"business as usual"
Like another commenter mentioned below - it's business as usual, or rather a nice two week bit of respite, isn't it?
Many people are panicking about what's going to happen in two weeks, thanks to these reports.
Am I missing something? All we've done is pull out the network lead as we might do during a cleanup anyway, right?
Of course it's not a bad idea to run a zbotkiller or malwarebytes periodically anyway, but the message here seems to be way wrong and out of context to me.
Here is what I sent to a customer who asked if they needed to take any urgent drastic action.
Am I off the mark? See below:
Nothing is any different to how it has been for the last couple of years.
Zeus/Zbot and CryptoLocker have been on/off people's computers for years, and sometimes I am removing it from two different customers in the same week. In the last couple of months, having got increasingly fed up with it, I have set policies of blocking all .zip and executable attachments on email servers, since this is the most common source of infection (.zip attachments on fake emails from Amazon/tax/payroll/Sage/Sky/FedEx/UPS/etc.).
Usually it becomes apparent that a computer is infected because it tends to get straight on with the CryptoLocker part of things, files become inaccessible, and a ransom is demanded. I then have to restore data from a backup. This is the thing that Fiona got onto her computer a few months ago.
All I would say is that I have noticed the occasional attempt to distribute it through a Dropbox link, so you could tell the staff not to open any "You have been sent a file through Dropbox" email links without first confirming legitimacy, since I can't block that. The other way is popups that tell you that you have to update your Adobe Flash or similar. They're often on dodgy websites, but sometimes legitimate websites also get hacked and have these popups injected. This is nothing to do with the two week window thing though and is just general advice. I have wondered about some kind of safe-computing training to show people what these popups and other dodgy things look like when they come in, but for now the above advice basically covers the current trends.
From a banking point of view, some were particularly susceptible in the past (HSBC & First Direct: you sign in once with your code, then you can freely add new payees and transfer out money to them, without having to enter any new codes from the security device/dongle). HSBC & FD have changed their systems now, and do require re-entering a code from the keypad/card every time a new payee is added or amended. Obviously this would only matter if you were infected, but it has been a source of stolen bank funds in the past (screen gets blanked after you log into the bank, money gets transferred out in the background), so it's a bit of extra peace of mind anyway.
All that has changed is that they have disconnected the controlling systems (command & control servers), and they expect that it'll get going again in two weeks. I'm not sure why they would use the words "two weeks to prepare for massive attack", as all they mean is it's been switched off, and it'll probably get going again in two weeks. Unless I'm missing something... I don't think I am though. The command/control servers being disconnected doesn't make it any easier to detect or remove from a computer. It just means it can't be commanded to do harm.
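The commenter's mail-server policy of blocking all .zip and executable attachments can be expressed as a small filter. The following is an added example written for this page, not the commenter's own configuration: it parses a message with Python's standard `email` module, flags any attachment whose name has an executable extension, flags every .zip attachment (the commenter blocks them all), and additionally reports when the archive's listing shows an executable inside, which is what the fake-invoice lures typically carry. The sender addresses, file names and the extension list are constructed for the example.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions treated as executable content for this example (constructed,
# not an exhaustive list; a real deployment would tune it).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# The commenter's policy blocks every archive of this type outright.
ARCHIVE_EXTENSIONS = {".zip"}


def _extension(filename):
    """Lower-cased final extension of a file name, or '' when it has none."""
    name = (filename or "").strip().lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def _zip_contains_executable(data):
    """Return the first executable member name inside a zip payload, or None.

    Only the archive's central directory is read; nothing is extracted.
    An unreadable archive is reported as such rather than silently passed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if _extension(member) in EXECUTABLE_EXTENSIONS:
                    return member
    except zipfile.BadZipFile:
        return "<unreadable archive>"
    return None


def check_message(raw_bytes):
    """Parse an RFC 822 message and return (blocked, reasons).

    blocked is True when policy says the message should be held;
    reasons lists one human-readable line per offending attachment."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline body text, not an attachment
        ext = _extension(filename)
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable attachment: {filename}")
        elif ext in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            member = _zip_contains_executable(payload)
            detail = f" (contains {member})" if member else ""
            reasons.append(f"zip attachment: {filename}{detail}")
    return (bool(reasons), reasons)


def build_sample(filename, content, subtype):
    """Construct a test message with one attachment (constructed sample data)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"   # constructed address
    m["To"] = "staff@example.org"       # constructed address
    m["Subject"] = "Your invoice"
    m.set_content("Please see attached.")
    m.add_attachment(content, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()


def make_zip_with(member_name, member_data):
    """Build an in-memory zip holding a single member (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        build_sample("invoice.pdf", b"%PDF-1.4 constructed", "pdf"),
        build_sample("invoice.zip", make_zip_with("invoice.pdf.exe", b"MZ"), "zip"),
        build_sample("update.exe", b"MZ", "octet-stream"),
    ]
    for raw in samples:
        blocked, reasons = check_message(raw)
        print("BLOCK" if blocked else "PASS ", reasons)
```

The "invoice.pdf.exe" member illustrates why the archive listing is worth reporting: Windows hides known extensions by default, so that name displays to the recipient as "invoice.pdf". The filter judges by file name only, as the commenter's server-side policy does; it is a coarse gate in front of the user, not a substitute for the periodic scans mentioned above.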