
Cryptolocker - why not block the C&C?


1 reply to this topic

#1 medconn


Posted 17 November 2013 - 10:57 AM

I know that CryptoLocker uses "randomly generated" DNS names to talk to its C&C machine, but surely it shouldn't be too difficult to reverse engineer the code, copy that list and block them at the DNS level. I realise that IP level blocks wouldn't work, as the developers would simply "poison" the DNS with otherwise important IP addresses, making the collateral damage from that approach too much, but the DNS level looks feasible - what am I missing?


Edited by medconn, 17 November 2013 - 10:58 AM.
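As an added example (not code from this thread, and not CryptoLocker's own domain-generation routine), the following Python script shows the defender side of the idea in the question: flag DNS queries whose second-level label looks machine-generated (long, high character entropy, few vowels) and emit a BIND Response Policy Zone that answers NXDOMAIN for those names. The log lines and the two generated-looking domains are constructed, and the thresholds are assumptions chosen for illustration, not tuned against the real malware.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines; the two long, vowel-free names are made-up
# stand-ins for DGA output, not real CryptoLocker domains.
SAMPLE_LOG = """\
17-Nov-2013 10:57:01 client 10.0.0.12#51234: query: www.bleepingcomputer.com IN A
17-Nov-2013 10:57:03 client 10.0.0.12#51235: query: qxwvkjhptrznb.biz IN A
17-Nov-2013 10:57:05 client 10.0.0.12#51236: query: www.example.com IN A
17-Nov-2013 10:57:07 client 10.0.0.20#51237: query: mbtyvjkqzdhswn.ru IN A
17-Nov-2013 10:57:09 client 10.0.0.20#51238: query: ns1.example.net IN A
"""
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN")
VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits per character; random-looking labels score higher than real words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_label(domain):
    """Second-level label (naive: a public-suffix list is needed for co.uk etc.)."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain, min_len=10, min_entropy=3.0, max_vowel_ratio=0.25):
    """Heuristic (thresholds assumed): long, high-entropy, vowel-poor labels."""
    label = registered_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def flag_queries(log_text):
    """Return (client, domain) pairs whose queried name looks generated."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and looks_generated(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

def rpz_zone(domains):
    """BIND Response Policy Zone answering NXDOMAIN (CNAME .) for each name."""
    header = ["$TTL 300", "@ IN SOA localhost. root.localhost. (1 3600 900 604800 300)",
              "@ IN NS localhost."]
    records = [f"{d.rstrip('.')} CNAME ." for d in sorted(set(domains))]
    return "\n".join(header + records) + "\n"
```

Feeding `rpz_zone(d for _, d in flag_queries(SAMPLE_LOG))` into a resolver's RPZ configuration blocks the flagged names; the client addresses in the hits are the hosts worth examining for infection.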




#2 noknojon


Posted 17 November 2013 - 03:36 PM

Hi medconn -

The Encryption is started after a "minor infection" is inserted on the system.

Once it is infected, the Encryption has already taken place, and their server that infected that computer may not be the one to supply the Decryption codes back to you.

 

I have reverse traced 2 linked IP addresses given so far, and these hopped over many links back as far as I could trace them, till they were lost somewhere out the back of Russia -

It went Russia > Scandinavia (may be Holland) > France > Britain > USA East coast > USA mid states > USA West coast - From there it may have hopped again, but I lost both ends of the trace after that.

This is just one reason why they are almost unable to be tracked from a single point .....

 

A long description, but these crooks have done their homework prior to the release of any Encryption.

 

The infection carrier is "nothing", it is the Encryption phase that causes the problem.

 

Thank You -





