National Crime Agency issues warning over GOZeuS and CryptoLocker malware

P2P network that controls banking Trojan taken down in action led by FBI

The National Crime Agency (NCA) has issued an unprecedented warning over GOZeuS and CryptoLocker PC malware.

"Action taken by the NCA to combat the threat will give the UK public a unique, two-week opportunity to rid and safeguard themselves from two distinct but associated forms of malware known as GOZeuS and CryptoLocker," warned the NCA in a statement.

GOZeuS - short for Gameover Zeus - is a peer-to-peer variant of the Zeus family of malware, first identified in September 2011. It is designed to steal bank log-in credentials by searching a compromised PC for files containing financial information. If it fails to find anything of value, it may then install CryptoLocker - "ransomware" that encrypts the PC's hard-disk drive and only provides the decryption key after a fee is paid.

GOZeuS uses a decentralised infrastructure, which makes it more difficult to take down than a typical botnet, according to an advisory from the US Computer Emergency Readiness Team (US-CERT).

Very often, if GOZeuS is thwarted, its controllers use their access to the PC to install CryptoLocker instead. This encrypts the contents of the PC's hard-disk drive and demands a ransom from the user to decrypt it.

The use of a peer-to-peer network to control GOZeuS makes it particularly difficult to break up the command-and-control infrastructure. "These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of GOZ's P2P infrastructure makes takedown efforts more difficult," claims US-CERT.

The NCA claims that concerted action alongside the FBI has enabled law enforcement agencies to take down a 'botnet' that ultimately controls the malware. This has provided a window of opportunity for PC users to make sure that they are uninfected and to improve their protection.

GOZeuS - also known as P2PZeuS - is believed to have been responsible for the fraudulent transfer of hundreds of millions of pounds. The NCA estimates that more than 15,500 computers in the UK are currently infected with GOZeuS.

"By disrupting the system used by the infected computers to communicate with each other, and the criminals controlling them, this activity aims to significantly reduce the malware's effectiveness," claimed the NCA.

More than 15,000 machines in the UK alone are believed to have been infected by the malware and internet service providers (ISPs) have been persuaded to contact customers known to have been affected - by either letter or email. The first notices were sent out on Monday.

A number of technology and security software companies claim to have helped the NCA and FBI in their action against GOZeuS, including McAfee, Microsoft and Symantec. Symantec has made available a removal tool for anyone whose anti-virus software identifies GOZeuS.