The U.S. Department of Justice announced today that the Gameover Zeus (GOZ) botnet has been taken down in an effort dubbed "Operation Tovar." The action was the result of a multinational effort between government agencies, law enforcement, and private companies to shut down the massive botnet responsible for more than $100 million in losses for victims. The cooperation necessary to take down the botnet is impressive, but there will be more, and it's important for individuals to understand how to avoid falling victim to these threats.
CrowdStrike is one of the private companies that was heavily involved in Operation Tovar, and it worked with the United Kingdom's National Crime Agency, the FBI, Europol, global law enforcement, and other players in the private sector. Adam Meyers, VP of intelligence at CrowdStrike, described the results of Operation Tovar. "Over 500,000 infected machines were effectively disconnected from criminal control," he said. "The actors behind GOZ and Cryptolocker, which were both impacted by the recent actions, have done significant damage against unsuspecting victims."
Dwayne Melancon, CTO of Tripwire, praised Operation Tovar. "I think this is an excellent opportunity to make progress against a huge Internet threat," he said. "Taking out the command-and-control servers of a botnet is a monumental task, and this effort will make a significant difference and at least allow us to regain a foothold."
Melancon also cautioned, however, that botnets are extremely resilient, and he believes it won't be long before a new command-and-control structure fills the void. Even if it's not this botnet, there will be other botnets, so the question really is, "How can users avoid getting compromised by a botnet?"
"Consumers and businesses should use the free tools, Microsoft is a good place to start, to see if they have botnet malware on their systems," said Lamar Bailey, director of security research for Tripwire. "If they do, they should remove it as soon as possible and apply all patches necessary to protect against reinfection."
Bailey also recommends that users patch their operating systems and applications on a regular basis to guard against malware like Cryptolocker and run vulnerability detection scans to identify holes that could be exploited by attackers.
Lucas Zaichkowsky, an enterprise defense architect with CrowdStrike, pointed out that most antimalware tools do a poor job of identifying and blocking botnet threats and offered this advice to help individuals avoid becoming victims:
- Block email attachments containing executable files or ZIP files with executable files like EXE and SCR.
- Use vulnerability mitigation software to make up for unpatched software and avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks--including rare zero-days--before software patches are even available. Also, EMET can be managed in corporate environments using Group Policies.
- Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise. Free antivirus software such as Microsoft Security Essentials or AVG Free are just as good as commercial offerings, so don't feel like you have to pay money to get a good product.
For organizations with security staff, I recommend learning how to do manual analysis so incidents can be fully investigated to uncover what the existing security tools don't reveal. Being unaware that passwords have been stolen can result in dire consequences such as wire fraud or data theft as we saw in the recent eBay incident where attackers used employee credentials to login and make their way to the database.