Gameover Zeus – What Is It and What Can You Do About It?

What is all the fuss about?

Recently, the FBI, together with authorities in several other countries, took down some of the key computer systems that were used to control infected computers around the globe. Those infections were designed to steal usernames and passwords from the infected computers.

Those key computer systems are no doubt being rapidly replaced somewhere else in the world. As soon as they are up and running again they will resume communications with the infected computers and unleash an attack on as many computers as they can infect, with the aim of stealing yet more usernames and passwords so that these can be used to steal your money!

What could happen to me and my computer?

Not much if you have an Apple Mac computer!  This nasty will only affect Windows-based computers (because the largest proportion of the computers in the world are running Windows).  So we Apple Mac users can sit back with a smug grin on our faces 😀

What will the virus do?

If you are already infected or become infected in the future, the virus will (apparently) initially sit quietly and wait for you to log in to your bank account online, then steal the login credentials (username and password) you use to access your account. Once it knows all the details, these can be used to empty your bank account into the criminals’ bank accounts.

If this first attempt to steal money from you fails (maybe you don’t use online banking, you don’t have a bank account or you don’t have much money in your bank account), or isn’t rewarding enough for the criminals behind this (who knows what constitutes enough money), then the second phase of the attack kicks in: the CryptoLocker virus.

This second phase will encrypt the interesting user data on your computer (spreadsheets, documents, databases, pictures, email files etc.) and then throw up a Ransom Demand screen asking you to pay around $300 in order to obtain the key to decrypt your data.

If you don’t pay the ransom demand within the time indicated on the Ransom Demand screen (showing an ever-reducing count-down clock), then the key that can be used to decrypt your data will be deleted and you won’t be able to recover your data unless you have a backup of your files somewhere (if you use services such as Dropbox or SugarSync or any other service that syncs your files into the Cloud, then this DOESN’T constitute a proper backup).

Could I already be infected and not know it?

Yes – in the UK it is estimated that around 15,000 computers are already infected; worldwide, the figure is thought to be in the millions.

The infected computers will no doubt try to harvest email addresses from the local Windows address book / Outlook contacts and then send out an infected email to those locally harvested addresses.  Those recipients, unless they have their wits about them, may think the email is genuine because it comes from someone they know, so of course they open it, open the attachment, and are infected in turn, and the process starts again.

If you are already infected, then your Internet Service Provider (ISP) may contact you (if the rumours are true) and tell you that you are infected.  IF YOU HEAR FROM YOUR ISP – DO NOT IGNORE THE WARNING!

What can I do about it?

McAfee have kindly produced a tool to scan for and remove the infection from an already infected computer and this can be downloaded here.  There is no harm in downloading the tool right now and checking your machine even if your ISP doesn’t contact you, so why not err on the side of caution and check your computer anyway?  This should make sure you aren’t currently infected.

Once you know you are clean, the best advice is to buy an external hard disk drive or a large capacity memory stick and back up ALL your critical personal data to the disk / memory stick, then unplug the disk / memory stick and keep it somewhere very safe.

If the disk / memory stick is kept connected to your computer, then the data on that will also become encrypted if you subsequently become infected, so keep your backed up data completely isolated from your computer and you should be fine.

Worst case, if you do get infected after you have taken your backup, then the virus can be stopped and you can recover your data from your external disk.

If you don’t back up your data and you do become infected, then there is still a small chance of recovering your files if you have a feature called Shadow Copies enabled on your computer (see the link to the left to find out how to enable them).

If you aren’t already infected, well done.  You should still back up your files and remain ever vigilant when opening new emails that contain attachments or links to sites, even from people you already know.
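The two safety nets the post relies on are an offline backup that is unplugged after use and, failing that, Shadow Copies. The script below is an added example (not from the original post, not a McAfee or Microsoft tool) that checks both from a Windows PowerShell prompt: it lists the Volume Shadow Copies the machine currently holds, and it warns if a USB disk or memory stick is still attached, because a connected backup drive would be encrypted along with everything else. It assumes PowerShell 3 or later on a Windows machine; the drive letters it reports are whatever the machine has.

```powershell
# Added example: report Shadow Copy availability and attached USB storage.
# Run as: .\Check-RansomwareSafetyNets.ps1 (elevation needed to read shadow copies)

function Get-ShadowCopySummary {
    # Win32_ShadowCopy enumerates existing VSS snapshots; "Previous Versions" and
    # System Restore points on client Windows are backed by these.
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    foreach ($s in $shadows) {
        [PSCustomObject]@{
            Volume  = $s.VolumeName
            Created = $s.InstallDate
            Id      = $s.ID
        }
    }
}

function Get-AttachedUsbStorage {
    # Memory sticks usually report DriveType 2 (removable); external USB hard disks
    # usually report DriveType 3 (local), so also look at the physical disk interface.
    $removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType = 2" |
        ForEach-Object { [PSCustomObject]@{ Drive = $_.DeviceID; Kind = 'Removable' } }
    $usbDisks = Get-CimInstance -ClassName Win32_DiskDrive -Filter "InterfaceType = 'USB'" |
        ForEach-Object { [PSCustomObject]@{ Drive = $_.Model; Kind = 'USB disk' } }
    @($removable) + @($usbDisks)
}

$copies = @(Get-ShadowCopySummary)
if ($copies.Count -eq 0) {
    Write-Warning 'No Volume Shadow Copies found: Previous Versions will not help after an infection.'
    # On client Windows, Shadow Copies come from System Protection; this turns it on for C:
    Write-Host 'To enable on a client PC (elevated): Enable-ComputerRestore -Drive "C:\"'
} else {
    Write-Host "Found $($copies.Count) shadow cop(y/ies):"
    $copies | Format-Table -AutoSize
}

$usb = @(Get-AttachedUsbStorage)
if ($usb.Count -gt 0) {
    Write-Warning 'USB storage is attached. If it holds your backup, unplug it once the copy is done:'
    $usb | Format-Table -AutoSize
} else {
    Write-Host 'No USB storage attached: an unplugged backup drive stays out of reach of the virus.'
}
```

A shadow copy on the same disk is only a last resort, as the post says: it is a convenience feature, not a backup, and the unplugged external drive remains the thing to rely on.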

What’s in it for the criminals?

Well – the CryptoLocker virus that reared its head around October last year has supposedly netted the criminals around £60m from its ransom demands, and even some police forces have had to pay the ransom to get their data back, so clearly it’s well worth their while writing the virus and setting it loose into the world, and no one is immune from attack.

If 1% of the supposed million-plus computers that are infected pay the ransom demand, then that’s about $3m in the bank.  Add to that the amount from bank accounts that get emptied, which presumably will have more than $300 in them: if 5% of an infected 1 million computers who have $500 in their account get emptied, then we are talking about $125m in income alone.

You have been warned!

Yet more Bad IT Support Companies!

Following on from my earlier Blog Post about bad IT Support Companies (here) I visited a potential new customer today to look over their IT.  The background information I got from the company was that they had used their existing IT Support Company (a one-man band) for the past 5 years or so and whilst mostly happy with their service, there were some outstanding issues that were being neglected and this was causing some concern to the company.

They had recently installed a ‘server’ and their IT wasn’t running as smoothly as they had anticipated, so wanted to get a 2nd opinion about their setup and my company (IT Eye Ltd) was recommended by a mutual company.

Once I arrived, I had a quick look over their IT and came across 4 PCs and a Netbook.  Asking where the server was, I was directed towards an HP xw6600 Workstation with a label on it suggesting it had come out of a company in New York City (NYC-XXXXXXXXX)!  I then used Remote Desktop to connect to the server and discovered that it was running SBS 2008.  This prompted the question about when the server was purchased and I was told May of 2012.  I then asked how much they had paid for the server and they advised me £2,500.

Okay – so they had a recently installed SBS 2008 server of which Exchange 2007 was now no longer supported by Microsoft because the Mainstream Support had now expired!  That begged the question why SBS 2011 wasn’t installed and to that there wasn’t an answer.  I then looked for a license sticker and couldn’t find one, so that also begged the question if they were actually legal.  This conversation continued to the other workstations and no conclusive evidence was available to suggest that they were even remotely compliant.

Looking at one of the XP workstations I saw that it was running XP pro, so checked to see if it was part of the Domain and saw that it was still configured as a Workgroup.

Data was being shared from the server, so at least the server was being used for something other than a drain on their electricity bill, but data was still being held on the Netbook and the data wasn’t being copied to the server or backed up, so was at risk of being lost.  No evidence of server backup was visible either.

I then asked about emails and found out that they were being hosted externally (1and1) and were being collected via Outlook configured as an SMTP/POP3 account and to allow for shared calendars to be accessed, they had turned to Google Mail.

I then pointed out that their server had Exchange built-in and that they need not pay for mail to be hosted externally or use Google Mail for shared Calendars as they could do everything on their own server.

At this point – I think they had decided that they were not being well looked after by their existing IT Support Company and I left them pondering my findings.  We will wait to hear from them and see how they want to proceed.


Users Connecting To Exchange 2010 (SBS 2011) Using Outlook 2010 Getting Password Prompts Randomly

I had an email from a customer recently who has an SBS 2011 server (with Exchange 2010) running virtually on an HP Proliant ML350 G6 server (which I had installed for them) and they were reporting that a couple of users were getting password prompts at random times.  This wasn’t affecting all users, so I knew it wasn’t a server-side issue, especially because I installed a trusted 3rd party SSL certificate from so asked a few questions and it seemed that this only happened after the machines had been left idle for a while.

My initial thoughts were that there might be some issues with the Network Card having Power Management enabled on it which allowed the PC to turn off power to the NIC to save energy, so I asked my customer to check the NIC settings and sure enough, the Power Management setting to “Allow the computer to turn off this device to save power” was enabled.  After disabling this option, the problem went away and has not returned.

Having had someone ask a similar question on and the solution being the same, I felt it rude not to share this discovery so that others might benefit from this discovery.

To disable this option, click on Start > Run, type ncpa.cpl and press Enter, then right-click on your Wired / Wireless Network Card and choose Properties.

On the Network Card Properties, click on the Configure Button (see image below)

then click on the Power Management Tab (see image below)

and make sure that the “Allow the computer to turn off this device to save power” check box is not ticked.

Once you no longer have the computer turning off the power to the network card, it shouldn’t lose connectivity to the server and thus won’t be prompting you for your credentials when you go to use Outlook again.
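The same checkbox can be read and cleared without the GUI, which is handy when several machines in the office need checking. The script below is an added example, not from the original post: it uses the MSPower_DeviceEnable WMI class (namespace root\wmi), whose Enable property is exactly the “Allow the computer to turn off this device to save power” setting, and matches each entry to a physical adapter by PnP device ID. It assumes an elevated Windows PowerShell prompt on Windows 7 / Server 2008 R2 or later; the adapter names it prints are whatever the machine reports. By default it only reports; pass -Apply to clear the setting.

```powershell
# Added example: report (and optionally clear) NIC power-management on physical adapters.
# Usage:  .\Set-NicPowerManagement.ps1          # report only
#         .\Set-NicPowerManagement.ps1 -Apply   # clear the checkbox on every physical NIC
param([switch]$Apply)

function Get-NicPowerSetting {
    # Physical adapters only (skips virtual/loopback/WAN miniport entries)
    $nics = Get-WmiObject -Class Win32_NetworkAdapter -Filter "PhysicalAdapter = TRUE" |
        Where-Object { $_.PNPDeviceID }
    # One MSPower_DeviceEnable instance per device; InstanceName is the PnP ID plus "_0"
    $power = Get-WmiObject -Namespace root\wmi -Class MSPower_DeviceEnable -ErrorAction Stop
    foreach ($nic in $nics) {
        $setting = $power | Where-Object { $_.InstanceName -like "$($nic.PNPDeviceID)*" } |
            Select-Object -First 1
        if ($setting) {
            [PSCustomObject]@{
                Name            = $nic.NetConnectionID
                Description     = $nic.Name
                AllowPowerOff   = [bool]$setting.Enable   # $true = checkbox ticked
                Setting         = $setting                # kept so we can write it back
            }
        }
    }
}

$entries = @(Get-NicPowerSetting)
if ($entries.Count -eq 0) { Write-Warning 'No physical adapters with power settings found.'; return }

foreach ($e in $entries) {
    if (-not $e.AllowPowerOff) {
        Write-Host "$($e.Name): power-off already disabled ($($e.Description))"
        continue
    }
    if ($Apply) {
        # Clearing Enable is the same as unticking the box on the Power Management tab
        $e.Setting.Enable = $false
        $e.Setting.Put() | Out-Null
        Write-Host "$($e.Name): power-off DISABLED ($($e.Description))"
    } else {
        Write-Warning "$($e.Name): Windows may still turn this adapter off to save power ($($e.Description)). Re-run with -Apply to fix."
    }
}
```

On Windows 8 / Server 2012 and later the same result is available through the NetAdapter module (Get-NetAdapterPowerManagement and Disable-NetAdapterPowerManagement), but the WMI route above also works on the Windows 7 machines that were running Outlook 2010 at the time.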