This is a slight departure from my normal subjects but its something I’ve been meaning to write about for a while. I work for a non-profit IT organisation called TechStart, providing IT services to the local community. One of the services we provide is computer repair. It seems that, in the past couple of months, there has been an increasing number of heavily infected machines coming in for repair. All of these machines are running antivirus software of one kind or another (Symantec, MacAfee, Avast etc) but still these infections are getting through. Some are downloaded via other applications, usually so-called ‘optimisation’ software, offering file and registry optimisation but at a cost and these, in turn, download and install further virii and/or adware. The end result is an OS that gradually becomes more and more erratic and slow until it is all but unusable, sometimes to the point of constant BSOD (Blue Screen Of Death). Many of the people affected can’t always afford to pay much for the removal of these infections, meaning they are left with an unusable machine and no way to clear it. It can take from several hours to several days to clear a machine properly while maintaining the integrity of the customer’s data and can end up being expensive if charged by the hour or day (we charge a single flat fee (+ parts cost) for all repairs, no matter how long they take). If the user is particularly unlucky, they can end up choosing a repair service who are so lazy that they simply reformat the hard drive, replace the OS and claim the users data was ‘unrecoverable’, (and yes, these do exist, much to my disgust).
A prime exampleof the above, the following is a list of infections that were found on one single Win7 machine that came in for repair. The machine was running AV software but was almost impossible to use.
Win32/Obvod.H (trojan downloader)
Win32/Filcout.A (trojan downloader)
Win32/Wysotot.B (trojan downloader)
Win32/Rotbrow.A (TrojanDropper)
Win32/Rotbrow.D (TrojanDropper)
Win32/Rotbrow.E (TrojanDropper)
Win32/Rotbrow.L (TrojanDropper)
Win32/Rotbrow.M (TrojanDropper)
Win32/Kelihos.B (backdoor trojan)
Win32/Sirefef.AB (Trojan)
Win32/Tugspay.A (trojan downloader)
Win64/Sirefef.AH (Trojan)
Win32/Sirefef!cfg (Trojan)
Win64/Sirefef.U (Trojan)
Win64/Sirefef.P (Trojan)
Win32/Brantall (trojan downloader)
Win32/Squarenet (Software bundler)
Win32/Woldec.C
Win32/EoRezo (Adware)
Win32/Unruy.H (AdClick Trojan)
Win32/Costmin (Software bundler)
Win32/InvisibleBrowser (Adware)
MSIL/CVE-2013-0074.A (Exploit in Silverlight)
Clearing this machine took the best part of two days. It involved a basic scan using WDO (Windows Defender Offline, a bootable variant of Microsoft Security Essentials) to bypass the OS and remove the more obvious infections which then enabled me to boot the OS into Safe Mode and remove the vector applications, (the applications that contain and spread the infections), to reduce the possibility of further reoccurences of infection. Once these were removed, a further intensive scan, (taking in excess of 8 hours), found and removed the remainder of the infections. This then enabled me to boot the OS, again into Safe Mode, and run an MBAM scan to remove further installed malware, (this machine had in excess of 4000 items of malware and PUP’s (Potentially Unwanted Programs, which are usually safe to remove)), followed by several further MBAM scans, in normal mode, each one revealing further malware, like layers of an onion, until the machine ‘ran green‘, meaning, no futher malware could be detected. These MBAM scans took several hours each. The last stage was to run CCleaner to clear the internet cache’s for each browser and the temp directories, clean up the registry then check the auto-run’s to remove any missed startups, BHO’s and scheduled malware applications.
Unfortunately,variations of this process are required on nearly every machine that we have in for repair, even the ones that are in for hardware repair (we go through the process as standard now). Depending on the level of infection, (if any), it can take from several hours to several days to get a machine running green. To make matters worse, certain infections necessitate removing the hard drive and connecting it, via external USB adapter, to another machine to perform the AV scan as some types of malware seem to affect the partition table or boot record, (there is one that messes with the MFT (Master File Table) and so effectively corrupts the disk as far as booting is concerned and makes it appear that the data has been lost. Fortunately I have only come across this one once and I have tools that enable me to recover the user data).
The main thing that bugs me (pun not intended), is that all it takes to help prevent infections like the one above, is some simple precautions that can be explained when the machine is purchased. This is almost never done. I really don’t know why but I suspect that sales people are too busy selling to take customers through the list of simple precautions. The trouble is, the list of ‘simple precautions’ gets longer all the time and can get confusing, especially to less experienced or older users. I’ve tried to create a simple list but it is quite long but, hopefully, easily understood and may help reduce the amount of times I have to run through the above process.
EMAIL:
- – If an email looks too good to be true, it nearly always is.
- – Your email address is precious. Before you give it out, think about who you are giving it to.
- – Don’t open attachments sent with unsolicited emails. Even if you know who the email is from, exercise a modicum of caution and save and scan the attachment with AV software before opening it.
- – If an attachment has a .pdf.exe or .zip.exe extension then it is almost certainly malware.
- – Do not follow links in unsolicited emails, especially if they appear to be from your bank.
- – If you get an email purporting to be from your bank, don’t follow embedded links, use your normal method of accessing your account. This way you won’t accidentally give away your details.
- – Never, ever respond to Spam emails. This confirms to the spammer that the email account is active, and so you will suddenly be inundated with spam and potentially malware and/or adware.
- – Turn off preview in your email client. Many emails contain viral code that can be executed simply by viewing the email in a preview. It can also be used to send a confirmation back to the spammer that the account is active.
- – Be careful where you use your email online. Web-bots can be used to ‘harvest’ email addresses from public info and forums.
- – Keep a second email account. This can be used to register at sites from which you don’t want to receive further info or spam. It can also be used to recover password/username information in the event that your primary email account is compromised.
WEB BROWSING:
- – When going to a website from an email, type the website address into the browser rather than clicking the link, (unless the email is from a known, trusted source), as links can be falsified. (What you see is not what you get).
- – Ensure that privacy settings on your browser are on. This helps prevent too much info being passed to the website.
- – Ensure your pop-up blocker is on. Some websites drop malware onto your machine using a “background pop-up”.
- – Empty your webcache on a regular basis. Applications such as CCleaner are handy for this.
- – When browsing a site that claims to be secure, check that the web address starts with “HTTPS://”. There should also be a padlock symbol on the browser’s toolbar at the bottom or to the left of the address bar (if using Firefox or Chrome). If there isn’t then there is a good chance that it is a ‘phishing’ site, designed to harvest your details.
- – Try to avoid “Download Managers”. These frequently include malware in the downloads and some don’t even download the file you want, giving excuses such as “payment required”, “file unavailable”, “not enough disk space”, all the while downloading malware to your machine.
- – Avoid using banking or other private websites over public access wifi. Its too easy for an attacker to acquire your information, (known as a “Man-In-The-Middle” attack), as there is rarely any encryption or other security.
- – If using public machines do not allow the browser to store your passwords.
Passing The Speed Of Light.... 