'Two weeks' to block cyber-attack
Old 02-06-2014, 16:57   #1
Hugh

BBC

Quote:
People have "two weeks" to protect themselves from a "powerful computer attack", the UK's National Crime Agency (NCA) has warned.

Users are being told to take "immediate" action to protect their computers after US authorities seized a major criminal network.

The FBI, working with the NCA, has taken control of a botnet used to steal personal and financial data.

More than 15,000 machines in the UK are thought to have been infected to date.

Internet service providers (ISPs) will be contacting customers known to have been affected by either letter or email. The first notices were sent out on Monday, the BBC understands.

The action related to a strain of malware - meaning malicious software - known as Gameover Zeus. Its alternative names include GOZeus and P2PZeus.
Old 02-06-2014, 21:42   #2
qasdfdsaq

So the botnet is under control of the FBI, so we have two weeks to prepare for an attack? Are the FBI going to attack us?!

I'm confused.
Old 02-06-2014, 21:45   #3
Qtx

The authorities can take over C&Cs but are not that great at doing much beyond that. They could send updates to the zombies that made the infection inert, but they would need to know the right keys, and Zeus uses encryption which is different per Zeus customer.

The Gameover variant of Zeus can update over peer-to-peer so it doesn't really need the domains and control centre boxes. They need to take down the infection methods or the botnet will still grow. The Cutwail spam botnet and servers with Magnitude exploit kits are still adding more zombies to the Gameover botnet every day.

Malware writers are winning the technical game but they can't code around arrest warrants...
Old 02-06-2014, 23:34   #4
qasdfdsaq

Quote:
Originally Posted by Qtx View Post
Malware writers are winning the technical game but they can't code around arrest warrants...
Sure they can, write the code to point the finger elsewhere so someone else gets arrested :P
Old 03-06-2014, 00:16   #5
Ignitionnet

What happens in two weeks?
Old 03-06-2014, 01:06   #6
Paul

Somebody gets attacked, I think, but I'm not really very clear on who.
Old 03-06-2014, 06:26   #7
Toto

Quote:
Originally Posted by Ignitionnet View Post
What happens in two weeks?
The two weeks is an estimate as to how long it will take the malware writers to regain control of their command and control systems and start re-infecting. Some are claiming it could be a few days not two weeks, they don't really know.

The current cut-off is allowing authorities to understand the level of infection, and get ISPs to make contact with affected customers, hopefully giving those infected a chance to get their systems cleaned.

Two weeks as a conservative estimate is not enough time though, but at least the issue is getting media coverage.

Full NCA article here.
Old 03-06-2014, 10:50   #8
tizmeinnit

I also find it strange how there does not appear to be any direct link to anything that tells users how to detect and get rid of this. I've not fully read the article, but all I can see is that it says to look for Get Safe Online on Facebook and Google+.


Anyway, Get Safe Online links to these tools: http://www.symantec.com/security_res...052915-1402-99

http://www.f-secure.com/en/web/home_...online-scanner

and a few others
Old 03-06-2014, 12:06   #9
Ignitionnet

Right, I think I get the idea: they've probably done a takeover in a similar manner to how Torpig was taken over, except given it's law enforcement they seized the domains the botnet was chatting to rather than spotting a window in the malware where domains weren't registered.

I look forward to reading the reports. Usually there's the malware itself, the bot, and a downloader. When Torpig was taken over they managed to take over the botnet however the downloader was still under the control of the miscreants who pushed a new version of the malware with updated domains.

If they don't have control of both the botnet C+C and the downloader C+C this may be a rather short 2 weeks but that's probably where the 2 weeks comes from, the period before the botnet moves onto a different domain that the authorities don't have control over.
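The two posts above (Qtx's point that the peer-to-peer layer and continuing infections make a domain seizure insufficient, and Ignitionnet's Torpig comparison about a downloader channel the authorities did not hold) describe why sinkholing buys only a window. The Python below is an added example, not code from the thread, from the NCA or from any real bot: it uses an invented date-seeded domain-generation algorithm with made-up seed and TLD values, and a parameter standing in for a second update channel the defenders do not control, to show how long a bot stays sinkholed under each assumption.

```python
"""Toy model of a DGA sinkhole and the 'two weeks' window it buys.

Added example. The domain-generation algorithm, seeds, TLDs and day counts
are invented for illustration; they are not those of Gameover Zeus, Torpig
or any real malware. The model shows the mechanics the thread describes:
defenders who seize or pre-register the domains a bot will compute keep it
sinkholed until that range runs out, or until a channel they do not hold
(a P2P layer, a separate downloader C&C) pushes a new configuration.
"""
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Set

SEED = b"example-seed"          # assumed per-botnet constant baked into the bot
NEW_SEED = b"rotated-seed"      # assumed seed the attackers push over the second channel
TLDS = ("com", "net", "biz")    # assumed
DOMAINS_PER_DAY = 3
TAKEDOWN = date(2014, 6, 2)     # start day for the simulation (date of the news item)


def dga(day: date, seed: bytes = SEED, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Deterministic domain list for one day.

    The list depends only on (seed, date), so a defender who has reversed the
    algorithm can compute tomorrow's names today and register them first.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{TLDS[i % len(TLDS)]}")
    return names


def build_sinkhole(start: date, seized_days: int, seed: bytes = SEED) -> Set[str]:
    """Every domain the bot will compute over the seized range under the known seed."""
    return {
        name
        for offset in range(seized_days)
        for name in dga(start + timedelta(days=offset), seed)
    }


def days_sinkholed(start: date, seized_days: int, update_day: Optional[int] = None) -> int:
    """Simulate a bot from `start` and return how many days it stays sinkholed.

    update_day: day offset on which an uncontrolled channel rotates the bot's
    seed; None means the defenders hold every channel the bot has. The bot
    escapes on the first day any candidate domain is not one the defenders hold.
    """
    sinkhole = build_sinkhole(start, seized_days)
    seed = SEED
    for offset in range(seized_days + 1):      # look one day past the seized range
        if update_day is not None and offset >= update_day:
            seed = NEW_SEED                    # new config arrived via P2P / downloader
        candidates = dga(start + timedelta(days=offset), seed)
        if any(name not in sinkhole for name in candidates):
            return offset
    return seized_days


if __name__ == "__main__":
    print("day-1 domains:", dga(TAKEDOWN))
    print("all channels held, 14 days of domains seized:", days_sinkholed(TAKEDOWN, 14))
    print("downloader pushes new seed on day 3:", days_sinkholed(TAKEDOWN, 14, update_day=3))
```

With every channel under the defenders' control the bot stays quiet for exactly as many days as were registered ahead; with an uncontrolled downloader or P2P update on day 3, the fourteen-day window collapses to three, which is the point both posters make about the estimate.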
Old 03-06-2014, 12:55   #10
qasdfdsaq

So rather than two weeks to "block a powerful computer attack" what they really mean is things will be quiet for 2 weeks and then it'll be back to business as usual.

Rather exaggerated and sensationalist if you ask me...
Old 03-06-2014, 13:38   #11
Toto

Quote:
Originally Posted by qasdfdsaq View Post
So rather than two weeks to "block a powerful computer attack" what they really mean is things will be quiet for 2 weeks and then it'll be back to business as usual.

Rather exaggerated and sensationalist if you ask me...
Agreed.

BBC rolled out Graham Clueless earlier today, I really don't know why they give that man airtime. Anyway, essentially the advice is that during this small window of opportunity all Windows users should patch their O/S and run an up-to-date anti virus scan.

McAfee's Stinger application has been engineered to detect these particular malware types, although folks who already have their important files encrypted by cryptolocker will only be able to remove the malware, not recover their files.
Old 03-06-2014, 14:11   #12
Ignitionnet

Quote:
Originally Posted by Toto View Post
Agreed.

BBC rolled out Graham Clueless earlier today, I really don't know why they give that man airtime. Anyway, essentially the advice is that during this small window of opportunity all Windows users should patch their O/S and run an up-to-date anti virus scan.
Nice placebo there.

30 days after release AV detects ~60% of new malware and variants.

If you already have this you're hosed so patching is an exercise in futility not least because the infection vectors tend to be dodgy plugins rather than the OS itself.

I really do regret that malware course at times like these. It's made me so cynical.
Old 03-06-2014, 14:50   #13
Anonymouse

Ooh, things like this really get my goat! Once again, governments etc. are solving the wrong problem. Once again we have a story about hacking being reported, and once again, there is not one word about the real cause - namely people browsing the Internet with administrator accounts because the poor sods usually don't know any better!

I've never heard of a PC shop or store which takes the trouble to explain the difference between admin and user accounts, or why it's important. Yet browsing via a user account will stop all but the most sophisticated attacks in their tracks, because Windows itself simply won't let the scumware install in the first place.

Whenever I have someone asking me about a new PC, I always, always tell them to create one admin account and as many user accounts as they need, explaining why as simply as necessary. The best analogy is that it's the difference between having a ticket to a rock concert and having a backstage pass.

It's simple. DO NOT BROWSE USING AN ADMINISTRATOR ACCOUNT UNLESS YOU *KNOW* THE SITE IS SECURE AND/OR CLEAN. EVER.

If you need to install something you've downloaded, the safest way is to: download it via the user account; switch to the admin account; disable internet access unless the installation needs to be verified online or whatever; install the software; then log back onto your user account. As long as you keep firewall and antiviral software updated, your PC will be as secure as it can be without disconnecting it from the Internet altogether. Putting it behind a router is even better, as it adds hardware protection. Administrator accounts should be used only for installing software and making changes to system policies, not browsing.

And don't forget to secure your wireless networks, peeps!

Had Microsoft not elected to treat its users like know-nothing idiots and explained about admin and user accounts in the user manuals when the NT-based versions of Windows first came out, I suspect the global virus problem would be nowhere near as bad as it is. These damn botnets might never have had a chance to establish in the first place.

On the other hand, hindsight is of course as perfect as it is useless.
Old 03-06-2014, 15:44   #14
qasdfdsaq

Quote:
Originally Posted by Anonymouse View Post
Whenever I have someone asking me about a new PC, I always, always tell them to create one admin account and as many user accounts as they need, explaining why as simply as necessary. The best analogy is that it's the difference between having a ticket to a rock concert and having a backstage pass.

It's simple. DO NOT BROWSE USING AN ADMINISTRATOR ACCOUNT UNLESS YOU *KNOW* THE SITE IS SECURE AND/OR CLEAN. EVER.
Totally superfluous advice.

Logging in under an "administrator account" does not mean any program you run is given administrator privileges. All current versions of Windows explicitly prompt the user to allow an application administrative access, and unless the user actually allows it all applications ARE run as a non-administrative user account.

All that changing to a user account does is change the privilege escalation dialog to require a user type their password instead of clicking OK. It makes no sodding difference in the grand scheme of things. If a user erroneously clicks "Allow" when they shouldn't they're going to type their password and click "Allow" under the same circumstances.

Your analogy is also totally incorrect. The real equivalent is the difference between having a backstage pass and having a backstage pass. Only in the latter the doorman asks to check your ID against your pass when you go backstage instead of checking your ID at the door.
Old 03-06-2014, 18:57   #15
Qtx

Quote:
Originally Posted by heero_yuy View Post
This vulnerability is spread as so many others by a malicious e-mail attach.
It uses email attachments from a spamming botnet but also uses drive by downloads using the Magnitude exploit kit. So you can get infected just by visiting a site too.


Quote:
Originally Posted by Ignitionnet View Post
30 days after release AV detects ~60% of new malware and variants.

<snip>

I really do regret that malware course at times like these. It's made me so cynical.
Yet people think you have a screw loose when you tell them AV is far from foolproof and easy to bypass....