Should I be worried about Gameover Zeus & CryptoLocker?

March 21, 2018

“More than 15,000 machines in the United Kingdom are believed to have been infected!”, people have “just two weeks to protect themselves before it attempts to empty their bank accounts!”, the virus “may be costing UK computer users millions of pounds!”. What is Gameover Zeus, what is CryptoLocker, and what should I do? Matt Kirby investigates.

So, should I be worried?

The short answer is (as always!) if you have up-to-date anti-virus and don’t open dodgy looking emails you should be fine.  If you don’t use a Windows PC you’re even safer from these viruses – as Gameover Zeus and CryptoLocker only attack Windows machines.

So what’s happened?

Gameover Zeus is a new variant of a virus that attempts to steal login information for things like online banking. If it finds something interesting it sends these details to Command & Control (C&C) servers run by hackers.  The hackers then use these logins to access bank accounts, steal all your money, and buy expensive things.  At least that was their plan.

The FBI, in association with other law-enforcement agencies all over the world, has managed to disrupt this plan by severing the connections to the C&C servers, thereby preventing the virus from reporting anything useful to the hackers. Additionally, they have passed details of these servers to ISPs (Internet Service Providers), so that the ISPs can monitor any connection attempts to these servers and alert the user that they are infected.
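The ISP-side check described above (watch outbound connection attempts, match them against the list of known C&C servers, alert the owner of the source machine) is simple enough to show in code. The script below is an added example, not code from the original post or from any ISP; the log format is a hypothetical flow-log layout, and the indicator addresses are placeholders from the RFC 5737 documentation ranges standing in for the real C&C list, which the post does not give.

```python
import re
from collections import OrderedDict

# Constructed indicator set: placeholder addresses from the RFC 5737
# documentation ranges, standing in for the C&C server list the post says
# law enforcement handed to ISPs. These are NOT real Gameover Zeus addresses.
KNOWN_CC_ADDRESSES = frozenset({
    "192.0.2.10",
    "192.0.2.11",
    "198.51.100.7",
})

# Hypothetical flow-log format assumed for this example:
#   <ISO timestamp> <source IP> -> <destination IP>:<port>
FLOW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$"
)

# Constructed sample log covering the cases that matter: a clean host
# (10.0.0.33), a host that tries two indicators (10.0.0.21), a host that
# tries one (10.0.0.48), and a malformed line that must not break parsing.
SAMPLE_LOG = """\
2014-06-02T09:14:03Z 10.0.0.21 -> 203.0.113.5:443
2014-06-02T09:14:07Z 10.0.0.21 -> 192.0.2.10:8080
2014-06-02T09:15:12Z 10.0.0.33 -> 203.0.113.9:80
2014-06-02T09:16:40Z 10.0.0.21 -> 198.51.100.7:443
this line is corrupt and will be skipped
2014-06-02T09:17:01Z 10.0.0.48 -> 192.0.2.11:80
""".splitlines()


def parse_flow(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = FLOW_LINE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "port": int(m["port"])}


def find_infected_hosts(lines, indicators=KNOWN_CC_ADDRESSES):
    """Map each source IP that tried to reach a known C&C address to its attempts.

    Malformed lines are skipped rather than aborting the whole run, so one bad
    record in a large log cannot hide the hits around it.
    """
    hits = OrderedDict()
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["dst"] not in indicators:
            continue
        hits.setdefault(rec["src"], []).append(rec)
    return hits


def build_alerts(hits):
    """Turn the hit map into one alert message per affected host."""
    alerts = []
    for src, attempts in hits.items():
        first = attempts[0]["ts"]
        servers = sorted({a["dst"] for a in attempts})
        alerts.append(
            f"{src}: {len(attempts)} connection attempt(s) to known C&C "
            f"server(s) {', '.join(servers)}; first seen {first}"
        )
    return alerts


if __name__ == "__main__":
    for msg in build_alerts(find_infected_hosts(SAMPLE_LOG)):
        print(msg)
```

Run as-is it reports 10.0.0.21 (two attempts) and 10.0.0.48 (one attempt) and stays silent about 10.0.0.33. The point worth noticing is that the detection keys on the destination, not on anything inside the traffic, which is why a sinkholed C&C list is so useful to an ISP: the infected machine gives itself away simply by trying to phone home.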

This is a fantastic result for the forces of good over evil; however, the UK’s National Crime Agency (NCA) issued a press release titled “Two-week opportunity for UK to reduce threat from powerful computer attack”. Rather than saying “Yay! We stopped the hackers!” they made it sound like all our bank accounts will be empty in a fortnight.

However well-intentioned the NCA’s alert was, it arguably started a panic, and the UK media (in their usual balanced tone, as with the Heartbleed bug) made it sound like the sky was falling.

So what’s the truth?

In order to end up with an empty bank account because of this virus, the following things need to happen:

  • You need to receive (and open) a virus-laden email (if you have a spam-filtering system in place this is unlikely to happen)
  • The PC you are on has either no anti-virus, or anti-virus that’s not up to date (if you don’t have up-to-date anti-virus, stop reading now and get some!)
  • The ISP you are using fails to notice that your PC is trying to connect to the hackers, so they don’t warn you
  • You use online banking on this PC after being infected
  • Your bank doesn’t use “two-factor” security and also asks for your full password every time you log in (most banks only ask for partial passwords at login, or require you to enter a generated code from a two-factor device)
  • The hackers manage to get new C&C servers up and running and divert their virus to the new servers (the NCA estimated two weeks, but I don’t know where they have plucked that number from)

So, thanks to the work of the FBI and others, it’s unlikely that Gameover Zeus will empty bank accounts across the nation; however, there is something scarier lurking beneath…

So what’s the really scary part?!

If Gameover Zeus doesn’t find anything interesting on your PC (because you don’t use it for online banking, or possibly because it can’t phone home) it invites one of its friends over to play – CryptoLocker.

CryptoLocker is undoubtedly the scariest virus to date. If you are infected it starts encrypting all of your documents and photos, including those on any network drives or servers you have access to. When it’s finished doing its thing it pops up a notice saying that you can retrieve your documents if you pay a ransom. The price varies, but it’s usually priced in Bitcoin, and usually equates to around £300 – £500.

The scary part is that CryptoLocker is very well designed. Previous viruses that tried similar things usually had a flaw or work-around, so if you were infected and acted quickly enough you could usually get everything back without paying the ransom.

However, CryptoLocker has been designed with strong encryption that is practically impossible to crack, and it has been implemented in such a way that so far no-one has been able to bypass the virus.

If you are infected with CryptoLocker you have three options:

  • Rebuild your PC, and restore data from backup
  • Pay the ransom
  • Kiss your data goodbye

We’ve been contacted by two companies who were hit by CryptoLocker and didn’t have good backups in place, so their only realistic option was to pay the ransom. This is unfortunate, as it encourages the hackers to continue, but they’ve priced the ransom at a level lower than the value of the ransomed data, so paying is usually the only option if you don’t have good backups.

Once again (as with all viruses), CryptoLocker is only an issue if you don’t have up-to-date anti-virus and you have a habit of opening dodgy-looking emails.

I don’t have anti-virus!  I’m scared!

You should be!

Your work PC should be covered by anti-virus provided by your employer – ask your IT department or consultant (such as us!) if you are unsure.

For your personal machine there is a wide variety of anti-virus systems available, and some are even free. The best of the free ones are either Avast! or AVG. If you don’t have any anti-virus at all, install one of these NOW!

Even if you do have anti-virus you should avoid opening any dodgy-looking emails – if an email comes in from a person or company you don’t have any dealings with, it’s highly likely it’s spam and should be deleted. Only open attachments that you are expecting, and only from people that you know and trust.

Random email, from a random company, asking you to open the attachment?  Bin it!

Tags: hacking, security, two-factor authentication, virus