Warning: How to Protect Yourself From GOZeuS

June 03, 2014
by Anthony Tempest

You have two weeks to prepare before GOZeuS steals your personal and bank details.

It’s a strong statement to make, but that’s the severity of the situation.

A warning has been issued by the National Crime Agency (NCA) over the GOZeuS and CryptoLocker malware, which is designed to infect PCs and search them for confidential data, such as bank details. Different strains of GOZeuS can also install another piece of malware – CryptoLocker – which encrypts your whole hard drive and demands a fee in order to obtain the decryption key. If you don’t pay, your data is irretrievable.

It’s very likely that you’ve received a spam email that looks suspicious. Whether it’s the terrible spelling and grammar, or the strange attachment that you had no intention of clicking, you know it’s trouble. The problem with GOZeuS is that it comes from a known contact, who has also been infected by GOZeuS. This naturally increases the chance of someone opening an attachment, even if it does seem strange. Once the file has been downloaded, it executes and connects the infected PC to a botnet (a network of computers infected with malware and controlled as a group without the owners’ consent). The malware then sits in the background silently, waiting for an opportunity to capture any private data, including banking data. This information is transmitted back to the botnet infrastructure, where the criminals in control can access it.

If that isn’t sinister enough, a second attempt is waiting if the first doesn’t work. CryptoLocker, again working in the background, encrypts users’ files and then presents the user with a pop-up announcing what has happened. The criminals then demand a payment of one Bitcoin, which is approximately £393 as of the time of this post. If you don’t pay, you don’t receive the decryption key, and that means your data is permanently locked. Not an ideal situation by any stretch of the imagination.

The GOZeuS control mechanism is a peer-to-peer network. Each infected peer acts as part of the network, distributing stolen information and updates. This model increases the resiliency of the GOZeuS infrastructure, making it difficult for law enforcement to take it down.

According to the NCA, action alongside the FBI has enabled the takedown of the GOZeuS botnet infrastructure, which effectively has overarching control of the infected machines. With this infrastructure disabled, end users have an opportunity to ensure they’re not infected and to increase their protection. However, this window of opportunity will only last as long as it takes for the operators of the botnet to migrate their servers and start the operation all over again.

The steps to take as advised by Get Safe Online are:

1. Do not open email attachments unless you’re absolutely sure that they’re authentic.

2. Install security software ensuring it is always updated and switched on at all times.

3. Ensure your Windows operating system is up to date.

4. Ensure all software you have installed on your machine is up to date.

5. Back up all of your important files to somewhere other than your computer, so that if they do get encrypted, you have them stored safely elsewhere.

6. Do not store passwords on your computer. GOZeuS actively searches your computer for confidential information, including passwords and banking details.
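Step 1 is the one most people get wrong, because the lure arrives from a contact they trust. As an added example (not code from the original post, the NCA or Get Safe Online), the following Python script shows how a defender can triage attachments before anyone opens them: it parses a message, flags executable file types, double extensions such as `.pdf.exe`, archives that wrap an executable, and files whose bytes carry the Windows executable (`MZ`) header regardless of their name. The sample message, sender addresses and the fake `statement.zip` are constructed here for illustration and are not real GOZeuS samples.

```python
"""Attachment triage for phishing lures: flag executables, double extensions,
executables hidden in zip archives, and MZ-headed files with innocent names.
Added example; the sample message below is constructed, not a real lure."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jar"}


def suspicious_name(filename):
    """Return a reason string if the name looks like an executable or a
    double-extension disguise (invoice.pdf.exe); otherwise return None."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTS:
        return None
    if len(parts) > 2:
        return f"double extension hides executable: {filename}"
    return f"executable attachment: {filename}"


def triage_attachment(filename, data):
    """Return a list of reasons this attachment is suspicious (empty if none)."""
    reasons = []
    name_reason = suspicious_name(filename)
    if name_reason:
        reasons.append(name_reason)
    # Windows executables (PE files) start with the two-byte DOS header "MZ",
    # whatever extension the attacker gave the file.
    if data[:2] == b"MZ":
        reasons.append(f"{filename} has a Windows executable (MZ) header")
    # Look inside zip archives: a common trick is to wrap the executable so a
    # naive extension filter only sees ".zip".
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    inner = suspicious_name(member)
                    if inner:
                        reasons.append(f"archive {filename} contains: {inner}")
                    with zf.open(member) as fh:
                        if fh.read(2) == b"MZ":
                            reasons.append(f"archive member {member} has an MZ header")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} is not a valid zip archive")
    return reasons


def triage_message(raw_bytes):
    """Parse a raw RFC 5322 message and return {attachment name: [reasons]}
    for every attachment that triggered at least one check."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        reasons = triage_attachment(fname, data)
        if reasons:
            findings[fname] = reasons
    return findings


def build_sample():
    """Constructed sample: a 'statement' from a known contact carrying a zip
    that wraps a fake PE named statement.pdf.exe, plus a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"   # placeholder sender
    msg["To"] = "you@example.com"           # placeholder recipient
    msg["Subject"] = "Your statement"
    msg.set_content("Please see attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake PE stub: only the MZ header bytes, not a real executable.
        zf.writestr("statement.pdf.exe", b"MZ" + b"\x00" * 30)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="statement.zip")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample()).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Run as-is, the script flags `statement.zip` twice (double extension and MZ header inside the archive) and leaves `notes.txt` alone. In practice you would feed it the raw `.eml` from a mail gateway or quarantine folder; the name and header checks are deliberately independent so that a renamed executable is still caught even when the extension looks harmless.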

Please read the advice from Get Safe Online. Their article contains more information and tips to secure your computer, including tools to check if you’ve been infected. If you haven’t already followed these steps then it is strongly recommended that you do it now, before it’s too late.