, more agile operations are highly effective and can easily reach the same financial potential, because they scale not only in the number of infections but in the number of operations running. What we are seeing at the moment is a fire-and-maneuver approach, intended to limit police organizations’ ability to take down entire networks. Just recently we have seen the rise of CryptoWall, CryptoLocker V2, CryptoDefense and ZeroLocker, which are all variants of the CryptoLocker idea. So authorities now have at least four, and most likely many more, variants to combat, all pursuing the same goal as before.

Over the last half-year or so, not only has the style of organizing malware attacks changed, but the attack vectors have also become increasingly precise in locating the best angle of attack. A very common attack path at the moment is directing attacks at well-known exploits in commonly used software, like Java, Acrobat Reader and Acrobat Flash, because this type of software is found on 99% of computers and thus the hit rate of finding software to exploit is high. We have recently covered the risks in these types of software, even when they are fully up to date. An exploit is usually used to open the “door” to your PC, so that a malware dropper can check your system’s security before the final malware is delivered.

So what can we do to protect ourselves?

Not only is it highly important that enforcement agencies increase their agility and ability to move more quickly, but as a PC user or CIO/CEO you need to fend for yourself as well. Most new attacks focus on delivering an infection from the online environment, either directly from the Internet or via phishing campaigns. Attackers are therefore using servers, domains and websites to deliver their attacks, possibly in connection with a mail server. The best way to protect against these attack types is to find a traffic filtering tool and combine it with a spam filter for your Exchange server; if you use Gmail as a private person, this is already included. In terms of traffic filtering from a corporate angle, you can use a range of technologies from BlueCoat, FireEye, Check Point, or Secure DNS from CSIS. As 95% of all organizations have mobile units, it is highly important that you find a traffic filtering solution for your clients.

Antivirus products have a broad line of reactive technologies implemented for protecting your computer against infections, and Endpoint Security Suite/Heimdal™ Threat Prevention can be used to gain specialized protection for pre-empting attacks and preventing infections targeting your financial or corporate data. More important, though, you need to consider what to do once you are infected, because at some point you will be infected by some type of malware or tool that will start sending data about you back across the Internet. Endpoint Security Suite and Heimdal™ Threat Prevention also offer data leakage protection, and I don’t know of any other current solutions that do the same.
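To make the traffic-filtering advice above concrete, here is a small added example (written for this edit; it is not Heimdal's product code nor that of any vendor named above). It runs two of the checks a DNS or proxy filter performs over a few constructed DNS query log lines: matching queried names against a domain blocklist (the placeholder domains are invented, not real indicators), and spotting a client that queries the same name at a steady interval, the regular "beaconing" pattern that an infected machine reporting back across the Internet tends to produce.

```python
"""Minimal DNS query-log filter: blocklist matching plus beacon detection.

Added example, not the page's own code. The blocklist and log lines are
constructed for this demonstration; the domains are placeholders.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed blocklist of domains a filter would refuse to resolve (hypothetical).
BLOCKLIST = {"bad-dropper.example", "c2.example"}

# Constructed log lines: ISO timestamp, client IP, queried name.
SAMPLE_LOG = """\
2014-06-02T10:00:01 10.0.0.5 www.example.org
2014-06-02T10:00:03 10.0.0.5 update.bad-dropper.example
2014-06-02T10:00:04 10.0.0.7 mail.example.org
2014-06-02T10:05:00 10.0.0.9 beacon.example.net
2014-06-02T10:10:00 10.0.0.9 beacon.example.net
2014-06-02T10:15:00 10.0.0.9 beacon.example.net
2014-06-02T10:20:00 10.0.0.9 beacon.example.net
2014-06-02T10:21:00 10.0.0.5 c2.example
"""


def parse_log(text):
    """Turn log text into (timestamp, client, qname) tuples; names are normalised."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        entries.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return entries


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname is a listed domain or any subdomain of one (suffix match)."""
    return any(qname == d or qname.endswith("." + d) for d in blocklist)


def find_blocked(text, blocklist=BLOCKLIST):
    """Return (client, qname) for every query that hits the blocklist."""
    return [(client, qname) for _, client, qname in parse_log(text)
            if is_blocked(qname, blocklist)]


def find_beacons(text, min_count=4, tolerance_s=30.0):
    """Flag (client, qname, period_seconds) where one client queries one name
    at least min_count times with near-constant spacing between queries."""
    buckets = defaultdict(list)
    for ts, client, qname in parse_log(text):
        buckets[(client, qname)].append(ts)
    hits = []
    for (client, qname), stamps in buckets.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Regular spacing (every gap within tolerance of the median) is the signal.
        if all(abs(g - period) <= tolerance_s for g in gaps):
            hits.append((client, qname, period))
    return hits


if __name__ == "__main__":
    for client, qname in find_blocked(SAMPLE_LOG):
        print(f"BLOCKED  {client} -> {qname}")
    for client, qname, period in find_beacons(SAMPLE_LOG):
        print(f"BEACON   {client} -> {qname} every {period:.0f}s")
```

The blocklist check is what a filtering proxy or secure DNS service does on every lookup; the beacon check is the complementary behavioural one, since a fresh variant will not be on any list on day one but still has to phone home on a schedule. In a real deployment the tolerance and minimum count would be tuned against the organisation's own traffic to keep legitimate periodic lookups (software updaters, monitoring agents) from being flagged.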


Thank you so much. Great article!
