A new report from BitDefender warns that the content delivery network used by CryptoLocker is still up and running, and while it isn't serving the ransomware that made it famous, it's still a vital communications channel for various other threats.
In June, law enforcement targeted GameOver Zeus (GOZ) and disrupted the botnet's primary operations. At the same time, the GOZ takedown also led to law enforcement seizing servers that were central to CryptoLocker's operations, because the malware families shared most of the same backbone.
CryptoLocker was primarily delivered via spam, but a secondary delivery method focused on GOZ. The criminals behind the ransomware offered it to GOZ operators as a pay-per-install module.
However, June's efforts were short-lived, and while the CryptoLocker's services are offline, the core infrastructure used by the malware is still operational.
This poses a problem because existing CryptoLocker victims have no way to recover their files (even if they pay the ransom) because law enforcement shutdown the servers that delivered the keys needed to unlock the victim's files.
At the same time, because the delivery network is functional, criminals are able to use it for the Citadel botnet, Rogue anti-Virus campaigns, as well as other scams. So while CryptoLocker was highly profitable, earning some $27 million during its run, the network that spawned it is alive, and turning a profit despite law enforcement's best efforts.
"At the moment, the fate of CryptoLocker is undetermined. Infected computers all over the world are still trying to call home to pre-determine URL addresses created using the DGA algorithm, but they are unable to resolve the corresponding IP addresses," BitDefender's report speculated.
"However, the GameOver/Zeus family could be back online and we are prepared for an updated CryptoLocker with a new DGA or TOR connectivity to be delivered to the (still) infected computers and to new victims."
BitDefender's speculation may prove to be accurate. Last week, researchers at Malcovery Security detected several spam messages that contained a malicious payload that uses a domain generation algorithm (DGA) similar to GOZ.
"This new DGA list is not related to the original GameOver Zeus but bears a striking resemblance to the DGA utilized by that Trojan. In addition to a new DGA, the malware seems to have traded its Peer to Peer Infrastructure for a new Fast Flux hosted C&C strategy," Malcovery explained.
"This discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history."