Police tell UK public they have only hours to combat GameOver Zeus malware

Two weeks ago, the National Crime Agency had a scary message for computer users up and down the United Kingdom.

NCA warns public

That was Monday 2 June. At the time of writing it's late in the evening on Monday 16 June.

By my reckoning, therefore, the "two week opportunity for [the] UK to reduce [the] threat from a powerful computer attack" can be considered well and truly over.

But - it turns out - I'm wrong.

On Friday, the NCA snuck out a new press release, saying that British computer users have been granted some extra time to take action and remove the Gameover Zeus malware from their PCs.

It hasn't received anything like the press attention that the NCA's initial release did.

NCA deadline extended

On Monday 2 June, the NCA announced that an international operation had temporarily weakened the global network of infected computers, providing a particularly strong two-week opportunity for members of the public to rid themselves of the malware and help prevent future infection.

By updating security software, running system scans to detect and clear infections, and checking that computer operating systems are up to date, individuals and businesses can take advantage of the criminal network’s relative weakness. The NCA strongly recommends taking these steps as soon as possible before midnight on Tuesday 17 June.

GameOver Zeus (also known as GOZeuS or P2PZeuS) is an extremely sophisticated incarnation of the familiar Zeus Trojan horse. It uses peer-to-peer (P2P) technology to hide its infrastructure, in an attempt to make it harder for law enforcement and security vendors to shut it down.

But, two weeks ago, the authorities - working with ISPs and members of the computer security industry - seized control of a large amount of the internet infrastructure being used by the GameOver Zeus and CryptoLocker threats.

What's odd is that the NCA's take on the whole thing was to send out a somewhat scary press release telling British computer users that they had best take action now to clean-up their computers if they were affected, whereas the FBI's announcement conveys no urgency whatsoever for the American public to do anything.

In fact, the NCA did such a good job of frightening the bejeezus out of Brits, sending thousands and thousands of people scurrying for information about what action they should take, that they managed to bring down the government-backed Get Safe Online website.

GetSafeOnline

The NCA hasn't made that mistake this time, posting information for the public on a variety of sites including CyberStreetwise, GetSafeOnline and CERT.

Furthermore, this latest NCA press release (just like the first) offers no explanation of why the British public (and seemingly not the rest of the world affected by this global botnet) have such a strict deadline to take action.

GameOver Zeus / CryptoLocker infections

Is it that the authorities can only disrupt the botnet's infrastructure for so long before it grabs back control over the infected PCs, or have the courts only allowed the computer crime cops a limited time to re-direct victims' PCs away from criminal servers and in the direction of servers controlled by the good guys instead?

GoZeus and the policeMy hunch is the latter, but it doesn't really explain the different approaches taken by the FBI and the British National Crime Agency.

It would be terribly interesting to know what's really going on. After all, more details might actually stir more people into taking the required action.

Unfortunately, if your computer has been compromised by GameOver Zeus you won’t be able to tell with the naked eye. You need good security software to clean-up your infection, and remove affected computers from the internet until they are safe to reconnect.

At the time of its first alert, the NCA said that internet service providers would be contacting users whose computers were believed to have been compromised.

There's no word of that in the latest press release, and I haven't actually heard of anyone who has been notified by their ISP of a potential infection by GameOver Zeus. Nonetheless, it sounds like that would be very useful if that has happened.

One wonders if more details will emerge after midnight on Tuesday.

Tags: , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , ,

No comments yet.

Leave a Reply