Gameover Zeus – What Is It and What Can You Do About It?

What is all the fuss about?

Recently, the FBI, together with authorities in several other countries, took down some key computer systems that were being used to control infected computers around the globe. Those infections were designed to steal usernames and passwords from the infected computers.

Those key computer systems are no doubt in the process of being rapidly replaced somewhere else in the world. As soon as they are up and running again they will resume communications with the infected computers and unleash an attack on as many computers as they can infect, with the aim of stealing yet more usernames and passwords so that these can be used to steal your money!

What could happen to me and my computer?

Not much if you have an Apple Mac computer! This nasty will only affect Windows-based computers (because the largest proportion of the computers in the world are running Windows). So we Apple Mac users can sit back with a smug grin on our faces 😀

What will the virus do?

If you are already infected or become infected in the future, the virus will initially (apparently) sit quietly and wait for you to log in to your bank account online, then steal the login credentials (username and password) you use to access your account. Once it knows all the details, these can be used to empty your bank account into the criminals' bank accounts.

If this first attempt to steal money from you fails (maybe you don't use online banking, you don't have a bank account or you don't have much money in it), or isn't rewarding enough for the criminals behind this (who knows what constitutes enough money), then the second phase of the attack kicks in: the CryptoLocker virus.

This second phase will encrypt the interesting user data on your computer (spreadsheets, documents, databases, pictures, email files etc.) and then throw up a Ransom Demand screen asking you to pay around $300 in order to obtain the key to decrypt your data.

If you don't pay the ransom within the time indicated on the Ransom Demand screen (which shows an ever-reducing countdown clock), then the key that can be used to decrypt your data will be deleted and you won't be able to recover your data unless you have a backup of your files somewhere. If you use services such as DropBox or SugarSync, or any other service that syncs your files into the Cloud, then this DOESN'T constitute a proper backup, because the encrypted versions of your files will simply be synced over the good ones.

Could I already be infected and not know it?

Yes – in the UK it is estimated that around 15,000 computers are already infected; worldwide, this is thought to be in the millions.

The infected computers will no doubt try to harvest email addresses from the local Windows address book / Outlook contacts and then send an infected email to those harvested addresses. The recipients, unless they have their wits about them, may think the email is genuine because it comes from someone they know, so they open it, open the attachment, and then they too are infected and the process starts again.

If you are already infected, then your Internet Service Provider (ISP) may contact you (if the rumours are true) and tell you that you are infected.  IF YOU HEAR FROM YOUR ISP – DO NOT IGNORE THE WARNING!

What can I do about it?

McAfee have kindly produced a tool to scan for and remove the infection from an already infected computer, and this can be downloaded here. There is no harm in downloading the tool right now and checking your machine even if your ISP doesn't contact you, so why not err on the side of caution and check your computer anyway? This should make sure you aren't currently infected.

Once you know you are clean, the best advice is to buy an external hard disk drive or a large-capacity memory stick, back up ALL your critical personal data to it, and then unplug the disk / memory stick and keep it somewhere very safe.

If the disk / memory stick is kept connected to your computer, then the data on that will also become encrypted if you subsequently become infected, so keep your backed up data completely isolated from your computer and you should be fine.

Worst case, if you do get infected after you have taken your backup, then the virus can be stopped and you can recover your data from your external disk.

If you don't back up your data and you do become infected, then there is still a small chance of recovering your files if you have a feature called Shadow Copies enabled on your computer (see the link to the left to find out how to enable them).

If you aren't already infected, well done. You should still back up your files and remain ever vigilant when opening new emails that contain attachments or links to sites, even from people you already know.

What’s in it for the criminals?

Well – the CryptoLocker virus that reared its head around October last year has supposedly netted the criminals around £60m from their ransom demands, and even some police forces have had to pay the ransom to get their data back, so clearly it's well worth their while writing the virus and setting it loose into the world, and no one is immune from attack.

If 1% of the supposed million-plus computers that are infected pay the ransom demand, then that's about $3m in the bank. Add to that the amount from bank accounts that get emptied, which presumably will have more than $300 in them: if 5% of an infected 1 million computers whose owners have $500 in their account get emptied, then we are talking about $125m in income alone.

You have been warned!

Update WSUS to show Windows 8 Computers as Windows 8 not Windows XP

If you have a server running Windows Server Update Services 3.0 SP2 (SBS 2003 / SBS 2008 / SBS 2011 etc.) and you also have some Windows 8 clients that you have joined to the domain, they will probably show up in WSUS as Windows XP clients, not Windows 8!

To resolve this, please install the following patch from Microsoft:

http://support.microsoft.com/kb/2734608/en-us

Once installed, you should see the Windows 8 clients reported as Windows 8.

Windows 8 – After actually using it for 24 hours

My first impressions of Windows 8 were not very favourable. Like most people, I am a creature of habit and change for the sake of change doesn't sit well with me, so seeing the new Metro UI on Windows 8 for the first time when I installed the Release Candidate onto a PC for testing was a bit of a shock to the system, to say the least.

I had ignored Windows 8 for as long as I possibly could, but being in IT support it wasn't long before some of our customers had bought a new PC / laptop with Windows 8 on it, and ultimately I would end up having to support it. So I felt it was time to take my head out of the sand and swallow the pill, however bitter it was going to taste.

I had also read Mark Minasi’s recent newsletter about Windows 8 and the Surface Tablet (not something that is going to be purchased by me – I love my iPad / iPhone) and decided that perhaps it might not be quite as horrendous as I had first thought it might be.

So I took the already burned DVD with Windows 8 Enterprise on it home and popped it into my laptop and let it install (I decided upon a fresh installation for cleanliness, which is usually a much better way to install Windows).

Once installed, it took a little while to figure out where to find everything. But after finding the desktop and customising it to add things like Computer / Control Panel / Networks etc., plus my favourite background photo of a Tornado GR4 flying past me at Biggin Hill Air Show, I began to feel at home again. It wasn't long before I had joined the office domain from home (via my LAN to LAN VPN), installed Office 365, configured my various email accounts (you can never have too many!) and various other bits of software, and was merrily using Windows 8 just as I had done with Windows 7.

Not sure I’ll ever get to like the Tiles on the Metro UI, but then I didn’t ever think I would like Windows 8, so watch this space.

Activating Windows didn't work initially as it apparently couldn't find the Internet, despite browsing working happily, so I searched for a solution and ended up using slmgr.vbs to get it activated from an Administrative Command Prompt (slmgr.vbs /ipk ABCDE-FGHIJ-KLMNO-PQRST-UVWXY to install the product key, followed by slmgr.vbs /ato to activate online).

The next problem I had was installing some software which needed to install .NET Framework 3.5. Now .NET Framework 4.5 comes pre-installed on Windows 8, but getting 3.5 installed seemed a little tricky as, yet again, it couldn't seem to find the Internet! What the heck was going on? Trying to add it again from Control Panel > Programs and Features > Turn Windows features on or off failed for the same reason, so I was beginning to get a bit frustrated.

After a bit of searching using a well-known search engine (that doesn't rhyme with Ping), I came upon an article that allowed me to manually install it using the command prompt again! Is there a pattern forming here, or am I suffering from a 'feature' of the version I happened to download from TechNet?

So, with .NET Framework 3.5 installed, I could complete the Office 365 installation / customization and install other software that wouldn’t install without it (Roxio RecordNow Premier).

I am now trying to install Skype, so I search for it in Chrome (I stopped using IE a long time ago, despite being forced to use it on a few Microsoft sites, otherwise they just don't work) and it suggests I visit the Microsoft Store, which I do, then just type Skype and it finds the App. I go to install it and it insists that I log in with a Microsoft Account to be able to install it, which I find a little annoying. I just want to install it! So, having signed in using my seldom-used Hotmail account, I am allowed to install it and off I go.

One feature I have just found is the ability to turn off the Live Tiles – excellent – most are now being turned off 🙂 (Sport / Finance / Travel / People etc) – I don’t like the constant moving tiles as it is annoyingly distracting, especially for things I couldn’t care less about.

Windows 8 Music is now happily playing my iTunes music, so that’s a useful feature and the added information about artists that is available for each artist is quite nice to have.

So – all in all, the rollercoaster ride that I thought I was going to have with Windows 8 hasn’t materialized and despite not being a fan of the Metro UI, I am not rushing to switch back to Windows 7.

If you are debating whether to make the switch to Windows 8 and are used to Windows 7, then there isn't that much to be upset about as they are virtually one and the same; you just lose the Start Menu Flag and gain lots of pretty colour tiles instead! Once you have worked out how to switch to the desktop using the Desktop Tile, you are back in home territory and should be feeling warm and cosy again. My laptop isn't touch-screen capable, so using a keyboard / mouse is what I am used to, and although I now have to press the Windows Key more than I ever have before, I can get used to it.

If you are switching from Windows XP as I am sure one or two are, then it will be quite a radical change and may take some getting used to, but in all fairness, I would take the plunge as you won’t be disappointed (once you are a little bit more familiar with Windows 8).

Alan