Last week, the Justice Department and FBI announced they had thrown a monkey wrench into the GameOver Zeus botnet. A multinational effort that involved Europol, government organizations, researchers, and many private companies (including, notably, Microsoft and several antimalware firms), the combined technical and legal action known as "Operation Tovar" effectively cut off the P2P command-and-control system that kept GOZ running.
It isn't a full takedown -- the infected machines still form a P2P network, and the operators could regain control of it at some point -- but there's a window of opportunity to identify infected computers and clean them up now. How long that window will last, nobody knows.
Brian Krebs led with details on the "Operation Tovar" dismantling effort last week. According to Krebs:
Unlike ZeuS -- which was sold as a botnet creation kit to anyone who had a few thousand dollars in virtual currency to spend -- Gameover ZeuS has since October 2011 been controlled and maintained by a core group of hackers from Russia and Ukraine. Those individuals are believed to have used the botnet in high-dollar corporate account takeovers that frequently were punctuated by massive distributed-denial-of-service (DDoS) attacks intended to distract victims from immediately noticing the thefts. According to the Justice Department, Gameover has been implicated in the theft of more than $100 million in account takeovers.
[GameOver ZeuS] uses a tiered, decentralized system of intermediary proxies and strong encryption to hide the location of servers that the botnet masters use to control the crime machine.
GOZ has also been used to distribute CryptoLocker, the ransomware that encrypts a victim's files and demands payment in bitcoin to unlock them -- yet another piece of highly profitable software designed to separate you from your hard-earned money.
DOJ estimates place the number of infected Windows computers at 500,000 to 1 million, with 25 percent of those computers in the United States.
There are many pieces of software that will scan your computer for evidence of GOZ infections, including an extensive list of scanners and removal programs compiled by CERT last week. But all of those programs, along with other scanners I've encountered, have to be downloaded and installed.
F-Secure posted a very clever scanning page that will tell you with some degree of reliability whether you're infected -- and you don't need to download or install anything. The F-Secure scanning page generates a dummy page inside an iframe; if GOZ's web-inject hooks are active in your browser, they insert their telltale code into that dummy page, and the scanner's script looks for it. Very slick -- go to the F-Secure scanning page, and it'll tell you if you're infected.
The trick isn't foolproof. As F-Secure explains:
If you are using a browser which GameOver doesn't support (Lynx, anyone? Or a native 64-bit browser), it may be that your computer is infected, but the browser has no traces of the malware.
Take a second and do it now.
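To make the mechanism behind F-Secure's page concrete, here is an added illustration of a web-inject tripwire. It is not F-Secure's scanner and not GameOver Zeus code: a page embeds a decoy login form whose exact markup it knows, and script compares what the browser actually ends up rendering against that baseline. Anything a banking trojan's web-inject hooks added (extra fields, a loaded script) shows up as a difference. The decoy markup and the "injected" sample are constructed for the example; the verdict also carries the caveat from the F-Secure quote above, reporting "no inject observed in this browser" rather than "clean."

```javascript
// Added example (not F-Secure's scanner, not GameOver Zeus code): a minimal
// web-inject tripwire of the kind the article describes.
//
// The page embeds a decoy login form whose exact markup it knows. A banking
// trojan with web-inject hooks rewrites pages it thinks are bank sites, adding
// extra fields (PINs, card numbers) or loading its own script. Comparing the
// markup the browser actually ends up with against the known baseline reveals
// that tampering without downloading anything.
//
// All markup below is constructed for illustration; the "injected" sample is
// a generic stand-in, not a real GOZ inject.

const BASELINE = `<form id="login" action="/login" method="post">
<input name="user" type="text">
<input name="pass" type="password">
<input type="submit" value="Log in">
</form>`;

// Tiny start-tag tokenizer: returns one {name, attrs} record per start tag,
// ignoring text nodes and closing tags. Good enough for a decoy we control;
// it is not a general HTML parser.
function startTags(html) {
  const tags = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  const attrRe = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    tags.push({ name: m[1].toLowerCase(), attrs });
  }
  return tags;
}

// Canonical string for a tag so that attribute order does not matter.
function tagKey(t) {
  const attrs = Object.keys(t.attrs).sort().map((k) => `${k}=${t.attrs[k]}`);
  return [t.name, ...attrs].join(" ");
}

function countKeys(keys) {
  const counts = new Map();
  for (const k of keys) counts.set(k, (counts.get(k) || 0) + 1);
  return counts;
}

// Multiset difference of start tags: anything present in the observed markup
// but not in the baseline was injected; anything missing was removed.
function detectInject(observedHtml, baselineHtml = BASELINE) {
  const base = countKeys(startTags(baselineHtml).map(tagKey));
  const seen = countKeys(startTags(observedHtml).map(tagKey));
  const added = [];
  const removed = [];
  for (const [k, n] of seen) {
    for (let i = base.get(k) || 0; i < n; i++) added.push(k);
  }
  for (const [k, n] of base) {
    for (let i = seen.get(k) || 0; i < n; i++) removed.push(k);
  }
  return { tampered: added.length > 0 || removed.length > 0, added, removed };
}

// The verdict deliberately distinguishes "inject observed" from "nothing seen
// in this browser": an unsupported browser (64-bit, text-mode) carries no
// hooks, so a clean result there says nothing about the machine itself.
function verdict(observedHtml) {
  const r = detectInject(observedHtml);
  if (r.tampered) {
    return `web-inject observed: ${r.added.length} tag(s) added, ${r.removed.length} removed`;
  }
  return "no inject observed in this browser (not proof that the machine is clean)";
}

// Constructed samples. In a live page the observed markup would come from
// something like document.getElementById("login").outerHTML after load.
const OBSERVED_CLEAN = BASELINE;
const OBSERVED_INJECTED = BASELINE.replace(
  '<input name="pass" type="password">',
  '<input name="pass" type="password">\n<input name="pin" type="text">\n' +
    '<script src="http://inject.example/hook.js"></script>'
);

console.log(verdict(OBSERVED_CLEAN));
console.log(verdict(OBSERVED_INJECTED));
```

The comparison is a multiset of start tags rather than a raw string compare so that a browser's own normalization of the decoy (attribute reordering, whitespace) does not trigger a false alarm, while an extra input or script tag still does. A real scanner would also need the decoy to look like a page the malware targets, which is the part F-Secure's page handles and this example does not.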
This story, "Now's your chance to clean up your GameOver Zeus infection," was originally published at InfoWorld.com.