Group administrators:
NCA action on GameOver Zeus and Cryptolocker
As you may now be aware, the FBI and NCA are coordinating a 'global day of action' against the Zeus-P2P (GameOver Zeus) and Cryptolocker families of malware. Law enforcement and industry partners will be collaborating to interrupt infrastructure vital to the malware's operation and to raise public awareness of these threats.
As part of this effort the Janet resolver service is directing domains generated by these two botnets to a sinkhole service run by one of our long-term partners, Shadowserver. This will provide some measure of protection to systems using the service and allow us to report on infected machines as part of our normal processes.
The domains are generated by an algorithm and have the appearance of a 13- or 14-character pseudorandom string registered under the .ru TLD, so there is minimal risk of the sinkholing colliding with normal name resolution. Regardless, if you do notice any issues please contact us as soon as possible.
Many of you will not use the resolver service; if you wish to have a similar level of protection then you will need to take action yourselves to block these domains within your own DNS resolvers. Please contact us for the list of domains to be blocked. Advice on how to block lists of domains is available at:
https://community.ja.net/library/janet-services-documentation/how-block-or-sinkhole-domains-bind
Please remember that if you sinkhole or block these domains, infected systems will remain infected: blocking only stops them reaching the botnet. It is important that you also monitor the blocked or redirected DNS requests, since each one identifies an infected host, and then respond to them appropriately. If required, Janet CSIRT can do this for you. Please let us know.
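The monitoring step above is where the value of blocking comes from: the resolver's log of queries for the blocked names is your list of infected hosts. The following script, added here as an illustration and not Janet CSIRT's or Shadowserver's own tooling, reads a CSIRT-style blocklist and BIND 9 query-log lines and reports which client IPs queried listed domains, with hit counts and first/last seen times. The blocklist entries and log lines are constructed placeholders (the real domains come from CSIRT), and the log layout assumed is BIND 9's default query-log format, including the optional "@0x..." client handle newer versions emit.

```python
"""Identify hosts querying sinkholed domains from BIND 9 query logs.

Added example, not Janet CSIRT's own tooling. It assumes the default
BIND 9 query-log line layout (timestamp, "client [@0x...] IP#port (qname):
query: qname class type ..."); the blocklist and log lines below are
constructed placeholders, not the real botnet domains.
"""
import re
from datetime import datetime

# Constructed placeholder blocklist shaped like the advisory's description
# (13-14 character pseudorandom labels under .ru). These names are invented
# for the example; obtain the real list from Janet CSIRT.
BLOCKLIST_TEXT = """\
# one domain per line; blank lines and # comments are ignored
qwpxkmzdhtrlv.ru
bnvtrqpasdkwxz.ru
Hgzmkwlrtyqpbv.RU.
"""

# Constructed sample query-log lines: two internal hosts query blocked names,
# a third only performs legitimate lookups.
QUERY_LOG_TEXT = """\
03-Jun-2014 10:15:01.123 client 10.20.30.40#51324 (qwpxkmzdhtrlv.ru): query: qwpxkmzdhtrlv.ru IN A + (10.0.0.53)
03-Jun-2014 10:15:07.456 client @0x7f3a1c0012d0 10.20.30.40#51325 (www.ja.net): query: www.ja.net IN A +E (10.0.0.53)
03-Jun-2014 10:16:42.001 client 10.20.31.9#40001 (BNVTRQPASDKWXZ.ru): query: BNVTRQPASDKWXZ.ru IN A + (10.0.0.53)
03-Jun-2014 11:02:19.870 client 10.20.30.40#51399 (hgzmkwlrtyqpbv.ru): query: hgzmkwlrtyqpbv.ru IN A + (10.0.0.53)
03-Jun-2014 11:03:00.000 client 10.20.32.77#33012 (mail.example.ac.uk): query: mail.example.ac.uk IN MX + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): query: \S+ (?P<qclass>\S+) (?P<qtype>\S+)"
)


def normalise(name):
    """Lower-case and strip the trailing dot, so 0x20 case randomisation and
    absolute-name formatting do not defeat the match."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse the CSIRT-supplied list into a set of normalised domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalise(line))
    return domains


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), normalise(m.group("qname")), m.group("qtype")


def is_blocked(qname, blocklist):
    """True if qname is a listed domain or a subdomain of one (an RPZ QNAME
    rule with a wildcard entry rewrites both)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def report(log_text, blocklist):
    """Aggregate hits per client IP: count, first/last seen, names queried.
    Every IP returned is a host to investigate and clean, not merely one
    whose traffic has been blocked."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _qtype = parsed
        if not is_blocked(qname, blocklist):
            continue
        entry = hits.setdefault(ip, {"count": 0, "first": ts, "last": ts, "domains": set()})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["domains"].add(qname)
    return hits


if __name__ == "__main__":
    for ip, e in sorted(report(QUERY_LOG_TEXT, load_blocklist(BLOCKLIST_TEXT)).items()):
        print(f"{ip}: {e['count']} hits, {e['first']} .. {e['last']}, {sorted(e['domains'])}")
```

Run it against your own resolver's query log and the list CSIRT supplies; the per-IP output is what you would pass to whoever owns the host. If the client IP is a NAT gateway or a forwarding resolver, the IP identifies only the site, and you will need that device's own logs to find the actual infected machine.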
As always, if you have any questions or concerns please do not hesitate to contact us. We will continue to publish updates on the situation via this mailing list, community.ja.net and Twitter.
More coverage of this event is available in the NCA's press release. Brian Krebs has written an informative post on these actions.
Comments
Hi,
Do you have the list of domains by any chance?
Regards
Prasad
Janet customers can obtain the list of domains by contacting CSIRT at irt@csirt.ja.net or phoning 0300 999 2340.
Thanks James,
I was also interested and did not know where to go to get the list.
Kind regards,
Marta de Souza
Hi,
Please log a call with Support and they should be able to provide you with the details.
Regards
Prasad
Hi,
Thanks for the information.
Managed to get the list from Support.
Regards
Prasad
Thanks