A 2 Week Deadline To Clean Zeus And Cryptolocker. Really?

Global law enforcement bodies came together last week in an operation designed to disrupt two of the most pesky pieces of malware on the planet: Gameover Zeus and Cryptolocker.

Gameover Zeus, the alleged creator of whom, Evgeniy Bogacheve is now on the FBI’s Most Wanted list, was both pilfering people’s banking data and dropping the aggressive ransomware Cryptolocker. The latter was one of the most significant malware plagues of the last year, as it locked hundreds of thousands out of their machines and demanded payment of one Bitcoin.

The police effectively sinkholed the entire Gameover Zeus botnet infrastructure and took control of Cryptolocker command and control servers, thereby disrupting both malware operations. It was a big day for the “good guys”.

Why two weeks?

But the UK’s National Cyber Crime Unit put out a somewhat perplexing piece of advice: users have two weeks to rid their machines of Gameover and Cryptolocker, whilst getting a decent anti-virus to protect themselves in the future.

People rightly asked, why two weeks? What happens in 14 days? The answer is the two weeks was something of an estimate – a guess at how long it would take the criminal hackers to regain control of their bots. It could be more, it could be less. Either way, the advice people should take is the same advice security experts have been giving out for years: get protected as soon as possible if you aren’t already, always update your Windows OS (or whatever OS you’re using), scan your machine regularly and back-up your stuff.

What police have done is admirable and worthwhile, as any operation is that educates people and scares them into taking action to protect against malware. In doing so, the general public can help make the Gameover and Cryptolocker operations considerably less profitable for the crooks running them.

Cryptolocker is dead. Long live Cryptolocker

Yet we should also be slightly perturbed by that two-week figure. It’s a fairly short window of opportunity and proves that sinkholing operations, which saw “key nodes” in the peer-to-peer network of Gameover taken over, don’t bring down cyber criminal operations. Only arrests can do that and even then malware can always make a comeback. Code is rather difficult to kill.

And unfortunately, with no extradition agreement in place with Russia, it’s unlikely that the alleged mastermind of GameOver Zeus, Evgeniy Bogachev will actually be arrested any time soon.

The advice to use anti-virus might also bring a false sense of security. It’s likely the malware creators will tweak their code, or use encryption services that obfuscate binaries. That will render AV almost ineffective at blocking new strains of Gameover and Cryptolocker.

As Lucas Zaichkowsky, enterprise defense architect at AccessData, tells me, “there are severe limitations” with relying on AV. “I’ve rarely seen antivirus software catch new samples of ZeuS as they emerge. However, as antivirus definitions update, they have a fighting chance of removing the botnet malware anywhere from hours to days after infection.”

Others don’t believe AV will work at all in protecting against new versions of the malware. “For years the antivirus industry has been promoting a flawed product to the mass market as a protection product – a huge con. As a result, there are millions of business and home users who think that they are safe online, just by running an antivirus product – this is madness! Traditional antivirus products do not and can not protect you from new malware like Cryptolocker that they can’t detect – what Donald Rumsfeld would call ‘unknown unknowns’,” says CEO of security company Comodo Melih Abdulhayoglu.

This is hyperbole, of course. Whilst businesses should be doing a lot more than relying on AV, the reality for consumers is that it’s one of the few forms of anti-malware technology available to them. And if it has a fighting chance of protecting them, it’s wholly necessary.

It just won’t help bring about the ultimate death of Gameover or Cryptolocker, regardless of what happens over the next two weeks.

What do you know about Internet security? Find out with our quiz!