Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

DNS Sinkhole campaign underway for CryptoLocker


  • Please log in to reply
15 replies to this topic

#1 Grinler

Grinler

    Bleep Bleep!


  • Admin
  • 40,095 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:44 PM

Posted 24 October 2013 - 03:10 PM

A DNS sinkhole campaign is underway and in high gear to block computers infected with CryptoLocker from reaching the malware's Command & Control servers. A DNS sinkhole is a method used by security researchers to monitor Botnets and to block communication between an infected computer and its Command & Control server. This method is now being used against CryptoLocker, a file encrypting ransomware that requires a $300 USD ransom from victims in order to get their files back. We have been monitoring and helping CryptoLocker victims since its release in early September. This infection has been devastating for its victims.

For quite a while, we have noticed that an unknown organization has started redirecting, or sinkholing, CryptoLocker domains to sinkdns.org hostnames. When CryptoLocker attempts to communicate with certain domains it will instead be sent to a server hosted in the sinkdns.org domain. The connection will also contain the http headers Server: You got served! and X-Sinkhole: malware cryptolocker sinkhole. By sinkholing the domains, communication between an infected computer and the malware's Command & Control server is not able to take place. If CryptoLocker is unable to communicate with a C&C server and receive a public key used to encrypt files, it will endlessly loop till it can. By breaking this communication, security researchers aim to halt CryptoLocker before it further encrypts other infected computer's files.
 

sinkhole.jpg


Unfortunately, this sinkhole is not completely successful at this time. Tests have shown that CryptoLocker will eventually find a non-sinkholed hostname that is part of its Domain Generation Algorithm and begin encrypting the files. Furthermore, in order for a person to pay the ransom and decrypt their files they will need to be able to reach one of infection's C&C servers. If all its domains become blocked, then affected users will no longer be able to pay the ransom if they wish to do so. As you can see this is a double-edged sword.

At this time no organization has taken credit for the sinkhole campaign. If anyone has any information on the sinkdns.org domain, please let us know here. For more information about CryptoLocker, please see this guide: CryptoLocker Ransomware Information Guide and FAQ.

BC AdBot (Login to Remove)

 


#2 Allen

Allen

  • Members
  • 289 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:08:44 PM

Posted 24 October 2013 - 03:24 PM

This is rather startling.



Hey everyone I'm Allen I am a young web developer/designer/programmer I also help people with computer issues including hardware problems, malware/viruses infections, and software conflicts. I am a kind and easy to get along with person so if you need help feel free to ask.

 

#3 Netghost56

Netghost56

  • Members
  • 843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:06:44 PM

Posted 24 October 2013 - 03:39 PM

And if you're already infected/encrypted, and if you've already paid and are awaiting the private key- you're in trouble.

 

Maybe the feds have taken action here?



#4 helping hands

helping hands

  • Members
  • 28 posts
  • OFFLINE
  •  
  • Local time:03:44 PM

Posted 24 October 2013 - 03:48 PM

I've made the double edge sword comment already, i am now helping someone who needs the ransom to go through, so I'm forced into

hoping that this won't take place before I get  the decryption packets....

I just hope and pray that everyone gets the best they can out of this, and at a minimum, a great education.



#5 shadowsbane

shadowsbane

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 24 October 2013 - 04:29 PM

OK, I understand the concept of a DNS sinkhole, but how does one actually accomplish such a feat?  It would seem to me that it would have to involve participation from an ISP or other high-level body.  I couldn't just start a DNS server in my spare bedroom and expect it to work.



#6 Netghost56

Netghost56

  • Members
  • 843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Texas
  • Local time:06:44 PM

Posted 24 October 2013 - 04:35 PM

That's why I suspect feds....or a rival hack group that wants to supercede their version of cryptolocker over the original.

 

Grinler, how did you learn of this? I mean, how did you determine that the domains are being redirected?



#7 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,095 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:44 PM

Posted 24 October 2013 - 08:30 PM

That's why I suspect feds....or a rival hack group that wants to supercede their version of cryptolocker over the original.

If I could hazard a guess, its probably security firm.


Grinler, how did you learn of this? I mean, how did you determine that the domains are being redirected?


Use a sniffer while starting the cryptolocker executable. You will start to see many attempts to connect to a DGA domain and get redirect to the sinkhole.

#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:11:44 PM

Posted 25 October 2013 - 05:49 AM

If it cannot contact the Command and Control, then how does it start to encrypt the files?

#9 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,095 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:44 PM

Posted 25 October 2013 - 07:01 AM

It doesn't as explained in the first post.

#10 JohnWHS

JohnWHS

  • Members
  • 34 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:44 PM

Posted 25 October 2013 - 03:17 PM

The company I work for was hit yesterday...we now have almost 130,000 encrypted files, most are on a mapped network drive.  AVG remotely removed the CryptoLocker exe and its related HKLM keys from the infected client machine/registry yesterday PM (Oct 24, 2013) but left the HKCU key containing the list of encrypted files.  We are giving consideration to paying for the decryption tool but the URL provided via the Cryptolocker wallpaper minus the .exe specification does not work.

Is this because of the DNS sinkhole campaign mentioned in this thread?  We welcome any/all assistance in resolving this issue


Edited by JohnWHS, 25 October 2013 - 03:20 PM.


#11 Capt.Michaels

Capt.Michaels

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:44 PM

Posted 30 October 2013 - 10:04 AM

To JohnWHS
Currently, our last encounter with this was done in three ways. 1.) First, we eliminated the threat. 2.) Secondly, we did not foolishly pay the money. We used our backups the day before the infection started. We had to restore virtual servers and files, but this COMPLETELY elminited the problem. 3.) Thirdly, we profusely beat the end user for doing this. No j/k, we had to educate the users to please be very clear not to click on anything just, because it "looks" something for you. Pffft, and you know that battle will end. Hence, the profuse beatings :o)



#12 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,095 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:44 PM

Posted 30 October 2013 - 10:38 AM

Looks like I was right and wrong about this. It turns out it was Kaspersky and ThreatTrack labs who sinkholed the domains:

 

http://www.securelist.com/en/blog/208214109/Cryptolocker_Wants_Your_Money

 

It seems they are only doing it for monitoring at this point though.  As the infection generates 1000 new domains a day, sinkholing is not going to be realistic.



#13 LilBambi

LilBambi

  • Members
  • 126 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:44 PM

Posted 30 October 2013 - 02:40 PM

Wow, 1,000 domains a day...depressing!

 

Hey Grinler/Lawrence! Thank you so much for the CryptoLocker Guide/FAQ! I have posted about this piece of crapware and your Guide/FAQ on one of my blogs here.

 

Have to rethink how we back up too if all drive letters on the computer, including backup drives are available to this piece of ransomeware, eh?


Bambi
AKA Fran
My Public Key for Email :: BambisMusings Blog
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)


#14 Grinler

Grinler

    Bleep Bleep!

  • Topic Starter

  • Admin
  • 40,095 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:44 PM

Posted 30 October 2013 - 03:20 PM

Thanks Fran. Yup, this type of ransomware is a big wake up call.

#15 LilBambi

LilBambi

  • Members
  • 126 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:07:44 PM

Posted 30 October 2013 - 03:40 PM

For sure!

 

Having to rethink how folks do things. And sadly, it is much less convenient and they are not happy about it.


Bambi
AKA Fran
My Public Key for Email :: BambisMusings Blog
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users