Recently the UK’s National Crime Agency (NCA) announced that, working in conjunction with other international intelligence and law-enforcement agencies across the world, including the FBI, it has taken down a large cyber-criminal gang. The action has halted the spread of a piece of malware (malicious software) known as Gameover Zeus, which holds your personal files to ransom.
The NCA believes that its interception and disruption of the servers hosting this malware has given us a two-week window in which to protect ourselves against this threat before the criminal gang regroups and starts spreading the infection worldwide again.
What is Gameover Zeus?
The malware Gameover Zeus (also known as GOZeus or P2PZeus) is a malicious program designed to infect a user’s computer and intercept the financial transactions that the computer’s user makes. It can alter the destination accounts of these transactions, so that funds end up in the cyber criminals’ accounts instead of with the intended recipients. If it detects that an infected computer is not a viable target for intercepting financial transactions, it will instead install a powerful encryption program called CryptoLocker, which encrypts personal files on the PC such as pictures, documents, music and video files. It then displays a ransom message informing the victim that the key needed to decrypt and regain access to their files has been sent to the cyber criminals’ servers, and that they have a limited period in which to pay a ransom to get the key back; otherwise the key will be destroyed and there will be no way of ever retrieving their files. It is not clear whether paying the ransom (usually amounting to hundreds of pounds) actually allows the victim to decrypt their files, or whether it is just another way of extorting money from potential victims. Reports from around the internet are mixed, with some claiming they got their files back and others saying that they paid the ransom and are still left with nothing.
What Can I Do To Protect Myself?
Victims of this attack are usually infected via an email attachment purporting to be a .pdf or a .zip file, so be extra vigilant when checking emails and particularly when opening attachments.
Make sure you have a good Internet Security system installed which is up to date.
Perform a full scan of your system to ensure that you are not already infected.
Run a check with an online scanning utility; good ones include:
F-Secure Online Scanner, Microsoft Safety Scanner and Trend Micro Threat Cleaner.
Finally, make sure you have a backup of any important files, photos and documents on an external backup device such as a memory stick or external hard drive. Once your files are backed up, make sure the device is disconnected from your computer. If you are unfortunate enough to fall victim to this malware, your precious files will at least be safe from ransom.
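The backup advice above is easier to trust if you can prove the copy on the external device is complete and unaltered. The following added example (not code from the original post or from PC Care) copies a folder tree to a backup location, writes a SHA-256 manifest alongside the copies, and re-checks the copies against that manifest; the folder names, file contents and the "damaged file" in the demo are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256"


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large photos/videos do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source: Path, destination: Path) -> dict:
    """Copy every file under 'source' into 'destination' (preserving sub-folders) and
    write a manifest of SHA-256 digests next to the copies. Returns {relative path: digest}."""
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        dst = destination / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)                     # copy2 keeps timestamps as well as content
        manifest[rel.as_posix()] = sha256_of(dst)  # hash the copy, not the original
    lines = [f"{digest}  {name}" for name, digest in manifest.items()]
    (destination / MANIFEST_NAME).write_text("\n".join(lines) + "\n")
    return manifest


def verify(destination: Path) -> list:
    """Re-hash every file named in the manifest. Returns the relative paths that are
    missing or whose content no longer matches; an empty list means the backup is intact."""
    problems = []
    for line in (destination / MANIFEST_NAME).read_text().splitlines():
        digest, name = line.split("  ", 1)
        path = destination / name
        if not path.is_file() or sha256_of(path) != digest:
            problems.append(name)
    return problems


def demo() -> tuple:
    """Constructed end-to-end run in a temporary directory: back up two files, verify,
    then overwrite one copy (standing in for a file damaged after the backup) and verify again.
    Returns (files backed up, problems before damage, problems after damage)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"            # hypothetical user folder
        stick = Path(tmp) / "usb_stick"      # hypothetical external device
        (home / "Documents").mkdir(parents=True)
        (home / "Pictures").mkdir()
        (home / "Documents" / "notes.txt").write_text("tax return 2013\n")
        (home / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)
        manifest = back_up(home, stick)
        clean = verify(stick)
        (stick / "Documents" / "notes.txt").write_bytes(b"unreadable-garbage")
        damaged = verify(stick)
        return len(manifest), clean, damaged


if __name__ == "__main__":
    count, before, after = demo()
    print(f"{count} files backed up; problems before: {before}; after damage: {after}")
```

Run verify() against the device each time it is reconnected; a non-empty result tells you which copies can no longer be relied on, which is worth knowing before you ever need to restore from it.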
What Happens After 2 Weeks?
The simple answer is nothing: the two-week period is simply an estimate by the security agencies of how much time computer users have to prepare and protect themselves before new servers are set up by criminal gangs linked to, or copying, this method of extortion.
Microsoft has announced that it has now released an update to fix the bug found in its Internet Explorer (IE) browser a few days ago. The update patches the vulnerability described in Security Advisory 2963983, whereby code could potentially be executed remotely on a victim’s computer while they were using Microsoft’s Internet Explorer browser. To read more about SA 2963983 and the bug, follow this link: http://www.pccareuk.com/home/2014/04/security-vulnerability-found-in-ie/
Furthermore, in a reversal of Microsoft’s stance that Windows XP is end of life, no longer supported and will receive no further updates, Microsoft has backtracked and released this fix for its ageing Windows XP platform.
This news has caused some controversy and some confusion, sending mixed messages to Windows XP users that Microsoft will still support their operating system.
Our view at PC Care would be: although Microsoft have allowed this one fix to be rolled out to the XP system, we doubt very much they will release any more. This bug discovered in IE affected many versions of the browser, from version 6 all the way through to version 11, and has been around for some considerable time, affecting Windows XP, Vista, 7, 8 and 8.1. It has prompted many users to switch browser and start using alternatives such as Google Chrome or Firefox if they didn’t already. All these factors combined (the time the bug has been around, the number of versions of Windows affected, the severity of the bug, and the mass migration of users away from Internet Explorer) caused Microsoft to have a one-time change of heart. We don’t believe Microsoft will repeat this in the future, and Windows XP users should not get their hopes up or be under any illusion that it will happen again. XP is dead to Microsoft and they will want to keep it that way.
Microsoft have recently announced (26/04/14) a serious security vulnerability in its Internet Explorer web browser. It affects versions 6, 7, 8, 9, 10 and 11 of the program, meaning that anyone running Windows XP, Vista, 7, 8 or 8.1 could be at risk. In Security Advisory 2963983 Microsoft describe a flaw within Internet Explorer whereby a hacker could remotely execute code on a victim’s system and be able to create or take over a user account with the same permissions as the victim.
Quote from Microsoft Security Advisory Site:
The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.
As Internet Explorer is the preferred web browser of approximately 25% of worldwide web users, and this flaw spans multiple versions of the popular browser, it is essential for anyone using Internet Explorer to be extra vigilant, ensure they have a good, up-to-date Internet Security package installed, and make sure they have all the latest Windows Updates installed. You can always try using an alternative web browser such as Google Chrome or Mozilla Firefox while this issue is being fixed by Microsoft.
As yet there is no patch/update for this vulnerability, but Microsoft says it is investigating the flaw and will undoubtedly have a fix out shortly.
It has recently been discovered that there is a severe vulnerability in the way sensitive data is handled and transmitted by some web servers using a widely deployed encryption library known as OpenSSL.
OpenSSL is an open-source implementation of Secure Sockets Layer (SSL) encryption, and is used to encrypt sensitive data travelling between a user’s computer and a web server/website. OpenSSL has a function built into it that periodically checks that a user’s computer is still connected to the server and the connection is alive. This function is known as the heartbeat (just like checking a person’s pulse to see if they are alive). It is by exploiting this heartbeat function that fraudsters and cyber criminals could send crafted heartbeat checks and trick the server into sending back sensitive information kept in its temporary memory, or RAM. Such information could include users’ passwords, names, addresses, email addresses, and credit/debit card numbers.
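The heartbeat message carries a length field that, in the vulnerable code, was trusted without being compared against the size of the message that actually arrived. The following added example (not code from the original post, and not OpenSSL’s own code) models that handling in Python: a heartbeat record is parsed once without the length check and once with the bounds check that the fixed OpenSSL release applies, against a constructed byte string standing in for the server’s memory. The "secrets" string and the message layout are illustrative assumptions; the real protocol also involves a TLS record header, which is omitted here.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16                  # heartbeat messages carry at least 16 bytes of padding
HEADER = struct.Struct("!BH")     # message type (1 byte) + payload_length (2 bytes, big-endian)


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """type | payload_length | payload | padding. 'claimed_length' overrides the length
    field so a request whose field disagrees with its real payload can be constructed."""
    length = len(payload) if claimed_length is None else claimed_length
    return HEADER.pack(HB_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def _build_response(payload: bytes) -> bytes:
    return HEADER.pack(HB_RESPONSE, len(payload)) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_unchecked(record: bytes, memory: bytes) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes starting at the payload offset,
    trusting the peer's length field. 'memory' is a constructed model of the server's
    RAM in which the received record sits at offset 0 and other live data follows it."""
    assert memory.startswith(record)
    hb_type, payload_length = HEADER.unpack_from(record, 0)
    if hb_type != HB_REQUEST:
        return b""
    start = HEADER.size
    return _build_response(memory[start:start + payload_length])   # may run past the record


def handle_heartbeat_checked(record: bytes, memory: bytes) -> Optional[bytes]:
    """Post-fix behaviour: the reply is built only from bytes inside the record that
    arrived; a heartbeat whose length field does not fit in that record is discarded."""
    hb_type, payload_length = HEADER.unpack_from(record, 0)
    if hb_type != HB_REQUEST:
        return None
    if HEADER.size + payload_length + PADDING_LEN > len(record):
        return None                                # silently drop, as the patched code does
    start = HEADER.size
    return _build_response(record[start:start + payload_length])


def echoed_payload(response: bytes) -> bytes:
    """Extract the payload the server echoed back."""
    _, length = HEADER.unpack_from(response, 0)
    return response[HEADER.size:HEADER.size + length]


if __name__ == "__main__":
    secrets = b"session=abc123; password=hunter2"          # constructed: data left in RAM
    well_formed = build_heartbeat_request(b"ping")
    oversized = build_heartbeat_request(b"ping", claimed_length=40)
    for name, request in (("well-formed", well_formed), ("oversized length", oversized)):
        memory = request + secrets
        print(name, "unchecked ->", echoed_payload(handle_heartbeat_unchecked(request, memory)))
        reply = handle_heartbeat_checked(request, memory)
        print(name, "checked   ->", None if reply is None else echoed_payload(reply))
```

With the well-formed request both handlers echo "ping". With the length field set to 40, the unchecked handler replies with the 4-byte payload, the padding and 20 bytes of whatever followed the record in memory, which is why a server's RAM could be read out by a client that never logged in; the checked handler discards the message, which is the whole of the fix.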
What can you do to protect yourself?
I have seen several newspaper articles and supposed advice columns suggesting that everyone should immediately change all their online passwords for all the websites they use. This could potentially be the worst thing you could possibly do! If the server has not been patched with an updated “FixedSSL” version of OpenSSL, then potentially you could be logging into websites that are still compromised, updating your passwords and effectively sending them to the cyber criminals.
If you are concerned about any of the websites that you use, under no circumstances try to log into them. The first thing to do is to use an online checker (details of some good checkers are at the end of this post). These will validate whether a server has been updated to patch the Heartbleed bug. Only if the checking service reports that the website has been updated with the FixedSSL patch and is safe should you attempt to log in. Once logged in, you can then update or change your passwords and security information. Most commonly used websites are taking steps to fix this bug or have already done so.
The top websites that were once vulnerable but have subsequently been patched and reported to be safe to use again are:
5. Yahoo Mail
There are potentially hundreds of thousands of other websites that either were once vulnerable or still are. Just because a website now shows as safe does not necessarily mean that it has always been safe, so it would still be wise to exercise caution and keep a close eye on any social media accounts, bank accounts, webmail accounts and online retail accounts for any suspicious activity, purchases or messages.
Good online checkers include:
https://lastpass.com/heartbleed/ – This site will validate whether a site is currently safe to use and for how long it has been safe, as well as advising whether it was once vulnerable. It will then offer recommendations on how you should proceed.
https://filippo.io/Heartbleed/ – This website will check and report whether a website should be safe to use. Not as informative as the first, but still helpful.
Finally, for Google Chrome users there is a plugin called Stopbleed which will tell you whether a website you are visiting is vulnerable to the Heartbleed bug. Remember, if a site reports as vulnerable, it does not mean the site is unsafe to visit, just that it is not safe to enter any personal or sensitive information into it.
Stopbleed can be downloaded and installed into Chrome from here: Download Stopbleed for Chrome.