Gameover Zeus – What Is It and What Can You Do About It?

What is all the fuss about?

Recently the FBI, together with authorities in several other countries, took down key computer systems that were being used to control computers around the globe infected with Gameover Zeus, a piece of malware designed to steal the usernames and passwords typed on those computers.

The criminals will no doubt try to rebuild that control infrastructure somewhere else in the world, and Gameover Zeus was built to survive exactly this: the infected computers talk to each other peer-to-peer, and fall back to generating fresh domain names to look for their masters if the existing ones go dark. As soon as the new systems are up and running they will resume communicating with the infected computers, spread to as many further computers as they can, and carry on stealing usernames and passwords so that these can be used to steal your money!

What could happen to me and my computer?

Not much, if you have an Apple Mac computer! Gameover Zeus and CryptoLocker are Windows programs and will not run on a Mac; Windows is the target simply because the largest proportion of the computers in the world are running Windows. So us Apple Mac users can sit back with a smug grin on our faces 😀 (though a Mac can still forward an infected email to a Windows user, so be careful what you pass on).

What will the virus do?

If you are already infected or become infected in the future, the virus initially sits quietly and waits for you to log in to your bank account online. It then captures the login credentials (username, password and whatever else the bank asks for) as you type them into the browser, so an encrypted HTTPS connection is no protection at all, and once the criminals have the full set of details they use them to empty your bank account into their own.

If this first attempt to steal money from you fails (maybe you don't use online banking, you don't have a bank account or you don't have much money in it), or isn't rewarding enough for the criminals behind it (who knows what constitutes enough money), then the second phase of the attack kicks in: the same infection is used to download and run the CryptoLocker virus.

This second phase encrypts the interesting user data on your computer (spreadsheets, documents, databases, pictures, email files etc.) and then throws up a Ransom Demand screen asking you to pay around $300 in order to obtain the key to decrypt your data.

If you don't pay the ransom within the time indicated on the Ransom Demand screen (showing an ever reducing count-down clock), the key that can be used to decrypt your data is destroyed and you won't be able to recover your data unless you have a backup of your files somewhere. Services such as Dropbox or SugarSync, or any other service that syncs your files into the Cloud, DON'T constitute a proper backup: the sync client faithfully uploads the encrypted versions of your files over the good ones, so the copy in the Cloud ends up just as useless as the copy on your disk.

Could I already be infected and not know it?

Yes. In the UK around 15,000 computers are estimated to be already infected; worldwide the figure is thought to be in the millions.

Infected computers may also be used to spread the infection further, for example by harvesting email addresses from the local Windows address book or Outlook contacts and sending an infected email to each of them. Those recipients, unless they have their wits about them, may think the email is genuine because it appears to come from someone they know, open it, open the attachment and become infected in turn, and the process starts again.

If you are already infected, your Internet Service Provider (ISP) may contact you to tell you so (ISPs are reported to be notifying customers whose machines were identified from the seized control systems). IF YOU HEAR FROM YOUR ISP – DO NOT IGNORE THE WARNING!

What can I do about it?

McAfee have kindly produced a tool to scan for and remove the infection from an already infected computer and this can be downloaded here. Make sure you get it from McAfee's own website: fake "clean-up tools" are a favourite way of delivering new infections. There is no harm in running the tool right now, even if your ISP doesn't contact you, so why not err on the side of caution and check your computer anyway? A clean result isn't a guarantee, so keep your normal anti-virus software up to date as well.

Once you know you are clean, the best advice is to buy an external hard disk drive or a large capacity memory stick, back up ALL your critical personal data to it, then unplug it and keep it somewhere very safe.

If the disk or memory stick stays connected to your computer, the data on it will be encrypted along with everything else if you subsequently become infected (the same goes for a network drive mapped to a server, which is how the server in the clean-up story further down got hit). Keep your backed-up data completely disconnected from your computer, keep more than one generation of it so that a backup taken after the infection started doesn't overwrite the only good copy, and try restoring a file from it now and then to prove it works.

Worst case, if you do get infected after you have taken your backup, the virus can be removed and you can recover your data from the external disk.

If you don't back up your data and you do become infected, there is still a small chance of recovering your files if you have a feature called Shadow Copies enabled on your computer (see the link to the left to find out how to enable them). Small, because not every infection leaves the shadow copies intact.

If you aren't already infected, well done. You should still back up your files and remain ever vigilant when opening emails that contain attachments or links to sites, even from people you already know.

What’s in it for the criminals?

Well, the CryptoLocker virus that reared its head around October last year has supposedly netted the criminals around £60m from its ransom demands, and even some police forces have had to pay the ransom to get their data back, so clearly it's well worth their while writing the virus and setting it loose on the world, and no one is immune from attack.

If 1% of the supposed million-plus infected computers pay the ransom demand, that's 10,000 payments of $300, about $3m in the bank. Add to that the bank accounts that get emptied, which presumably hold rather more than $300 each: if 5% of 1 million infected computers belong to people with $500 in their account and all of those get emptied, that's 50,000 accounts, or another $25m.

You have been warned!

CryptoLocker Ransom Virus Cleanup

In case you haven't come across the CryptoLocker virus, it is a particularly nasty virus that sits unannounced on your computer and encrypts a whole variety of useful files, namely anything saved with the following file extensions:

*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.pdf, *.eps, *.ai, *.indd, *.cdr, *.jpg, *.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c

The virus uses public-key cryptography. Each file is scrambled with its own symmetric key, and that key is in turn encrypted with a public key; the matching private key, the only thing that can undo it, is generated on the criminals' servers and is never stored on your computer. The only way to decrypt the files is to pay the $300 ransom, which buys you that private key. The virus gives you a countdown warning that if you don't pay within the ever diminishing time, the private key will be destroyed and your data will be toast!
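Working out which files on a machine have actually been encrypted is the first question in a clean-up, and the extension list above is the natural starting point. The script below is an added example written for this post, not code from the post or from the malware: for every file with a targeted extension it checks whether the file still begins with the magic bytes its format should have, and how close its contents are to random (Shannon entropy, where 8.0 bits per byte means every byte value is equally likely). The MAGIC table covers only a handful of the formats, and the sample user profile it builds is constructed for the demo; both are assumptions of this example.

```python
"""Triage which files under a directory look CryptoLocker-encrypted.

Added example for this post, not code from the post or from the malware.
A healthy Office, PDF or JPEG file keeps its format header even though
its body is compressed (and so high-entropy); an encrypted one loses the
header and is random all the way through. The MAGIC table and the sample
tree are assumptions made for the demo.
"""
import hashlib
import math
import tempfile
from pathlib import Path

# Subset of the extensions listed in the post (assumption: a representative set).
TARGET_EXTENSIONS = {
    ".odt", ".ods", ".odp", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
    ".mdb", ".accdb", ".pst", ".dwg", ".rtf", ".psd", ".pdf", ".eps", ".jpg",
    ".jpe", ".cr2", ".nef", ".der", ".cer", ".crt", ".pem", ".pfx", ".p12",
}

# Leading bytes a healthy file of these formats should have.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy Office (.doc/.xls/.ppt)
ZIP = b"PK\x03\x04"                            # OOXML and OpenDocument are ZIPs
JPEG = b"\xff\xd8\xff"
MAGIC = {
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,),
    ".docx": (ZIP,), ".xlsx": (ZIP,), ".pptx": (ZIP,),
    ".odt": (ZIP,), ".ods": (ZIP,), ".odp": (ZIP,),
    ".pdf": (b"%PDF",), ".jpg": (JPEG,), ".jpe": (JPEG,),
    ".psd": (b"8BPS",), ".rtf": (b"{\\rtf",), ".pst": (b"!BDN",),
    ".pem": (b"-----BEGIN",),
}
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0, text near 4-5
SAMPLE_SIZE = 4096        # bytes examined from the start of each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty buffer)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_file(path: Path) -> str:
    """Classify one file: 'skipped', 'ok', 'suspicious' or 'encrypted'."""
    ext = path.suffix.lower()
    if ext not in TARGET_EXTENSIONS:
        return "skipped"
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_SIZE)
    high_entropy = shannon_entropy(head) >= ENTROPY_THRESHOLD
    expected = MAGIC.get(ext)
    if expected is None:
        # No header to compare against; random-looking content is all we have.
        return "suspicious" if high_entropy else "ok"
    if any(head.startswith(m) for m in expected):
        # Intact header: compressed (high-entropy) content behind it is normal.
        return "ok"
    # Header gone and the bytes look random: the signature of a ciphertext.
    return "encrypted" if high_entropy else "suspicious"


def scan_tree(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its verdict."""
    return {p.relative_to(root).as_posix(): assess_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode) so the
    demo is reproducible; real ciphertext looks the same to the entropy check."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_sample_tree(root: Path) -> None:
    """Write a constructed user profile: healthy files next to 'encrypted' ones."""
    (root / "photos").mkdir(parents=True, exist_ok=True)
    # Healthy PDF: intact header, low-entropy text body.
    (root / "report.pdf").write_bytes(b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100)
    # Healthy spreadsheet: ZIP header followed by compressed (random-looking) data.
    (root / "accounts.xlsx").write_bytes(ZIP + pseudo_random_bytes(b"xlsx", 4000))
    # Encrypted photo: JPEG header overwritten, content random.
    (root / "photos" / "holiday.jpg").write_bytes(pseudo_random_bytes(b"holiday", 4096))
    # Access databases have no entry in MAGIC: healthy one is mostly zeros,
    # encrypted one is nothing but random bytes.
    (root / "clients.mdb").write_bytes(b"Standard Jet DB" + b"\x00" * 4000)
    (root / "clients.accdb").write_bytes(pseudo_random_bytes(b"accdb", 4096))
    # Not on the target list at all.
    (root / "notes.txt").write_text("remember to unplug the backup disk\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:10s} {rel}")
```

Run it against a copy of the user's profile rather than the live disk, and treat "suspicious" as a prompt to open the file, not as a verdict: a renamed or corrupt file trips the same checks.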

I was recently called to deal with another CryptoLocker virus discovered on a new customer's computer. The damage to the server was overcome by restoring all data from a recent backup, but I was now looking at cleaning up the infected client computer (which had been removed from the LAN and switched off).

To stop the warning message appearing, I used Rkill (the iexplore.exe version – I find this works more often than the rkill.exe version) to highlight the random .exe file that is running. As there are usually two copies of the file running, once Rkill identifies the name of the file it will kill one of the processes, but the second will spawn another copy of itself, and so you find that the processes are still running.

A quick TASKKILL command at the command prompt kills both processes at the same time, so neither copy is left to respawn the other: taskkill /f /im randomexefilename.exe (the /im switch matches every process with that image name, and /f forces them to end).

Once the processes have been stopped, I then use RogueKiller to identify and clean up the computer, noting the names of the two .dll files that are created in c:\users\USERNAME\appdata\roaming, and then scour the registry for those .dll files and the original randomexefilename, removing any traces that are found. I also check to make sure the .dll and .exe files are removed too – you can't be too careful. The .exe file usually resides in c:\users\USERNAME\appdata\roaming\randomfoldername.
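The two things the steps above depend on, the name of the random executable and the fact that its two copies keep each other alive, can both be read straight off a process listing. The script below is an added example, not the Rkill/RogueKiller procedure from the post: it takes the CSV that `wmic process get ExecutablePath,Name,ParentProcessId,ProcessId /format:csv` writes on the infected machine, picks out executables running from a user's AppData\Roaming folder, and marks any image where one copy was started by another copy of itself. The listing embedded in it is constructed for the demo and the process names in it are made up.

```python
"""Find the CryptoLocker process pair in a Windows process listing.

Added example, not the Rkill/RogueKiller steps from the post. Input is the
CSV printed by
  wmic process get ExecutablePath,Name,ParentProcessId,ProcessId /format:csv
(a leading blank line, then a header starting with the Node column). The
sample listing and the process names in it are constructed for the demo.
"""
import csv
import io
import re
from collections import defaultdict

# Any path under a user's roaming profile, where the post found the .exe.
ROAMING = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)

# Constructed listing: explorer, a browser, the malware pair, a legitimate
# program that also lives in Roaming, and the System process with no path.
SAMPLE_WMIC_CSV = """
Node,ExecutablePath,Name,ParentProcessId,ProcessId
PC01,C:\\Windows\\explorer.exe,explorer.exe,612,1320
PC01,C:\\Program Files\\Internet Explorer\\iexplore.exe,iexplore.exe,1320,2204
PC01,C:\\Users\\alan\\AppData\\Roaming\\Kfozyxen\\Iwejov.exe,Iwejov.exe,1320,2876
PC01,C:\\Users\\alan\\AppData\\Roaming\\Kfozyxen\\Iwejov.exe,Iwejov.exe,2876,3012
PC01,C:\\Users\\alan\\AppData\\Roaming\\Dropbox\\bin\\Dropbox.exe,Dropbox.exe,1320,2400
PC01,,System,0,4
"""


def parse_wmic_csv(text: str) -> list:
    """Turn wmic's CSV into dicts with integer PIDs; blank lines are dropped."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    rows = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        rows.append({
            "name": row["Name"],
            "path": row["ExecutablePath"] or "",
            "pid": int(row["ProcessId"]),
            "ppid": int(row["ParentProcessId"]),
        })
    return rows


def find_roaming_suspects(procs: list) -> list:
    """Group AppData\\Roaming executables by path and flag self-spawned pairs."""
    by_path = defaultdict(list)
    for p in procs:
        if ROAMING.search(p["path"]):
            by_path[p["path"]].append(p)
    findings = []
    for path, group in by_path.items():
        pids = {p["pid"] for p in group}
        # One copy started by another copy of the same image: the watchdog
        # pattern that makes killing them one at a time fail.
        self_spawned = any(p["ppid"] in pids for p in group)
        findings.append({
            "name": group[0]["name"],
            "path": path,
            "pids": sorted(pids),
            "self_spawned": self_spawned,
            "verdict": "likely malware" if self_spawned else "review",
            # /im matches every process with that image name, so both die at once.
            "kill_command": f"taskkill /f /im {group[0]['name']}",
            # Copy this folder off before deleting anything, for later analysis.
            "preserve_folder": path.rsplit("\\", 1)[0],
        })
    return sorted(findings, key=lambda f: f["verdict"])


if __name__ == "__main__":
    for f in find_roaming_suspects(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f["verdict"], f["name"], f["pids"], f["kill_command"])
```

Anything that comes back as "review" (here the Dropbox client, which genuinely installs under Roaming) needs a human look at the publisher signature before it is touched; only the self-spawned pair gets the taskkill.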

Once the registry is clean, you can look at recovering local files from the Shadow Copies. There is a good write-up on BleepingComputer on how to do this, so I won't expand on what's written there.

During my cleaning of the computer today, I noticed that the folder containing the randomexefilename.exe file was created back in July 2012, and the two .dll files in appdata\roaming were created on 1st October 2013. As I had a vague idea the infection came in via email, I looked for odd emails on 1st October in the user's mailbox and noticed several with the subject "Your Amazon.co.uk order #", all of which contained .ZIP attachments. Having deleted all those emails and checked the anti-spam logs on the server, the emails appeared to come from Hotmail.com accounts, so I tweaked the filters in the anti-spam software on the server (Vamsoft ORF Fusion) to block all .ZIP attachments (except from trusted sources).
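The filter change described above, block ZIP attachments unless the sender is trusted, is simple to state but has two traps: the attachment may be a ZIP with a different file name, and a ZIP from a "trusted" sender may still carry an executable. The script below is an added example, not the Vamsoft ORF Fusion rule the author configured. It parses a raw message, finds attachments that are ZIPs by name or by the PK header, lists what is inside, and applies the policy: executables inside a ZIP are rejected from anyone, other ZIPs are quarantined unless the sender's domain is on the trusted list. The trusted-sender list and the sample "Your Amazon.co.uk order #" messages are constructed for the demo.

```python
"""Gateway-style check for ZIP attachments such as the Amazon order lure.

Added example, not the author's ORF Fusion rule. The sample messages are
built in memory and the 'executable' inside them is just an MZ stub, so
nothing here is real malware.
"""
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_SENDER_DOMAINS = {"accountants.example.co.uk"}   # assumption for the demo
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
ZIP_MAGIC = b"PK\x03\x04"


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From: address, lower-cased ('' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def zip_members(data: bytes) -> list:
    """Names inside a ZIP, or [] if the bytes are not a readable ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def inspect_message(raw: bytes) -> dict:
    """Describe the sender and every ZIP attachment in a raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    zips = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        # Trust the bytes, not the name: a ZIP called order.pdf is still a ZIP.
        if not (name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC)):
            continue
        members = zip_members(data)
        zips.append({
            "filename": name,
            "disguised": not name.lower().endswith(".zip"),
            "members": members,
            # 'Report.pdf.exe' has the suffix '.exe': the double-extension trick.
            "executables": [m for m in members
                            if posixpath.splitext(m)[1].lower() in EXECUTABLE_EXTS],
        })
    return {"sender_domain": sender_domain(msg), "zips": zips}


def decide(raw: bytes) -> str:
    """'deliver', 'quarantine' or 'reject' for one message."""
    report = inspect_message(raw)
    if not report["zips"]:
        return "deliver"
    if any(z["executables"] for z in report["zips"]):
        return "reject"          # an .exe inside a ZIP is never wanted, from anyone
    if report["sender_domain"] in TRUSTED_SENDER_DOMAINS:
        return "deliver"
    return "quarantine"          # hold for a human, as the post's filter does


def build_message(sender: str, attach_name=None, inner_name="Order_Details.pdf") -> bytes:
    """Constructed test message; with attach_name set it carries a one-file ZIP."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "alan@example.co.uk"
    msg["Subject"] = "Your Amazon.co.uk order #"
    msg.set_content("Thank you for your order. Details are attached.")
    if attach_name:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(inner_name, b"MZ" + b"\x00" * 64)   # stub, not a real PE
        msg.add_attachment(buf.getvalue(), maintype="application",
                           subtype="octet-stream", filename=attach_name)
    return msg.as_bytes()


if __name__ == "__main__":
    lure = build_message("orders@hotmail.com", "Order_Details.zip", "Amazon_Order_Report.pdf.exe")
    print(decide(lure), inspect_message(lure)["zips"][0]["executables"])
```

The weak point of this policy is the trusted-sender list: the From: header is trivially forged, so in a real gateway the exemption should key off an authenticated sender (SPF, DKIM or the connecting server) rather than the header alone.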

So it would appear that this particular virus, or at least the origins of it, may have been hiding dormant on the customer's computer since July 2012; the opening of the .ZIP attachment on 1st October added more to the virus, and it finally completed its encryption of files a week or two later, at which point it popped up its ransom demand.

This particular customer was lucky because they back up their files nightly and Shadow Copies were enabled on the client computer, so the encrypted files could be recovered completely. But if you are reading this now with the warning on your screen and no backup, paying the $300 ransom is the only way to get your files back, and even that is no guarantee. If you kill the virus off and tidy up after it without a backup, you can kiss your files goodbye permanently.

Alan