{"id":6041,"date":"2014-07-07T10:40:41","date_gmt":"2014-07-07T17:40:41","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=6041"},"modified":"2014-07-07T10:35:08","modified_gmt":"2014-07-07T17:35:08","slug":"banking-security-best-practices-zeus-cryptolocker","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2014\/07\/banking-security-best-practices-zeus-cryptolocker\/","title":{"rendered":"Banking Security: Best Practices for Zeus and Cryptolocker"},"content":{"rendered":"<p>Over the last few weeks there was a new episode in the ongoing saga between the banking system and the Zeus and Cryptolocker families of malware. The <a href=\"http:\/\/www.theinquirer.net\/inquirer\/news\/2350303\/nca-warns-thousands-still-at-risk-from-gameover-zeus-and-cryptolocker-malware\" rel=\"nofollow,noopener\" target=\"_blank\">UK National Crime Agency issued an unprecedented warning over GOZeuS and CryptoLocker PC malware<\/a>, which has already enabled cybercriminals to steal hundreds of millions of pounds through the theft of bank login credentials. A similar alert was raised <a href=\"http:\/\/www.us-cert.gov\/ncas\/alerts\/TA14-150A\" rel=\"nofollow,noopener\" target=\"_blank\">in the US by US-CERT<\/a>.<\/p>\n<p>Below are some recommended best practices from John Harrison, our resident threat prevention expert, to ensure optimum and continuous protection from the \u201cCrypto\u201d and \u201cZeus\u201d families, which respectively include Cryptolocker, CryptoDefense and Cryptowall, and P2PZeus, Zbot and GameOverZeus (GOZ), and which may continue to resurface as other, as-yet-undefined versions. Note that these best practices apply to many other malware families as well.<\/p>\n<p><strong>Background on Zeus and Cryptolocker:<\/strong><!--more--><\/p>\n<p>GameOver Zeus (GOZ) is bank-credential-stealing malware first identified in 2011 that has plagued the banking industry ever since.
It\u2019s used by cybercriminals to target Windows-based personal computers, which are then controlled through a peer-to-peer command-and-control infrastructure (hence the name P2PZeus).<\/p>\n<p>Like many malware families today, Zeus and Cryptolocker use Domain Generation Algorithms (DGA): the malware computes long lists of pseudo-random candidate domain names and queries them over DNS until one resolves to a live command and control server, from which it receives instructions. These families may reach out to up to 1,000 domains per day, and most of those lookups fail because the domains were never registered. That burst of unusual, mostly unresolvable DNS queries is one of the crucial breadcrumbs that help us detect infected hosts.<\/p>\n<p>As part of the proactive takedown initiated by the FBI in 2014, Palo Alto Networks and other companies received intelligence that included about 250,000 URLs that P2PZeus and Cryptolocker will reach out to over the next three years.<\/p>\n<ol>\n<li><strong>Use IPS signatures to prevent vulnerabilities from being exploited by client-side attacks that could drop Zeus or Cryptolocker. <\/strong>Consider inline blocking with a strict IPS policy, so that a drive-by download cannot exploit a client-side vulnerability and drop the malware on the system.<\/li>\n<\/ol>\n<ol start=\"2\">\n<li><strong>Use Palo Alto Networks AV signature coverage for Cryptolocker and Zbot. <\/strong>Cryptolocker can arrive via social engineering, through PDF or Office documents or ZIP attachments that contain malicious files. Unfortunately, file names are not a reliable way to identify these malicious files. Our threat prevention features will automatically block known malicious files.
We have added coverage for many samples under the \"Virus\/Win32.generic.jnxyz\" type name:<\/li>\n<\/ol>\n<ul>\n<li>Trojan-Ransom, Ransom\/Win32.crilock, Trojan\/Win32.lockscreen \u2014 to see our coverage, search under \"LOCK\" in the Virus Threat Vault.<\/li>\n<li>Trojan-SPY\/Win32.zbot and PWS\/Win32.zbot \u2014 to see our coverage, search under Zbot in the Virus Threat Vault.<\/li>\n<\/ul>\n<ol start=\"3\">\n<li><strong>Ensure DNS detection is enabled! <\/strong>Spyware and command-and-control detection will find infected systems, which may otherwise pull down additional variants.<\/li>\n<\/ol>\n<ul>\n<li>Suspicious DNS - investigate and remediate ALL suspicious DNS queries. The hosts making them are most likely infected systems! Note that if clients resolve through an internal DNS server, the firewall sees the query coming from that server rather than from the client; the sinkhole in item 9 addresses this.<\/li>\n<li>Spyware command-and-control signatures - search \"zbot\" or Cryptolocker in Threat Vault under spyware for the latest coverage, including ID 13433 \"CryptoLocker Command and Control Traffic\", ID 13131 (Spyware-Zbot.p2p) and ID 13050 (Zbot.Gen Command and Control Traffic).<\/li>\n<\/ul>\n<ol start=\"4\">\n<li><strong>Subscribe to our URL Filtering to prevent threats from being downloaded from malicious domains.<\/strong><\/li>\n<\/ol>\n<ul>\n<li>Block the malware category, as well as proxy-avoidance and peer-to-peer.<\/li>\n<li>Use a \"continue\" page for websites in the unknown category.<\/li>\n<\/ul>\n<ol start=\"5\">\n<li><strong>Turn on WildFire, as it can detect unknown and zero-day malware or droppers related to Cryptolocker or Zeus.<\/strong><\/li>\n<\/ol>\n<ul>\n<li>WildFire will automatically flag the malicious behavior and will create and push out AV, DNS and command-and-control signatures to deployed Palo Alto Networks firewalls to prevent additional employees from being infected.<\/li>\n<li>As a general rule, all Microsoft Office, PDF, Java and Portable Executable (PE) files should be sent to WildFire for behavioral inspection.<\/li>\n<\/ul>\n<ol start=\"6\">\n<li><strong>Leverage file blocking: <\/strong>consider blocking all PE files, or use a \"continue\" page as an explicit warning to employees if they are allowed to download executables.<\/li>\n<\/ol>\n<ol start=\"7\">\n<li><strong>Decrypt webmail: <\/strong>if an employee downloads a Fedex.zip over HTTPS webmail that turns out to be Cryptolocker, threat prevention can only inspect it if the session is decrypted, so make sure SSL decryption covers webmail.<\/li>\n<\/ol>\n<ol start=\"8\">\n<li><strong>Track down and identify already infected systems: <\/strong>leverage the Botnet report provided by Palo Alto Networks to ensure that you haven't missed already infected systems.<\/li>\n<\/ol>\n<ol start=\"9\">\n<li><strong>Create a DNS sinkhole to systematically find infected systems: <\/strong>beyond the Botnet report, use this PAN-OS 6.0 feature, which answers queries for known malicious domains with a sinkhole IP address of your choosing. The infected host then connects to that address, so the firewall logs identify the actual client rather than your internal DNS server.<\/li>\n<\/ol>\n<ol start=\"10\">\n<li><strong>Leverage our firewall alert system: <\/strong>investigate ALL unknown-tcp and unknown-udp alerts. These could be the command-and-control channel of the malware, or a remote access trojan beaconing out.<\/li>\n<\/ol>\n<ol start=\"11\">\n<li><strong>Control your software update process: <\/strong>malware authors use social engineering to get your employees to install fake Adobe Reader, Flash and Java updates, and these fake updates are a common infection vector. Instruct employees not to install Adobe Reader, Flash or Java updates from unofficial sources when such pop-ups appear.
Consider having all update installs controlled by the IT group, or explicitly direct users to the official software vendor website for updates.<\/li>\n<\/ol>\n<p>For more technical details on how to implement the above, <a href=\"https:\/\/live.paloaltonetworks.com\/welcome\" target=\"_blank\">join the Palo Alto Networks technical community<\/a> and download our most recent <a href=\"https:\/\/live.paloaltonetworks.com\/docs\/DOC-3094\" target=\"_blank\">Threat Prevention Deployment Tech Note<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the last few weeks there was a new episode in the ongoing saga between the banking system and the Zeus and Cryptolocker families of malware. The UK National Crime Agency issued &hellip;<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[155,416,131,410],"tags":[549,220,551,550,69,548],"coauthors":[706],"class_list":["post-6041","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-2","category-financial-services","category-malware-2","category-vertical","tag-banking","tag-cryptolocker","tag-domain-generation-algorithms","tag-gameover","tag-wildfire","tag-zeus"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6041","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/orig
in-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=6041"}],"version-history":[{"count":8,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6041\/revisions"}],"predecessor-version":[{"id":6049,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/6041\/revisions\/6049"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=6041"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=6041"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=6041"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=6041"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
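The DNS-side detection the post describes (the DGA lookups of the background paragraph and the suspicious-DNS queries of item 3) and the session-side detection of items 9 and 10 (hosts that connect to the sinkhole address, and unknown-tcp/unknown-udp sessions that beacon out), as one added worked example. This is not Palo Alto Networks code and uses no PAN-OS log format or API: the DNS and session log lines, the one-entry excerpt of a takedown intel list, the sinkhole address 10.255.255.1, the client addresses and the thresholds are all constructed assumptions for the example. A client is flagged by three independent signals (a query for a domain on the intel list, a burst of NXDOMAIN answers, and many long high-entropy low-vowel domain labels, which also catches variants the list does not yet know), and the same host is then correlated against sinkhole connections and against evenly spaced unknown-tcp sessions to a single destination.

```python
# Added example (not Palo Alto Networks code): DNS- and session-side triage for
# DGA malware. Logs, addresses, intel excerpt and thresholds are constructed.
import math
import statistics
from collections import defaultdict

# Constructed DNS log, "epoch client qname rcode"; 10.0.5.23 is the infected host.
DNS_LOG = """\
1404730000 10.0.5.23 www.example.com NOERROR
1404730002 10.0.5.23 qtwkedbhgsxd.ru NXDOMAIN
1404730003 10.0.5.23 pzmvhrjkslqe.net NXDOMAIN
1404730005 10.0.5.23 fdkmwprhzcyj.org NXDOMAIN
1404730006 10.0.5.23 vqjyxnrbhklm.com NXDOMAIN
1404730007 10.0.5.23 omcgphxrlydt.info NXDOMAIN
1404730008 10.0.5.23 bkzwhmqzfdyf.com NOERROR
1404730010 10.0.7.40 www.example.com NOERROR
1404730012 10.0.7.40 typo.exampel.com NXDOMAIN
"""
INTEL_DOMAINS = {"bkzwhmqzfdyf.com"}  # constructed excerpt of a takedown intel list
SINKHOLE_IP = "10.255.255.1"  # assumed sinkhole address configured on the firewall
# Constructed firewall session log, "epoch src dst dport app".
SESSION_LOG = """\
1404730020 10.0.5.23 10.255.255.1 80 web-browsing
1404730100 10.0.5.23 203.0.113.9 7777 unknown-tcp
1404730400 10.0.5.23 203.0.113.9 7777 unknown-tcp
1404730700 10.0.5.23 203.0.113.9 7777 unknown-tcp
1404731000 10.0.5.23 203.0.113.9 7777 unknown-tcp
1404730050 10.0.7.40 198.51.100.7 5000 unknown-udp
1404730090 10.0.7.40 198.51.100.7 5000 unknown-udp
1404730700 10.0.7.40 198.51.100.7 5000 unknown-udp
1404732000 10.0.7.40 198.51.100.7 5000 unknown-udp
"""

def sld(qname):
    """Second-level domain: 'a.b.example.com' -> 'example.com'."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits per character; DGA labels are near-random."""
    probs = [label.count(ch) / len(label) for ch in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def looks_generated(qname):
    """Heuristic DGA test on the second-level label: long, high entropy, few vowels."""
    label = sld(qname).split(".")[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= 10 and label_entropy(label) >= 3.0
            and vowels / len(label) < 0.3)

def triage_dns(dns_log, intel, min_hits=5, nx_ratio=0.5):
    """Return {client: findings} for clients that should be investigated."""
    stats = {}
    for line in dns_log.splitlines():
        _, client, qname, rcode = line.split()
        s = stats.setdefault(client, {"queries": 0, "nxdomain": 0,
                                      "dga_like": set(), "intel_hits": set()})
        s["queries"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        if looks_generated(qname):
            s["dga_like"].add(sld(qname))
        if sld(qname) in intel:
            s["intel_hits"].add(sld(qname))
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["intel_hits"]:
            reasons.append("intel")  # known-bad domain from the takedown list
        if s["nxdomain"] >= min_hits and s["nxdomain"] / s["queries"] >= nx_ratio:
            reasons.append("nxdomain-burst")  # DGA probing unregistered domains
        if len(s["dga_like"]) >= min_hits:
            reasons.append("dga-names")  # catches variants missing from the list
        if reasons:
            flagged[client] = {"reasons": reasons, "nxdomain": s["nxdomain"],
                               "dga_like": sorted(s["dga_like"]), "intel_hits": sorted(s["intel_hits"])}
    return flagged

def triage_sessions(session_log, sinkhole_ip, min_sessions=4, max_cv=0.2):
    """Sinkhole hits name the infected client directly (the firewall sees the client,
    not the resolver); evenly spaced unknown-tcp/udp sessions to one destination
    (low coefficient of variation of the interval) look like a C2 beacon."""
    sinkhole_hosts, flows = set(), defaultdict(list)
    for line in session_log.splitlines():
        ts, src, dst, dport, app = line.split()
        if dst == sinkhole_ip:
            sinkhole_hosts.add(src)
        if app in ("unknown-tcp", "unknown-udp"):
            flows[(src, dst, int(dport), app)].append(int(ts))
    beacons = []
    for (src, dst, dport, app), times in flows.items():
        if len(times) < min_sessions:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "dport": dport, "app": app,
                            "period_s": round(mean), "cv": round(cv, 3)})
    return sorted(sinkhole_hosts), beacons

if __name__ == "__main__":
    print(triage_dns(DNS_LOG, INTEL_DOMAINS), triage_sessions(SESSION_LOG, SINKHOLE_IP))
```

Two things worth noticing in the output: the one generated domain that resolved (NOERROR, and on the intel list) is the live command and control domain for that day, so it is the one to block and to pivot on, while the unresolved ones only identify the victim; and the 10.0.7.40 unknown-udp flow is not reported because its intervals are irregular, which is exactly the failure mode a fixed-period check is meant to exclude. The entropy and vowel thresholds are illustrative; real DGA families differ, so tune them against your own resolver logs rather than taking these values as given.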