How to clean Gameover ZeuS during two-week window
The following comments relate to this news article:

How to clean Gameover ZeuS during two-week window

article published on 3 June, 2014

The UK's National Crime Agency has said that there is a two-week window of opportunity to clean as many Gameover ZeuS infections as possible before cybercriminals may regain control of the botnet. As we reported yesterday, a U.S./FBI-led international effort significantly disrupted the operation of the Gameover ZeuS botnet, which uses peer-to-peer communications and encryption to send ...

Senior Member (Jemborg), 3. June 2014 @ 11:34
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

It's a lot easier being righteous than right.

DSE VZ300-
Zilog Z80 CPU, 32KB RAM (16K+16K cartridge), video processor 6847, 2KB video RAM, 16 colours (text mode), 5.25" FDD
Staff Member (Dela), 3. June 2014 @ 12:13
Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.
ddp, Moderator, 3. June 2014 @ 13:27
Not even a system restore to before that problem started?
Staff Member (Dela), 3. June 2014 @ 13:55
Originally posted by ddp:
not even a system restore to before that problem started?

Cryptolocker wouldn't be affected by System Restore because it literally encrypts your personal files in the background, so a system restore cannot undo that.

Where System Restore can help is when people get scammed by a cold caller who enables encryption of the SAM hive in Windows. In that case, you can usually restore a SAM hive from a recent snapshot, or even from the original hives if they are still on the drive after Windows' initial setup. But in that case it's simply a Windows feature (SYSKEY) that has been activated, and once it has been, it shouldn't be reversible. But of course, if you can get recent registry hives from before it was enabled, then you should be able to fix it.

As for the rootkit itself, rootkits have evolved well beyond the point of beating system restore for quite some time so I'd be surprised if that worked. But system restore can't do anything about a bootkit for example, as system restore doesn't affect the MBR right?
Senior Member, 3. June 2014 @ 20:44
When I've formatted my machine and didn't save some file for one reason or another, I use Test-Disk (a command-line forensic tool).

I guess this tool can do the trick if the files are lost inside your machine, and you want a "quick" recovery by date.

P.S.
It works on deleted data on SD cards, smartphones, etc. too.

http://www.cgsecurity.org/wiki/TestDisk_Download

Tutorial:
http://www.youtube.com/watch?v=jhWbSM-630E

Live Free or Die.
The rule above all the rules is: Survive !
Capitalism: Funnel most of the $$$ to the already rich.

ddp, Moderator, 3. June 2014 @ 21:10
I've used Easy Recovery Professional 6 a number of times to recover data for various reasons, like a missing password for an account before reloading Windows.
Senior Member (Jemborg), 3. June 2014 @ 21:18
Originally posted by Dela:
Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.
Fair enough. And I suppose too one only runs Combofix when they know they have a problem.

With Cryptolocker they ask for a money transfer (not CC or bank details) right?
Staff Member, 3. June 2014 @ 21:30
Originally posted by Jemborg:
Originally posted by Dela:
Originally posted by Jemborg:
I would have thought that the latest combofix from bleepingcomputer.com would probably get it too.

I've also seen it rescue files that have been locked up by some sort of ransom-ware, which seemed miraculous at the time. I can't say that would apply to Cryptolocker necessarily.

Combofix might get it but combofix does a LOT more to the system than just target a single rootkit, so I wouldn't suggest running Combofix when there's more targeted tools.

As for the ransomware, unfortunately Cryptolocker-encrypted contents can't be decrypted yet. Only way to get your stuff back is pay the ransom right now.
Fair enough. And I suppose too one only runs Combofix when they know they have a problem.

With Cryptolocker they ask for a money transfer (not CC or bank details) right?

Yeah, typically one bitcoin, which at the moment costs over $600 to acquire. Cryptolocker can be delivered to a PC on the Gameover ZeuS botnet if that PC has failed to provide any other means of fraud. So basically, if your details / money aren't stolen directly, Cryptolocker can be used to extort money from you.
Senior Member (Jemborg), 4. June 2014 @ 03:12
Freaking parasites. Scum.

Useful info. I'll pass it on. Surprised it's not all over the news.

(Been hacked in the past... got our money back. Glad we do all our banking and financial transactions on Puppy now. Deliberately use a CC card with the lowest credit amount too. (I realise it's not protection from extortionware.))
Senior Member (Jemborg), 18. June 2014 @ 01:23
Better late than never. :)

I ran this program from my desktop and a txt file immediately appeared there (also) titled FixNecurs64bit. I could not find a file on my drive labelled Fixtool.log anywhere.

I assume that is the logfile referred to above.

The txt file was utterly blank. Neither confirming or denying any infection. Which I suppose was a good thing.

I don't mean to be a pedant but could someone confirm that I've made the correct assumptions here and that things are ok?

Cheers in advance, much obliged.