Blog Manager
We are the Computer Security and Incident Response Team (CSIRT) for the Janet network. Part of Jisc's Security Operations Centre, our mission is to safeguard the current and future network security of Janet (steering the security policies for all Janet connections) and of our customers, creating a secure environment in which to conduct your online activities. Our primary function is to monitor and resolve any security incidents that occur on the Janet network, with specialists tracking a range of platforms, including Unix, Linux and Windows.

NCA action on GameOver Zeus and Cryptolocker

Monday, June 2, 2014 - 16:39

As you may now be aware, the FBI and NCA are coordinating a 'global day of action' against the Zeus-P2P (GameOver Zeus) and Cryptolocker families of malware. Law enforcement and industry partners are collaborating to interrupt infrastructure vital to the malware's operation and to raise public awareness of these threats.

As part of this effort the Janet resolver service is directing domains generated by these two botnets to a sinkhole service run by one of our long-term partners, Shadowserver. This provides some measure of protection to systems using the service and allows us to report on infected machines as part of our normal processes.

The domains are generated by an algorithm and take the form of a 13- or 14-character pseudorandom string registered under the .ru TLD. As such there is minimal risk of collision with any normal name resolution. Regardless, if you do notice any issues please contact us as soon as possible.

Many of you will not use the resolver service; if you wish to have a similar level of protection, you will need to take action yourselves to block these domains within your own DNS resolvers. Please contact us for the list of domains to be blocked. Advice on how to block lists of domains is available at:

https://community.ja.net/library/janet-services-documentation/how-block-or-sinkhole-domains-windows-server-2008

https://community.ja.net/library/janet-services-documentation/how-block-or-sinkhole-domains-bind

Please remember that if you sinkhole or block these domains, infected systems will remain infected. It is important that you also monitor the blocked or redirected DNS requests and then respond to them appropriately (the source address of each blocked query identifies a machine that needs cleaning). If required, Janet CSIRT can do this for you. Please let us know.
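As an added illustration of the monitoring step above (not part of the original advisory or any Janet tooling), the following script parses BIND-style query-log lines, looks up each queried name against a sinkhole blocklist, and reports which internal clients queried a blocked domain. It goes slightly beyond the list by also flagging names that merely match the shape described above (a single 13- or 14-character label under .ru) as "dga_like" for manual triage. The log lines and the blocklist entries are constructed placeholders; the real list comes from Janet CSIRT.

```python
import re
from collections import defaultdict

# Constructed sample lines in BIND query-log format (not real Janet logs).
SAMPLE_LOG = """\
02-Jun-2014 16:40:01.123 client 10.1.2.3#51234: query: www.example.ac.uk IN A + (10.1.0.1)
02-Jun-2014 16:40:02.456 client 10.1.2.3#51235: query: abcdefghijklmn.ru IN A + (10.1.0.1)
02-Jun-2014 16:40:03.789 client 10.1.9.9#40001: query: qwertyuiopasd.ru IN A + (10.1.0.1)
02-Jun-2014 16:40:04.000 client 10.1.9.9#40002: query: mail.example.ac.uk IN MX + (10.1.0.1)
02-Jun-2014 16:40:05.000 client 10.1.5.5#40003: query: zxcvbnmasdfghj.ru IN A + (10.1.0.1)
"""

# Constructed placeholder blocklist; substitute the list supplied by Janet CSIRT.
BLOCKED_DOMAINS = {"abcdefghijklmn.ru", "qwertyuiopasd.ru"}

LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# Heuristic only: one 13- or 14-character alphanumeric label directly under .ru,
# the shape the advisory describes. Expect some false positives; use for triage.
DGA_RE = re.compile(r"^[a-z0-9]{13,14}\.ru$")


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each query line; skip lines that do not parse."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_suspect_clients(log_text, blocked=BLOCKED_DOMAINS):
    """Map each client IP to the sorted names it queried that were on the blocklist
    ('blocked') or that only matched the DGA shape ('dga_like')."""
    hits = defaultdict(lambda: {"blocked": set(), "dga_like": set()})
    for client, qname, _qtype in parse_queries(log_text):
        if qname in blocked:
            hits[client]["blocked"].add(qname)
        elif DGA_RE.match(qname):
            hits[client]["dga_like"].add(qname)
    return {c: {k: sorted(v) for k, v in d.items()} for c, d in hits.items()}


if __name__ == "__main__":
    # Each client listed here is a candidate for follow-up and cleaning.
    for client, found in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(client, found)
```

Clients that only queried ordinary names never appear in the result, so the output is directly a follow-up list.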

As always, if you have any questions or concerns please do not hesitate to contact us. We will continue to publish updates to the situation via this mailing list, community.ja.net and twitter.

More coverage of this event is available from the NCA's press release. Brian Krebs has written an informative post on these actions.

Comments

Hi,

Do you have the list of domains, by any chance?

Regards

Prasad

Thanks James,

I was also interested and did not know where to go to get the list.

Kind regards,

Marta de Souza 

Hi,

Please log a call with Support and they should be able to provide you with the details.

Regards

Prasad

Hi,

Thanks for the information.

Managed to get the list from Support.

Regards
Prasad