Spyware and Viruses

GameOver Zeus

GameOver Zeus (aka P2PZeuS) was designed by Russia and Ukrainian criminals to access financial information stored on your computer and to capture the credentials you use to enter online banking or shopping sites.

The malware works by creating a botnet, a network of computers, which spreads the viruses and transfers banking information back to the criminals. This information is then used to initiate or hijack electronic money transfers and direct money into the criminals’ own bank accounts.

Up to a million machines worldwide are thought to have been infected with GameOver Zeus. The FBI believes that GameOver Zeus has been responsible for $100 million in losses so far, while Europol puts the figure of stolen cash at €75 million.

If the GameOver Zeus malware doesn’t find any financial information on your PC, it will install CryptoLocker, a form of ransomware. This locks your computer’s hard drive, preventing access to everything you have stored on it. The software demands a ransom to unlock the drive.

Almost 250,000 computers worldwide have been infected with CryptoLocker since it first emerged. According to researchers in the University of Kent in England, up to 40 percent of CryptoLocker’s victims end up paying the ransom. The FBI estimates that $27m in ransom was paid in the first two months after this virus became active.

Of course, paying the ransom will not unlock your computer. How you can get rid of CryptoLocker (aka the Ukash or, in Ireland, Gárda Síochána virus) and unlock your computer was discussed in a previous article in this series

How you get infected with GameOver Zeus

GameOver is spread in the same way as most malware-via phishing emails that look as if they come from trusted sources. The emails contain attachments that store the malware, or links to a website which searches your system for vulnerabilities before installing the malware.

How GameOver Zeus works

If you computer is infected, GameOver Zeus will monitor your web browsing sessions. When you access banking, online shopping or other commercially sensitive websites, it will inject rogue code into your browser so it can collect financially sensitive information such as access codes and PINs.

The websites it targets are determined by the regular-expression-based rules contained in the malware’s configuration file.

For example, to steal login credentials for an Amazon online shop, GameOver Zeus monitors the URLs you access to see if they match the following type of expression: http.*?://.*?amazon..*?/.*?, which is known as a regular expression. Once it has found an URL that includes the word ‘amazon’, the malware will inject the rogue code into your browser.

This regular expression, however, matches not just the URLs for Amazon’s websites, but also any other URL that contains the word ‘amazon’. This matching anomaly allows your online computer maintenance company to trick the virus into revealing its presence in your browser.

How GameOver can be detected

To find out whether your browser has been infected with GameOver Zeus, you need to go to an online maintenance website.

The maintenance team will have set up a special test page that includes the sort of code found in online banking or shopping. Open that page. The page will perform a check on itself to detect whether the code for GameOver was added when you opened the page.

It does so by searching for the string ‘LoadInjectScript’. If the string is found on the page, it means that GameOver Zeus has infected your browser and has to be removed.

The test is not perfect because the malware doesn’t support 64-bit browsers. This means that the test only works for 32-bit versions of Internet Explorer, Mozilla Firefox and Google Chrome, which are still the most common versions of these browsers.

However your online computer maintenance provider should also have an online scanner that can detect and remove GameOver Zeus.

Rather than having to remove the virus, it would be better to prevent it from getting into your computer in the first place.

How to protect yourself from GameOver Zeus

There are plenty of things you can do to protect yourself from the GameOver virus or indeed any virus.

Protect your passwords

Unencrypted passwords should not be stored on your computer lest they are found by GameOver Zeus or another malware programme.

There’s nothing wrong with using an old-fashioned pen and a slip of paper to keep your passwords in your wallet. You can also enter them in a disguised form as a draft text message which you save in your mobile phone.

Just remember to keep a second copy in a safe place.

Change your passwords regularly

Your original passwords may have been compromised by GameOver Zeus and CryptoLocker, or indeed any other malware. If so, they can be used to harvest important information you store in your computer.

So changing your passwords on a regular basis is only common sense.

Don’t use an administrator account to access the internet

You should set up your computer so you have two separate accounts on your PC-one an ‘administrator’ account, the other a user account.

The ‘administrator’ account would give you access to the entire system in your computer and would enable you to make changes such as installing software or adding a peripheral such as a printer.

The activities undertaken through the user account should be restricted so it can only be used for everyday activities such as creating or amending files, sending email or browsing the internet.

You can then protect yourself from 90 percent of malware attacks by not using the administrator account for accessing the internet.

Keep your anti-virus software up to date

It is only common sense to ensure that you have reliable anti-virus software installed and that it is up-to-date. But you need to use it-by running regular scans, at least once a week.

You also need to ensure that your operating system and applications are up to date.

Microsoft users can do this by using the ‘Check for Updates’ function in Windows Update, while Mac users can go to ‘Software Update’ on the System Preferences menu.

Don’t open suspicious emails

Do not open email attachments unless you are certain they are authentic.

Be highly suspicious of the following kinds of emails:

  • Messages from people you don’t know.
  • A message containing misspellings designed to fool spam filters (eg, a zero instead of the letter ‘o’).
  • A message with an offer that seems too good to be true.
  • An email in which the subject line and contents do not match.
  • A message containing an urgent offer end date (eg, ‘Buy now and get 50% off’).
  • An email with a request to forward an email to other people, especially if it offers money for doing so.
  • A message warning about a virus.
  • Emails with attachments that include.exe files.

Back up your files

All of your files, such as documents and photos, should be regularly saved to an external piece of hardware, for example, an external hard drive, CD or DVD, or a USB stick.

This means your files will not be lost if your computer is attacked or breaks down, and you have to reinstall the operating system.

Remove viruses as soon as you discover them

You should use your anti-virus software to delete or quarantine viruses as soon as you discover them. Don’t learn to ‘live-with-them’.