For quite a while, we have noticed that an unknown organization has started redirecting, or sinkholing, CryptoLocker domains to sinkdns.org hostnames. When CryptoLocker attempts to communicate with certain domains, it will instead be sent to a server hosted in the sinkdns.org domain. The response will also contain the HTTP headers "Server: You got served!" and "X-Sinkhole: malware cryptolocker sinkhole". By sinkholing the domains, communication between an infected computer and the malware's Command & Control server is not able to take place. If CryptoLocker is unable to communicate with a C&C server and receive the public key used to encrypt files, it will loop endlessly until it can. By breaking this communication, security researchers aim to halt CryptoLocker before it encrypts files on further infected computers.
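Those sinkhole responses are also a useful detection signal for defenders: any internal machine whose web traffic is answered by a sinkdns.org host with the X-Sinkhole header is almost certainly infected. The following is an added example (not code from the original post) that scans constructed proxy-log lines for the sinkhole hostname and headers described above and reports the affected clients; the log format and addresses are assumptions for illustration.

```python
# Added example: flag internal clients whose HTTP responses carry the
# CryptoLocker sinkhole signature (sinkdns.org host, X-Sinkhole header).
# The log format and all sample entries below are constructed for illustration.
from collections import defaultdict

SINKHOLE_DOMAIN = "sinkdns.org"
SINKHOLE_HEADERS = {
    "server": "you got served!",
    "x-sinkhole": "malware cryptolocker sinkhole",
}

# Constructed proxy-log lines: client IP, contacted host, then the response
# headers as "Name: value" pairs separated by " | ".
SAMPLE_LOG = """\
10.0.0.15 example-c2-host.sinkdns.org Server: You got served! | X-Sinkhole: malware cryptolocker sinkhole
10.0.0.22 www.example.com Server: nginx | Content-Type: text/html
10.0.0.15 another-host.sinkdns.org Server: You got served! | X-Sinkhole: malware cryptolocker sinkhole
10.0.0.31 cdn.example.net Server: You got served!
"""

def parse_line(line):
    """Split one constructed log line into (client, host, {header: value})."""
    client, host, rest = line.split(" ", 2)
    headers = {}
    for part in rest.split(" | "):
        name, _, value = part.partition(":")
        headers[name.strip().lower()] = value.strip().lower()
    return client, host, headers

def sinkhole_indicators(host, headers):
    """Return the sinkhole indicators present in a single response."""
    found = []
    if host == SINKHOLE_DOMAIN or host.endswith("." + SINKHOLE_DOMAIN):
        found.append("host in sinkdns.org")
    for name, value in SINKHOLE_HEADERS.items():
        if headers.get(name) == value:
            found.append(f"header {name}")
    return found

def infected_clients(log_text):
    """Map each client to the distinct indicators seen. A response is only
    counted when the sinkdns.org host or X-Sinkhole header is present;
    the Server banner alone is too weak to act on by itself."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, headers = parse_line(line)
        inds = sinkhole_indicators(host, headers)
        if any(i != "header server" for i in inds):
            hits[client].update(inds)
    return {client: sorted(inds) for client, inds in hits.items()}
```

Hosts that show up in the result should be isolated and triaged as CryptoLocker infections rather than treated as blocked traffic, since the sinkhole only delays encryption.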
Unfortunately, this sinkhole is not completely successful at this time. Tests have shown that CryptoLocker will eventually find a non-sinkholed hostname generated by its Domain Generation Algorithm and begin encrypting the files. Furthermore, in order for a person to pay the ransom and decrypt their files, they will need to be able to reach one of the infection's C&C servers. If all of its domains become blocked, then affected users will no longer be able to pay the ransom if they wish to do so. As you can see, this is a double-edged sword.
At this time no organization has taken credit for the sinkhole campaign. If anyone has any information on the sinkdns.org domain, please let us know here. For more information about CryptoLocker, please see this guide: CryptoLocker Ransomware Information Guide and FAQ.