Computer Crashes & Viral Vaccinations

This is a slight departure from my normal subjects but it’s something I’ve been meaning to write about for a while. I work for a non-profit IT organisation called TechStart, providing IT services to the local community. One of the services we provide is computer repair. It seems that, in the past couple of months, there has been an increasing number of heavily infected machines coming in for repair. All of these machines are running antivirus software of one kind or another (Symantec, McAfee, Avast etc.) but still these infections are getting through. Some are downloaded via other applications, usually so-called ‘optimisation’ software, offering file and registry optimisation but at a cost, and these, in turn, download and install further viruses and/or adware. The end result is an OS that gradually becomes more and more erratic and slow until it is all but unusable, sometimes to the point of constant BSODs (Blue Screen Of Death). Many of the people affected can’t always afford to pay much for the removal of these infections, meaning they are left with an unusable machine and no way to clear it. It can take from several hours to several days to clear a machine properly while maintaining the integrity of the customer’s data, and it can end up being expensive if charged by the hour or day (we charge a single flat fee (+ parts cost) for all repairs, no matter how long they take). If the user is particularly unlucky, they can end up choosing a repair service who are so lazy that they simply reformat the hard drive, reinstall the OS and claim the user’s data was ‘unrecoverable’ (and yes, these do exist, much to my disgust).

As a prime example of the above, the following is the list of infections that were found on one single Win7 machine that came in for repair. The machine was running AV software but was almost impossible to use.

Win32/Obvod.H (trojan downloader)
Win32/Filcout.A (trojan downloader)
Win32/Wysotot.B (trojan downloader)
Win32/Rotbrow.A (TrojanDropper)
Win32/Rotbrow.D (TrojanDropper)
Win32/Rotbrow.E (TrojanDropper)
Win32/Rotbrow.L (TrojanDropper)
Win32/Rotbrow.M (TrojanDropper)
Win32/Kelihos.B (backdoor trojan)
Win32/Sirefef.AB (Trojan)
Win32/Tugspay.A (trojan downloader)
Win64/Sirefef.AH (Trojan)
Win32/Sirefef!cfg (Trojan)
Win64/Sirefef.U (Trojan)
Win64/Sirefef.P (Trojan)
Win32/Brantall (trojan downloader)
Win32/Squarenet (Software bundler)
Win32/Woldec.C
Win32/EoRezo (Adware)
Win32/Unruy.H (AdClick Trojan)
Win32/Costmin (Software bundler)
Win32/InvisibleBrowser (Adware)
MSIL/CVE-2013-0074.A (Exploit in Silverlight)

Clearing this machine took the best part of two days. It involved a basic scan using WDO (Windows Defender Offline, a bootable variant of Microsoft Security Essentials) to bypass the OS and remove the more obvious infections, which then enabled me to boot the OS into Safe Mode and remove the vector applications (the applications that contain and spread the infections) to reduce the possibility of further recurrences of infection. Once these were removed, a further intensive scan (taking in excess of 8 hours) found and removed the remainder of the infections. This then enabled me to boot the OS, again into Safe Mode, and run an MBAM scan to remove further installed malware (this machine had in excess of 4000 items of malware and PUPs (Potentially Unwanted Programs, which are usually safe to remove)), followed by several further MBAM scans, in normal mode, each one revealing further malware, like layers of an onion, until the machine ‘ran green’, meaning no further malware could be detected. These MBAM scans took several hours each. The last stage was to run CCleaner to clear the internet caches for each browser and the temp directories, clean up the registry, then check the autoruns to remove any missed startups, BHOs (Browser Helper Objects) and scheduled malware applications.

Unfortunately, variations of this process are required on nearly every machine that we have in for repair, even the ones that are in for hardware repair (we go through the process as standard now). Depending on the level of infection (if any), it can take from several hours to several days to get a machine running green. To make matters worse, certain infections necessitate removing the hard drive and connecting it, via an external USB adapter, to another machine to perform the AV scan, as some types of malware seem to affect the partition table or boot record (there is one that messes with the MFT (Master File Table) and so effectively corrupts the disk as far as booting is concerned and makes it appear that the data has been lost. Fortunately I have only come across this one once and I have tools that enable me to recover the user data).

The main thing that bugs me (pun not intended) is that all it takes to help prevent infections like the one above is some simple precautions that could be explained when the machine is purchased. This is almost never done. I really don’t know why, but I suspect that sales people are too busy selling to take customers through the list of simple precautions. The trouble is, the list of ‘simple precautions’ gets longer all the time and can get confusing, especially to less experienced or older users. I’ve tried to create a simple list; it is quite long but, hopefully, easily understood, and it may help reduce the number of times I have to run through the above process.


EMAIL:

  • If an email looks too good to be true, it nearly always is.
  • Your email address is precious. Before you give it out, think about who you are giving it to.
  • Don’t open attachments sent with unsolicited emails. Even if you know who the email is from, exercise a modicum of caution and save and scan the attachment with AV software before opening it.
  • If an attachment has a .pdf.exe or .zip.exe extension then it is almost certainly malware.
  • Do not follow links in unsolicited emails, especially if they appear to be from your bank.
  • If you get an email purporting to be from your bank, don’t follow embedded links; use your normal method of accessing your account. This way you won’t accidentally give away your details.
  • Never, ever respond to spam emails. This confirms to the spammer that the email account is active, and so you will suddenly be inundated with spam and potentially malware and/or adware.
  • Turn off preview in your email client. Many emails contain viral code that can be executed simply by viewing the email in a preview. It can also be used to send a confirmation back to the spammer that the account is active.
  • Be careful where you use your email online. Web-bots can be used to ‘harvest’ email addresses from public info and forums.
  • Keep a second email account. This can be used to register at sites from which you don’t want to receive further info or spam. It can also be used to recover password/username information in the event that your primary email account is compromised.


WEB BROWSING:

  • When going to a website from an email, type the website address into the browser rather than clicking the link (unless the email is from a known, trusted source), as links can be falsified. (What you see is not what you get.)
  • Ensure that privacy settings on your browser are on. This helps prevent too much info being passed to the website.
  • Ensure your pop-up blocker is on. Some websites drop malware onto your machine using a “background pop-up”.
  • Empty your web cache on a regular basis. Applications such as CCleaner are handy for this.
  • When browsing a site that claims to be secure, check that the web address starts with “HTTPS://”. There should also be a padlock symbol on the browser’s toolbar at the bottom or to the left of the address bar (if using Firefox or Chrome). If there isn’t then there is a good chance that it is a ‘phishing’ site, designed to harvest your details.
  • Try to avoid “Download Managers”. These frequently include malware in the downloads and some don’t even download the file you want, giving excuses such as “payment required”, “file unavailable”, “not enough disk space”, all the while downloading malware to your machine.
  • Avoid using banking or other private websites over public access wifi. It’s too easy for an attacker to acquire your information (known as a “Man-In-The-Middle” attack), as there is rarely any encryption or other security.
  • If using public machines do not allow the browser to store your passwords.
I hope these precautions are helpful. As usual, I welcome any comments.

Unleashed, but Barely Alive and Breathing

There’s an old saying in the tech world: “To err is human, but to really foul things up you need a computer”. Having spent some time reading various articles on the DWP’s Universal Credit system, and having been one of the techies waiting to start work on it (now not working on it at all due to changes made by the DWP), I sincerely believe that the saying should be modified to read: “To err is human, but to really foul things up you need a government”.

The whole idea of Universal Credit was an admirable one: collating and simplifying payments to benefit claimants into one monthly payment, linking it into the HMRC system so that there was no need to sign on or sign off when leaving or starting a job, levels of benefit changing depending on the salary received, reducing fraud, all wonderful things promised by a sparkling new system to be in place by October 2013, shiny, new, tested and working.

This isn’t going to happen.

Instead we are given a multi-tentacled, money-sucking monster that, barely alive and breathing, threatens to destroy every benefit claimant that is caught in its foetid maw, and one which will not now be fully unleashed until 2017. Part of the problem has been the ruckus occurring at top management level, with two stepping down and moving on and one sadly passing away.

The rest of the problem lies with the system itself. It appears that there is actually only one job centre testing the system (“Pathfinder”), in Ashton-under-Lyne, while the two others (Oldham and Warrington) are not due to start testing now until the end of August. Apparently they are only using single people, newly unemployed, to test the system, which is a bit like testing a car by driving it around a smooth track at five miles per hour and declaring it safe. What’s worse is that the HMRC real-time information (RTI) system which is supposed to supply the claimant data is still being developed, so the Pathfinder rollout has had to be halted while the data is entered manually. According to an article in The Register:

“civil servants have had to do the sort of basic tasks that were originally intended to be done automatically, like data entry and the verification of basic information about a client such as date of birth, address or right to claim the dole – even though a small number of clients with relatively simple personal situations have been chosen to take part.”

Under no circumstances should this software have been allowed out into the real world in this condition. Entering data by hand on a live system, data that, if entered wrongly, could threaten people’s already precarious financial stability, is ridiculous. If the HMRC RTI system isn’t ready then don’t roll out UC until it is. Using such a simplistic approach and such basic data, probably in the hope that all would work well and the politicians could hold it up as a shining example of government IT, is idiotic in the extreme. I could understand if this approach was for comparison purposes, ensuring the data from the HMRC matched the claimant, but it isn’t.

You rarely see this level of idiocy in a business setting. It’s yet another case of government touting something wonderful without knowing whether it can actually be delivered on time and within budget. Universal Credit will now be added to the ever-growing list of huge government IT projects that have, along with the NHS & Child Support, ended up as bloated, over-budget embarrassments which could have been delivered properly had the government listened to the right people.

Sorry, rant over.