
How to protect your PC from Gameover Zeus and CryptoLocker - everything you need to know

James Temperton
3 Jun 2014

How to remove Gameover Zeus and CryptoLocker, how to make your computer safe from Gameover Zeus and key questions answered

Anyone using a Windows PC should be taking immediate action to protect their computer from some of the most malicious and widespread malware ever seen.

In this guide we explain how to remove Gameover Zeus from your PC, how to remove CryptoLocker from your PC, how to recover files from CryptoLocker for free and explain everything you need to do and know about this major computer security threat.

Q: How can I tell if my PC is infected?

A: The FBI reckons over one million Windows PCs around the world are infected with Gameover Zeus, with the National Crime Agency (NCA) putting the UK figure at around 15,500.

People in the UK infected with Gameover Zeus are likely to be contacted by their ISP, with letters already being sent out. Even if you don't receive a letter, you should still act as if your computer is infected and carry out some important maintenance detailed below.

Q: How do I remove Gameover Zeus and Cryptolocker from my PC?

A: The NCA has listed several legitimate and safe anti-malware tools that can hunt down and remove Gameover Zeus from your computer. They all do broadly the same thing and should be installed alongside your existing antivirus and other security software. Gameover Zeus removal tools are available from:

F-Secure (Windows Vista, 7 and 8)

F-Secure (Windows XP)

Heimdal (Microsoft Windows XP, Vista, 7, 8 and 8.1)

Microsoft (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

Sophos (Windows XP (SP2) and above)

Symantec (Windows XP, Windows Vista and Windows 7)

Trend Micro (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

People should choose one of the removal tools and use it to check for Gameover Zeus and, if it is present, remove it from their computer. More details are available at CERT UK.

Q: If I've been infected, what else do I need to do?

A: You should make sure all software installed on your Windows PC is up to date and that where possible automatic updates are turned on.

Your Windows operating system should also be up to date with Windows Automatic Updates turned on. Your antivirus software must also be activated and up to date. The NCA has also advised anyone infected with Gameover Zeus to change all their passwords.

Q: What if my computer is already locked by CryptoLocker?

A: All is not lost if you've already been infected with CryptoLocker and it has encrypted your computer and demanded a ransom to unlock it.

While we'd never recommend paying the ransom, for some people this may be the only option. At the time of writing the CryptoLocker ransom is around £150.

The tough lesson to learn is that you should always back up everything on your computer to an external hard disk. If you don't have a back-up and you don't want to pay the ransom then there could still be a way to access at least some of your files.

Click here for our expert guide on how to recover files from CryptoLocker for free.

Q: Why only two weeks?

A: This is an educated guess by the FBI and NCA and there isn't some giant countdown timer ticking in a room somewhere. Based on the strength of their advice it seems safe to assume that two weeks is the very minimum amount of time that Gameover Zeus will be disrupted.

Q: What have the FBI, NCA and Europol done?

A: The international operation has taken control of the command and control servers used by the criminal organisation behind Gameover Zeus. These are the machines that control the network of infected computers and allow hackers to control them.

With the control servers under police control, hackers are temporarily unable to manage the hijacked computers.

Once new control servers are set up elsewhere, Gameover Zeus will continue to operate as normal. It is estimated it will take the people behind the attack at least two weeks to do this.

Q: What are Gameover Zeus and CryptoLocker?

A: Gameover Zeus is a banking trojan designed to steal online banking details and take money from your account. CryptoLocker is a piece of malicious software known as ransomware. It encrypts everything on a Windows PC and then demands payment to unlock it again.

People are normally infected by clicking on attachments or links in emails. These phishing emails may look genuine and appear to come from courier companies, banks, mobile phone companies or contain invoices and voicemail messages.

The phishing emails are generated by other victims' computers operating as part of a huge, worldwide network of infected machines, known as a botnet.

If the malicious file in the email is opened on an unprotected computer, Gameover Zeus is downloaded and installed, linking the victim's computer to the botnet. Gameover Zeus hides in the background and monitors user activity; when it detects banking or other private information, this information is sent to the criminals.

If Gameover Zeus is unable to do this, it can also install CryptoLocker to encrypt everything on a computer and demand a ransom to unlock it. This can be anywhere between £150 and £300 in the UK.

Q: Will Gameover Zeus and CryptoLocker come back online?

A: Yes, without a doubt. The two-week window set by the FBI and NCA is purely arbitrary. They are certain that the disruption caused to Gameover Zeus and CryptoLocker won't last long and that the well-funded and highly organised criminal network behind it will get it back online and running.

Q: What countries has Gameover Zeus targeted?

A: Data from Symantec reveals that 13 per cent of computers affected by Gameover Zeus are in the US, with Italy close behind on 12 per cent. The United Arab Emirates is home to eight per cent of infected computers, with Japan and the UK both on seven per cent.

Q: How are Gameover Zeus and CryptoLocker related?

A: Gameover Zeus is designed to make big money for criminal gangs but sometimes it fails. If it can't get hold of your banking details, there are other ways it can get at your money.

Some strains of Gameover Zeus are known to install CryptoLocker. Once this ransomware is installed it locks everything on your computer and demands that a ransom fee is paid.

Q: Who's behind Gameover Zeus?

A: Gameover Zeus and its CryptoLocker spin-off are the work of a well-organised and sophisticated criminal gang. The FBI has placed Russian hacker Evgeniy Mikhailovich Bogachev on its most wanted list.

Known online as 'lucky12345', 'slavik' and 'Pollingsoon', the 30-year-old is alleged to have worked as an administrator on Gameover Zeus and has been indicted on charges of conspiracy, fraud and computer abuse in the US.

Q: Why do I have to keep changing my passwords?

A: The last couple of months have seen numerous calls for people to reset and change passwords following attacks and data breaches. The advice should be followed but that doesn't mean it isn't very annoying.

If you've already changed your passwords after Heartbleed, then after the eBay data breach, you should do it again for Gameover Zeus. But it doesn't have to be this way.

Now is the time to start using a password manager such as LastPass. This makes your passwords more secure, harder to hack and means you don't need to keep changing them after every major data breach and security scare.
