
How to clean Gameover ZeuS during two-week window

Written by James Delahunty @ 03 Jun 2014 8:23

The UK's National Crime Agency has said that there is a two-week window of opportunity to clean as many Gameover ZeuS infections as possible before the cybercriminals may regain control of the botnet.
As we reported yesterday, a U.S./FBI-led international effort significantly disrupted the operation of the Gameover ZeuS botnet, which uses peer-to-peer communications and encryption to distribute commands from its administrators across the network and to send sensitive financial information harvested from victims' browsing activity back to the bot herders.

This malicious network may have already cost consumers and businesses over $100 million, and for those victims who have not used financial services while infected, the Cryptolocker ransomware may have been installed in order to extort money by encrypting personal files until a fee is paid.

You can read about how the Feds and their international equivalents worked with private companies to disrupt the botnet here.

How to avoid infection & remove GOZeuS

Trojan.Zbot spreads primarily through rogue e-mail attachments which, when opened, download the malicious software and infect the computer, making it part of a wider botnet that is up to 1 million PCs strong. Avoiding infection simply requires vigilance when going through e-mail.

For those already infected, some regular anti-virus products may not help, as more recent variants use a low-level driver component (a rootkit) that makes detection difficult. It is therefore necessary to use a more targeted removal tool alongside regular A/V tools to clean up this mess.

We recommend using the Trojan.Zbot Removal Tool from Symantec (a.k.a. the Necurs Driver Removal Tool), which can remove the Necurs rootkit that Gameover ZeuS uses to protect itself. The fix tool is available for both 32-bit and 64-bit Windows PCs. (Here's how to tell if your Windows is 32-bit or 64-bit.)

Symantec Trojan.Zbot Removal Tool (32-bit): https://www.afterdawn.com/software/security/misc_security_tools/trojan_zbot_removal_tool.cfm

Symantec Trojan.Zbot Removal Tool (64-bit): https://www.afterdawn.com/software/security/misc_security_tools/trojan_zbot_removal_tool_64-bit.cfm


NOTE: This tool does not bring back files encrypted by Cryptolocker.

Download the tool for the appropriate operating system type, then remember that you must run it with Administrator privileges (right-click -> Run as Administrator). Close everything else you are using. If you are running Windows XP, you should also disable System Restore temporarily (Control Panel -> System -> System Restore tab). The first thing you need to do is accept the license agreement, after which you reach the main UI of the removal tool.


Eventually the tool will prompt you to restart your computer, and it may do this multiple times depending on your circumstances. After a reboot, run the tool again to clean threat artifacts. When the tool is done, it will prompt you to check a logfile that it created and ask you if you wish to run Norton Power Eraser for additional clean-up.

Both are optional at this point, but you should definitely run some kind of anti-virus tool after this process for additional cleanup. The logfile created by the tool is titled "Fixtool.log", and it looks something like this.
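As an added example (not code from the article or from Symantec), this PowerShell helper encodes the pre-flight checks described above before launching the removal tool, then reports on the Fixtool.log it leaves behind. The executable names, the download folder and the assumption that the log is written beside the tool are all assumptions, as is PowerShell 3 or later.

```powershell
param(
    # Assumed: where you saved the 32-bit and 64-bit downloads from the links above.
    [string]$Tool32 = "$env:USERPROFILE\Downloads\FixNecurs.exe",
    [string]$Tool64 = "$env:USERPROFILE\Downloads\FixNecurs64bit.exe"
)

# 1. The tool must run with Administrator privileges; refuse to continue otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Re-run this script from an elevated (Run as Administrator) PowerShell."
}

# 2. Pick the build that matches the OS bitness (32-bit vs 64-bit download).
$tool = if ([Environment]::Is64BitOperatingSystem) { $Tool64 } else { $Tool32 }
if (-not (Test-Path $tool)) { throw "Removal tool not found at $tool" }

# 3. On Windows XP (NT major version below 6) the article recommends temporarily
#    disabling System Restore first; the script only reminds the operator.
if ([Environment]::OSVersion.Version.Major -lt 6) {
    Write-Warning "Windows XP detected: disable System Restore first (Control Panel -> System -> System Restore)."
}

# 4. Launch the tool and wait for it; it shows the license prompt and may ask
#    for one or more reboots, after which the article says to run it again.
$proc = Start-Process -FilePath $tool -Wait -PassThru
Write-Host "Removal tool exited with code $($proc.ExitCode)"

# 5. Summarise the log. Location next to the tool is an assumption; the tool
#    itself tells you where it wrote the log when it finishes.
$log = Join-Path (Split-Path -Parent $tool) "Fixtool.log"
if (-not (Test-Path $log)) {
    Write-Warning "No Fixtool.log found beside the tool; check the path the tool reported."
} elseif ((Get-Item $log).Length -eq 0) {
    Write-Host "Fixtool.log exists but is empty: nothing was written on this run."
} else {
    Write-Host "Fixtool.log contents:"
    Get-Content $log
}
```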


NOTE: For those who would prefer to run from command-line, check this article at symantec.com.

Plenty of options for anti-virus tools to install and run after this process is complete are available from www.afterdawn.com/software/security/antivirus/, including plenty of free options.

There are also plenty of other removal tools that target this specific rootkit and malware if this one does not appear to have worked.


Sources and Recommended Reading:
Two-week opportunity for UK to reduce threat from powerful computer attack: www.nationalcrimeagency.gov.uk
Log picture & software source: www.symantec.com


10 user comments

Comment 1 (3.6.2014 11:34)

I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Comment 2 (3.6.2014 12:13)

Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.

Comment 3 (3.6.2014 13:27)

not even a system restore to before that problem started?

Comment 4 (3.6.2014 13:55)

Originally posted by ddp:
not even a system restore to before that problem started?

Cryptolocker wouldn't be affected by System Restore because it literally encrypts your personal files in the background, so a System Restore cannot undo that.

Where System Restore can help is when people get scammed by a cold caller who enables encryption of the SAM hive in Windows. In that case, you can usually restore a SAM hive from a recent snapshot, or even from the original hives if they are still on the drive after Windows' initial setup. But in that case it's simply a Windows feature (SYSKEY) that has been activated, and once it has been it shouldn't be reversible... but of course if you can get recent registry hives from before it was enabled, then you should be able to fix it.

As for the rootkit itself, rootkits have evolved well beyond the point of beating System Restore for quite some time, so I'd be surprised if that worked. But System Restore can't do anything about a bootkit, for example, as System Restore doesn't affect the MBR, right?

Comment 5 (3.6.2014 20:44)

When I format my machine and didn't save some file for one reason or another, I use TestDisk (a command-line forensic tool).

I guess this tool can do the trick if the files are lost inside your machine, and you want a "quick" recovery by date.

P.S.
It works on deleted data from SD cards, smartphones, etc. too.

http://www.cgsecurity.org/wiki/TestDisk_Download

Tutorial:
http://www.youtube.com/watch?v=jhWbSM-630E


Comment 6 (3.6.2014 21:10)

I've used Easy Recovery Professional 6 a number of times to recover data for various reasons, like a missing password for an account before reloading Windows.

Comment 7 (3.6.2014 21:18)

Originally posted by Dela:
Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.

Fair enough. And I suppose too one only runs Combofix when they know they have a problem.

With Cryptolocker they ask for a money transfer (not CC or bank details) right?



Comment 8 (3.6.2014 21:30)

Originally posted by Jemborg:
Originally posted by Dela:
Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.

Fair enough. And I suppose too one only runs Combofix when they know they have a problem.

With Cryptolocker they ask for a money transfer (not CC or bank details) right?



Yeah, typically one bitcoin, which at the moment is over $600 to acquire. Cryptolocker can be delivered to a PC on the Gameover ZeuS botnet if that PC has failed to provide any other means of fraud. So basically, if your details / money aren't stolen directly, Cryptolocker can be used to extort money from you.

Comment 9 (4.6.2014 03:12)

Freaking parasites. Scum.

Useful info. I'll pass it on. Surprised it's not all over the news.

(Been hacked in the past... got our money back. Glad we do all our banking and financial transactions on Puppy now. Deliberately use a CC card with the lowest credit amount too. (I realise it's not protection from extortionware.))



Comment 10 (18.6.2014 01:23)

Better late than never. :)

I ran this program from my desktop and a txt file immediately appeared there (also) titled FixNecurs64bit. I could not find a file on my drive labelled Fixtool.log anywhere.

I assume that is the logfile referred to above.

The txt file was utterly blank, neither confirming nor denying any infection. Which I suppose was a good thing.

I don't mean to be a pedant but could someone confirm that I've made the correct assumptions here and that things are ok?

Cheers in advance, much obliged.

