An international operation is targeting the botnet behind the GOZeuS and CryptoLocker malware variants
By Edd Gent
An international operation to take down infrastructure behind two malware families will give computer users a “two-week window” to protect themselves, according to the National Crime Agency (NCA).
Operation Tovar began last Friday and is seeing the FBI, NCA, Europol, a host of technology firms and organisations across 11 countries take control of the command and control servers behind two related forms of malware known as GOZeuS, which steals personal information, and CryptoLocker, which encrypts victims’ hard drives before demanding a ransom to unlock them.
By disrupting the system the infected computers use to communicate with each other and with the criminals controlling them, the operation hopes to significantly reduce the malware’s effectiveness.
This should give the public an opportunity to rid themselves of the malware or safeguard against infection by making sure security software is installed and updated, running scans and checking that computer operating systems and applications are up to date.
Andy Archibald, deputy director of the NCA’s National Cyber Crime Unit, said: “Nobody wants their personal financial details, business information or photographs of loved ones to be stolen or held to ransom by criminals. By making use of this two-week window, huge numbers of people in the UK can stop that from happening to them.
“Whether you find online security complicated or confusing, or simply haven’t thought about keeping your personal or office computers safe for a while, now is the time to take action. Our message is simple: update your operating system and make this a regular occurrence, update your security software and use it, and think twice before clicking on links or attachments in unsolicited emails.”
More than 15,500 computers in the UK are currently infected with GOZeuS (also known as P2PZeuS), which is generally spread as a malicious attachment in an email. Once downloaded it links the victim’s computer to a peer-to-peer network of other infected machines, known as a botnet.
Once installed the malware monitors the victim’s activity until an opportunity arises to capture banking details or other private information, which is then transmitted back to the criminals via the botnet.
If the victim’s computer turns out not to offer a significant financial reward, GOZeuS can download and install CryptoLocker – another piece of malware which encrypts a user’s files before displaying a pop-up that demands a ransom, currently one Bitcoin (roughly £200-£300) for UK users.
The malware is believed to be responsible for the fraudulent transfer of hundreds of millions of pounds globally, and Operation Tovar is one of the largest industry and law enforcement collaborations attempted to date.
“This synchronised collaboration sets a new standard for that which is possible in the name of Internet security,” said Rik Ferguson, Trend Micro’s vice president for security research, in a blog post today.
“The ultimate goal of the law enforcement activity is to prevent infected computers from communicating with one another, significantly weakening the criminal infrastructure. While this blow is effective, it is not permanent and we expect the malicious networks to return to their former strength within weeks, if not days.”
The NCA said individuals may receive notifications from their Internet Service Providers that they are victims; as well as ensuring they are protected against the threat, they should back up all important files.
Members of the public who think they have lost money through malware such as GOZeuS and CryptoLocker should report it to Action Fraud.