Over the last few weeks we had a new episode in the ongoing saga between the banking system and the Zeus and Cryptolocker families of malware. The UK National Crime Agency issued an unprecedented warning over GOZeuS and CryptoLocker PC malware, which has already enabled cyber criminals to steal hundreds of millions of pounds through the theft of bank login credentials. A similar alert was raised in the US by US-CERT.
Below are some recommended best practices from John Harrison, our resident threat prevention expert, to ensure optimum and continuous protection from the “Crypto” and “Zeus” families, which include, respectively, Cryptolocker, CryptoDefense and Cryptowall, and P2PZeus, Zbot and GameOverZeus (GOZ), and which may continue to resurface as other, as-yet-undefined versions. Note that these best practices are applicable to many malware families.
Background on Zeus and Cryptolocker:
GameOver Zeus (GOZ) is a bank credential-stealing malware first identified in 2011 that has plagued the banking industry since then. It is often used by cybercriminals to target Windows-based personal computers and web servers and to carry out command-and-control attacks.
Like many malware families today, Zeus and Cryptolocker utilize various Domain Generation Algorithms (DGAs) to reach their command and control servers: the malware generates candidate domain names and resolves them via DNS to establish contact and receive instructions. These families may reach out to as many as 1,000 domains per day. This can be one of the crucial breadcrumbs that help us detect them.
As part of the proactive takedown initiated by the FBI in 2014, Palo Alto Networks and other companies received intelligence that included about 250,000 URLs that P2PZeus and Cryptolocker would reach out to over the next 3 years.
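The two breadcrumbs just described, DGA-style domain churn and a list of known domains from takedown intelligence, can both be checked against DNS query logs. The script below is an added example written for this post, not Palo Alto Networks code: it parses a constructed, simplified DNS log (timestamp, client, query name, response code), flags clients whose queries match a placeholder indicator set standing in for the takedown list, and flags clients that issue several long, high-entropy, vowel-poor second-level labels, which is a common DGA signature. The thresholds, the sample log lines and the `KNOWN_BAD_DOMAINS` set are all assumptions; the second-level-label extraction is deliberately naive (it does not know public suffixes such as `co.uk`), so a production version would use a public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS log (not real traffic): "<time> <client_ip> <qname> <rcode>"
SAMPLE_DNS_LOG = """\
10:00:01 10.1.1.5 www.example.com NOERROR
10:00:02 10.1.1.5 mail.example.com NOERROR
10:00:03 10.1.1.9 kqzvxwplmtrb.com NXDOMAIN
10:00:04 10.1.1.9 xjfqhtzkwvnp.net NXDOMAIN
10:00:05 10.1.1.9 bwqzrklmvtxh.biz NXDOMAIN
10:00:06 10.1.1.9 tpxkqzvfwhjm.org NXDOMAIN
10:00:07 10.1.1.9 downloads.example.net NOERROR
10:00:08 10.1.1.12 updates.example.org NOERROR
10:00:09 10.1.1.12 placeholder-known-bad.example NOERROR
"""

# Placeholder standing in for takedown intelligence; NOT a real indicator.
KNOWN_BAD_DOMAINS = {"placeholder-known-bad.example"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")
VOWELS = set("aeiou")


def parse_dns_log(text):
    """Parse the simplified log format into a list of dicts; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower().rstrip("."), "rcode": rcode})
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname):
    """Naive second-level label: 'www.example.com' -> 'example'. No public-suffix handling."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def looks_generated(qname, min_len=10, entropy_threshold=3.2, max_vowel_ratio=0.25):
    """Heuristic DGA test: long label, high entropy, few vowels. Thresholds are assumptions."""
    label = registered_label(qname)
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(1 for c in letters if c in VOWELS) / len(letters)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio <= max_vowel_ratio


def triage(records, known_bad=KNOWN_BAD_DOMAINS, min_suspicious=3):
    """Return {client: {...}} for clients with blocklist hits or DGA-like query bursts."""
    per_client = defaultdict(lambda: {"blocklist_hits": [], "generated": [],
                                      "nxdomain": 0, "total": 0})
    for r in records:
        c = per_client[r["client"]]
        c["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            c["nxdomain"] += 1  # DGA clients typically pile up NXDOMAINs
        if r["qname"] in known_bad:
            c["blocklist_hits"].append(r["qname"])
        elif looks_generated(r["qname"]):
            c["generated"].append(r["qname"])
    findings = {}
    for client, c in per_client.items():
        reasons = []
        if c["blocklist_hits"]:
            reasons.append("known-bad domain")
        if len(c["generated"]) >= min_suspicious:
            reasons.append("DGA-like queries")
        if reasons:
            findings[client] = {"reasons": reasons, **c}
    return findings


if __name__ == "__main__":
    for client, info in triage(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, info["reasons"], "nxdomain=%d/%d" % (info["nxdomain"], info["total"]))
```

Running it lists `10.1.1.9` (four random-looking labels, all NXDOMAIN) and `10.1.1.12` (one indicator hit) and leaves `10.1.1.5` alone. The entropy/vowel test on its own will mis-classify some legitimate names (CDN hostnames, hashed labels), which is why the script also requires a minimum count per client and reports the NXDOMAIN ratio alongside; treat the output as a triage queue, not a verdict.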
- Use IPS signatures to prevent vulnerabilities from being exploited by client-side attacks that could drop Zeus or Cryptolocker. Consider inline blocking with a strict IPS policy. Prevent the client-side vulnerability from being exploited with a drive-by download that would drop the malware on the system.
- Use Palo Alto Networks AV signature coverage for Cryptolocker and Zbot. Cryptolocker can come via social engineering through PDFs/Office documents or ZIP attachments that include malicious files. Unfortunately, names are not the best way to identify these malicious files. Our threat prevention features will automatically block known malicious files. We have added coverage for many samples under the "Virus/Win32.generic.jnxyz" type name:
  - Trojan-Ransom, Ransom/Win32.crilock, Trojan/Win32.lockscreen — to see our coverage, search under "LOCK" in the Virus Threat Vault.
  - Trojan-SPY/Win32.zbot and PWS/Win32.zbot — to see our coverage, search under "Zbot" in the Virus Threat Vault.
- Ensure DNS detection is enabled! Spyware and Command and Control detection will find infected systems that may pull down additional variants.
- Suspicious DNS - Investigate and remediate ALL suspicious DNS queries. These are most likely infected systems!
- Spyware command and control signatures - Search "zbot" or "Cryptolocker" in the Threat Vault under spyware for the latest coverage, including ID 13433 "CryptoLocker Command and Control Traffic", ID 13131 "Spyware-Zbot.p2p" and ID 13050 "Zbot.Gen Command and Control Traffic".
- Subscribe to our URL Filtering to prevent threats from being downloaded from malicious domains.
- Block the Malware category, as well as the proxy-avoidance and peer-to-peer categories.
- Use a "Continue page" on unknown category websites
- Turn on WildFire, as it can detect unknown and zero-day malware or droppers related to Cryptolocker or Zeus.
- Wildfire will automatically flag the malicious behavior and will create and push out AV, DNS and Command and Control signatures to deployed Palo Alto Networks firewalls to prevent additional employees from being infected.
- As a general rule, all Microsoft Office, PDF, Java and Portable Executable (PE) files should be sent to WildFire for behavior inspection.
- Leverage file blocking: Consider blocking all PE files, or use a 'continue page' as an explicit warning to employees if they are allowed to download executables.
- Decrypt from webmail: If an employee downloads a Fedex.ZIP that turns out to be Cryptolocker, make sure it gets inspected with our threat prevention.
- Track down and identify already infected systems: Leverage the Botnet report provided by Palo Alto Networks to ensure that you haven't missed already infected systems.
- Create a sinkhole to systematically find infected systems: Beyond the Botnet report, use this PAN-OS 6.0 feature to ensure that you are finding already infected systems easily.
- Leverage our firewall alert system: Investigate ALL TCP-unknown and UDP-unknown alerts. These could be the Command and Control vector for the malware, or a remote access trojan beaconing out.
- Control your software update process: Malware authors rely on social engineering tactics to get your employees to install fake Reader, Flash and Java updates, and these can be part of the infection vector. It is important to instruct employees not to install Adobe Reader, Flash or Java updates from unofficial sources if these pop up. Consider having all update installs controlled by the IT group, or explicitly direct users to visit the official software vendor website for updates.
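Two of the hunting steps above, checking which internal hosts hit the DNS sinkhole and reviewing unknown-TCP/UDP traffic for beaconing, lend themselves to a small log-triage script. The example below is added here and is not Palo Alto Networks code; it works on a constructed, simplified traffic-log format (ISO timestamp, source IP, destination IP, destination port, application name) rather than the real PAN-OS CSV export, and the sinkhole address, the application names and the sample rows are assumptions. It reports every source that contacted the sinkhole address, and every source whose unknown-application flows to one destination recur at a regular interval (low coefficient of variation of the inter-arrival times), which is the classic shape of a command-and-control beacon.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample traffic log (not real PAN-OS output):
# "<ISO time> <src_ip> <dst_ip> <dst_port> <app>"
SAMPLE_TRAFFIC_LOG = """\
2014-06-10T10:00:00 10.1.1.9 203.0.113.7 8443 unknown-tcp
2014-06-10T10:05:00 10.1.1.9 203.0.113.7 8443 unknown-tcp
2014-06-10T10:10:01 10.1.1.9 203.0.113.7 8443 unknown-tcp
2014-06-10T10:15:00 10.1.1.9 203.0.113.7 8443 unknown-tcp
2014-06-10T10:20:00 10.1.1.9 203.0.113.7 8443 unknown-tcp
2014-06-10T10:00:12 10.1.1.5 198.51.100.20 443 ssl
2014-06-10T10:03:40 10.1.1.5 198.51.100.20 443 ssl
2014-06-10T10:31:05 10.1.1.5 198.51.100.20 443 ssl
2014-06-10T10:01:00 10.1.1.12 192.0.2.250 80 web-browsing
2014-06-10T10:02:00 10.1.1.14 203.0.113.99 6000 unknown-udp
2014-06-10T10:47:00 10.1.1.14 203.0.113.99 6000 unknown-udp
"""

SINKHOLE_IP = "192.0.2.250"            # assumed sinkhole address (placeholder)
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}  # assumed application labels

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")


def parse_traffic_log(text):
    """Parse the simplified log into dicts with a datetime 'ts'; skips malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, app = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                        "dport": int(dport), "app": app})
    return records


def interval_stats(timestamps):
    """Return (mean_interval_seconds, coefficient_of_variation) for sorted timestamps.
    Needs at least two intervals; returns (0.0, inf) otherwise."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0, float("inf")
    m = mean(gaps)
    return m, pstdev(gaps) / m


def triage_traffic(records, sinkhole_ip=SINKHOLE_IP, min_events=4, max_cv=0.2):
    """Return {src_ip: [reason, ...]} for sinkhole contacts and regular unknown-app beacons."""
    findings = defaultdict(list)
    flows = defaultdict(list)  # (src, dst, dport, app) -> timestamps
    for r in records:
        if r["dst"] == sinkhole_ip:
            if "contacted sinkhole %s" % sinkhole_ip not in findings[r["src"]]:
                findings[r["src"]].append("contacted sinkhole %s" % sinkhole_ip)
        if r["app"] in UNKNOWN_APPS:
            flows[(r["src"], r["dst"], r["dport"], r["app"])].append(r["ts"])
    for (src, dst, dport, app), ts in flows.items():
        if len(ts) < min_events:
            continue  # too few events to judge regularity
        avg, cv = interval_stats(ts)
        if cv <= max_cv:
            findings[src].append("regular %s beacon to %s:%d every ~%ds (%d events)"
                                 % (app, dst, dport, round(avg), len(ts)))
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in triage_traffic(parse_traffic_log(SAMPLE_TRAFFIC_LOG)).items():
        for reason in reasons:
            print(src, "-", reason)
```

On the sample data `10.1.1.12` is reported for touching the sinkhole and `10.1.1.9` for five unknown-tcp connections to one host roughly every 300 seconds; the two-event `unknown-udp` pair from `10.1.1.14` is not enough to judge, and the `ssl` flows are ignored because only unknown applications are scored. Jittered beacons will push the coefficient of variation up, so `max_cv` is a tuning knob rather than a fixed constant, and the sinkhole check should be run over the full retention window, since a single hit is enough to mark a host for remediation.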
For more technical details on how to implement the above, join the Palo Alto Networks technical community at and download our most recent Threat Prevention Deployment Tech Note.