NCA action on GameOver Zeus and Cryptolocker
As you may be aware, the FBI and the NCA are coordinating a 'global day of action' against the GameOver Zeus (also known as Zeus-P2P) and Cryptolocker families of malware. Law enforcement and industry partners will be collaborating to disrupt the infrastructure vital to the operation of these two families and to raise public awareness of the threats.
As part of this effort the Janet resolver service is directing domains generated by these two botnets to a sinkhole service run by one of our long-term partners, Shadowserver. This gives systems using the resolver service some measure of protection, since the malware can no longer reach its command-and-control infrastructure through those names, and allows us to report infected machines to you as part of our normal processes.
The domains are generated by an algorithm and appear as 13- or 14-character pseudorandom strings registered under the .ru TLD, so the risk of a collision with legitimate name resolution is minimal. If you do nonetheless notice any resolution issues, please contact us as soon as possible.
Many of you do not use the Janet resolver service. If you wish to have a similar level of protection you will need to block or redirect these domains within your own DNS resolvers; please contact us for the list of domains to be blocked. Advice on how to block lists of domains is available at:
Please remember that if you sinkhole or block these domains, infected systems remain infected: blocking only cuts off the malware's communication. It is important that you also monitor the blocked or redirected DNS requests, since each one points at an infected client, and respond to them appropriately. Note that if queries reach your resolver through an internal forwarding resolver you will see that forwarder's address rather than the infected host's, and will need to trace the query back in the forwarder's own logs. If required, Janet CSIRT can do this monitoring for you; please let us know.
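Added example, not Janet CSIRT's own tooling and not the advice at the link above: a small Python script that turns a domain list into either BIND response-policy zone (RPZ) records or Unbound local-zone directives pointing at a sinkhole you control, sanity-checks each entry against the 13/14-character .ru shape described above before it is loaded, and scans BIND query-log lines for clients that looked the names up. The domain list, the sinkhole address (192.0.2.1, an RFC 5737 documentation address) and the log lines are constructed placeholders, not the real list or real logs.

```python
"""Block-list helpers for the GameOver Zeus / Cryptolocker DGA domains.

Added example, not Janet CSIRT tooling. SAMPLE_DOMAINS, SINKHOLE_IP and
SAMPLE_LOG are constructed placeholders, not the real list or real logs.
"""
import re
from collections import defaultdict

# Constructed stand-ins for the real list: 13/14-character labels under .ru.
SAMPLE_DOMAINS = ["abcdefghijklm.ru", "nopqrstuvwxyza.ru", "qwertyuiopasd.ru"]

# Assumption: a sinkhole address you run and log on (documentation address
# used as a placeholder; the advisory gives no sinkhole address).
SINKHOLE_IP = "192.0.2.1"

DGA_SHAPE_RE = re.compile(r"^[a-z0-9]{13,14}\.ru$")


def normalise(domain):
    """Lower-case, strip whitespace and any trailing dot."""
    return domain.strip().rstrip(".").lower()


def matches_described_shape(domain):
    """Check a list entry before loading it into a resolver: the advisory
    describes 13- or 14-character names under .ru, so anything else is
    probably a copy error and should be reviewed by hand."""
    return DGA_SHAPE_RE.match(normalise(domain)) is not None


def rpz_zone(domains, sinkhole_ip):
    """Render a BIND RPZ zone answering each name, and any label beneath it,
    with sinkhole_ip. Load with `response-policy { zone "rpz.local"; };`."""
    lines = [
        "$TTL 300",
        "@ IN SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for d in map(normalise, domains):
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


def unbound_config(domains, sinkhole_ip):
    """Equivalent Unbound directives: a redirect local-zone covers the name
    and every subdomain, local-data supplies the sinkhole answer."""
    out = []
    for d in map(normalise, domains):
        out.append(f'local-zone: "{d}." redirect')
        out.append(f'local-data: "{d}. A {sinkhole_ip}"')
    return "\n".join(out) + "\n"


# BIND query-log line, older and newer layouts:
#   client 10.1.2.3#51234: query: example.ru IN A + (10.0.0.53)
#   client @0x7f1c 10.1.2.3#51234 (example.ru): query: example.ru IN A +E(0)K (10.0.0.53)
QUERY_RE = re.compile(
    r"client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+(?: \([^)]*\))?: query: (\S+) IN (\S+)"
)


def infected_hosts(log_lines, domains):
    """Map each client address to the sorted blocked names it queried.
    Caveat: a query arriving via an internal forwarding resolver shows that
    forwarder's address; the real client must be traced in its logs."""
    blocked = {normalise(d) for d in domains}
    hits = defaultdict(set)
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        client, qname = m.group(1), normalise(m.group(2))
        if any(qname == d or qname.endswith("." + d) for d in blocked):
            hits[client].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


# Constructed sample query log: two hosts hit list entries, the others do not.
SAMPLE_LOG = [
    "01-Jun-2014 10:00:01.001 client 10.1.2.3#51234: query: abcdefghijklm.ru IN A + (10.0.0.53)",
    "01-Jun-2014 10:00:02.002 client 10.1.2.3#51235: query: www.example.ac.uk IN A + (10.0.0.53)",
    "01-Jun-2014 10:00:03.003 client 10.9.8.7#40000: query: NOPQRSTUVWXYZA.ru. IN A + (10.0.0.53)",
    "01-Jun-2014 10:00:04.004 client @0x7f1c 10.9.8.7#40001 (qwertyuiopasd.ru): query: qwertyuiopasd.ru IN A +E(0)K (10.0.0.53)",
    "01-Jun-2014 10:00:05.005 client 10.4.4.4#33333: query: mail.example.ac.uk IN MX + (10.0.0.53)",
]

if __name__ == "__main__":
    print("entries not matching the described shape:",
          [d for d in SAMPLE_DOMAINS if not matches_described_shape(d)])
    print(rpz_zone(SAMPLE_DOMAINS, SINKHOLE_IP))
    print(unbound_config(SAMPLE_DOMAINS, SINKHOLE_IP))
    for ip, names in sorted(infected_hosts(SAMPLE_LOG, SAMPLE_DOMAINS).items()):
        print(f"{ip} queried {', '.join(names)}")
```

Run the shape check over the real list before deploying it, point the sinkhole address at a host whose web and DNS logs you actually review, and feed your resolver's query log to infected_hosts on a schedule so that each reported client can be isolated and cleaned rather than left silently blocked.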
As always, if you have any questions or concerns please do not hesitate to contact us. We will continue to publish updates on the situation via this mailing list, community.ja.net and Twitter.