Monday, June 15, 2009

Hijacked!

Malware Bites - and I Bite Back


A Computer Security Primer

The other day I read that some important updates were coming from Microsoft. It was Patch Tuesday, the second Tuesday of the month, on which Microsoft releases its monthly batch of security updates. I clicked on Start, then Microsoft Update and sat back to let Microsoft do its thing to keep my computer safe.

But it didn’t. Instead of going to Microsoft’s Update web page, Internet Explorer went to Google. I tried again. Same result. I tried typing update.microsoft.com into IE’s address bar. Page not found. Augh!

Don’t panic, I told myself. I started digging. I found that my computer’s DNS server addresses had been changed. Instead of using the OpenDNS servers I’d dictated in my router, the addresses pointed to some mysterious DNS servers in eastern Europe.

Uh oh. These were rogue DNS servers, run by the attackers rather than by my ISP or by OpenDNS. (This is not the same as DNS cache poisoning, where a legitimate server is tricked into caching bogus answers; here the malware had simply pointed my computer at servers the criminals controlled.) Most of the time when I entered the address of a web site, these servers correctly translated it to the IP address of the proper server, and I was able to access the web site with no problem. But when I attempted to go to a security-related web site, such as Microsoft Update or that of my antivirus program, the DNS servers answered with the address of a different server, so I couldn't get current security updates. That selectivity is what makes this kind of hijack so hard to notice: everything else keeps working.
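As an added illustration of the check that exposed this, not code from the original post: a short Python script that pulls the DNS server addresses out of `ipconfig /all` output, flags any that are not the OpenDNS resolvers the router was supposed to hand out, and then compares a set of lookups from the suspect resolver against the same lookups from a trusted one, which is what reveals the selective lying. The `ipconfig` sample, the resolver answers and every 198.51.100.x / 203.0.113.x address are constructed placeholders from the RFC 5737 documentation ranges; the OpenDNS addresses 208.67.222.222 and 208.67.220.220 are the real public ones.

```python
"""Offline check for the DNS hijack described above.

Added example, not code from the original post. It assumes the expected resolvers
are OpenDNS's two public addresses (the post says OpenDNS was configured in the
router), that the local settings are read from English-language `ipconfig /all`
output, and that resolver answers are supplied as plain dicts so the check runs
without a network. The 198.51.100.x and 203.0.113.x addresses are RFC 5737
documentation addresses standing in for real ones.
"""
import ipaddress
import re

# The resolvers the machine is supposed to be using (OpenDNS public resolvers).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample of `ipconfig /all` output after the settings were changed;
# 198.51.100.7 and .8 play the rogue resolvers (placeholders, not real servers).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOMEPC

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       198.51.100.8
"""

_DNS_LINE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S*)\s*$")


def parse_dns_servers(ipconfig_text):
    """Return the DNS server addresses listed in `ipconfig /all` output, in order.

    The first address follows the "DNS Servers" label; any further addresses sit
    on their own indented continuation lines, so keep consuming lines for as long
    as they parse as IP addresses.
    """
    servers = []
    in_dns_block = False
    for line in ipconfig_text.splitlines():
        m = _DNS_LINE.match(line)
        if m:
            in_dns_block = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if in_dns_block:
            candidate = line.strip()
            try:
                ipaddress.ip_address(candidate)
            except ValueError:
                in_dns_block = False
            else:
                servers.append(candidate)
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return the configured resolvers that are not in the expected set."""
    return [s for s in servers if s not in expected]


# Constructed answers: what the suspect (rogue) resolver returned versus what a
# trusted resolver returned for the same names. Placeholder addresses throughout.
ROGUE_ANSWERS = {
    "www.google.com": "203.0.113.20",
    "www.example.com": "203.0.113.30",
    "update.microsoft.com": "198.51.100.99",   # redirected to the attackers' box
    "www.avast.com": "198.51.100.99",          # redirected to the attackers' box
}
TRUSTED_ANSWERS = {
    "www.google.com": "203.0.113.20",
    "www.example.com": "203.0.113.30",
    "update.microsoft.com": "203.0.113.40",
    "www.avast.com": "203.0.113.50",
}


def find_misdirected(suspect_answers, trusted_answers):
    """Names the suspect resolver answered differently from the trusted one.

    Rogue resolvers of this kind pass most lookups through unchanged and lie only
    for a short list of security-related names, so one lookup proves nothing:
    compare a batch of names and report the ones that disagree.
    """
    return sorted(name for name, addr in suspect_answers.items()
                  if trusted_answers.get(name) != addr)


def audit(ipconfig_text, suspect_answers, trusted_answers):
    """Run both checks; returns (unexpected resolvers, misdirected names)."""
    servers = parse_dns_servers(ipconfig_text)
    return unexpected_resolvers(servers), find_misdirected(suspect_answers, trusted_answers)


if __name__ == "__main__":
    bad_servers, lies = audit(SAMPLE_IPCONFIG, ROGUE_ANSWERS, TRUSTED_ANSWERS)
    print("Unexpected DNS servers:", bad_servers)  # ['198.51.100.7', '198.51.100.8']
    print("Misdirected names:", lies)              # ['update.microsoft.com', 'www.avast.com']
```

On a real machine the two answer sets would come from running `nslookup name resolver` against the configured resolver and against a trusted one, for a list of security vendors' and update sites' names. A clean list of resolvers on the PC is not the end of the story, either: the router's own DNS settings deserve the same comparison against what the ISP or OpenDNS should have handed out.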

I’d been attacked by a Trojan, a piece of malware which allowed bad people halfway around the world to take control of my computer and steal information off of it.

And this was my main computer, the one I used for my online banking transactions. Time to panic! I immediately disconnected this computer from the Internet, called my banks, and – using a different computer which I verified had not been infected – changed all my banking passwords.

Since then I have spent many hours downloading various anti-malware programs and scanning that computer and my other computers, getting rid of the vicious DNSChanger Trojan as well as several other nasty bits of malware that had infested that machine, and ensuring the other computers were still clean.

I found several seriously bad actors, including another Trojan which could log my keystrokes (and thus steal passwords) or copy files to and from my computer. Horrors! An open door for criminals to steal my stuff – and my money. And there were some other nasty programs – scary-sounding stuff like rootkits and backdoors as well as more benign items like tracking cookies.

During my travels I came across a number of useful web sites which had information about finding and eliminating malware as well as software to prevent infections. I’ll list the best of these as well as the software tools I used.

Finding and Eliminating Trojan.DNSChanger

Windows Update Goes to Google Instead – This is the first page I found which described my problem, and pointed me to this page:

Bleeping Computer: Infected - no internet connection – This page has detailed instructions for tracking down and neutralizing the DNSChanger Trojan using Malwarebytes’ Anti-Malware (MBAM) program.

See also my Online Scanners section below.

Information Sites

Bleeping Computer – This site has extensive information about malware, what it is, how to avoid it, and how to get rid of it. It also has a very active forum with volunteers who can help you fix problems with your own computer.

Caution! Don’t ever download or install an anti-spyware product unless you know it’s for real! The following page will help you stay safe.

Spyware Warrior's List of Trustworthy Anti-spyware – Fake anti-spyware is everywhere, particularly in Google ads. This page has a list of known good anti-spyware as well as a list of known fraudulent products which will actually install spyware on your system instead of protecting you from it. The site has many other pages with tons of useful information.

Note that this site is not being updated any more but it does have an active forum.

How do I handle possible identity theft, internet fraud, and credit card fraud? – This page tells you what you should do if you think your computer – and your personal data – has been compromised.

When should I format, how should I reinstall? – This page explains how to decide whether you need to wipe your hard drive clean and reinstall Windows, and how to go about it.

ZDNet – This site has a number of security-related newsletters you can subscribe to. Click on the tiny little Newsletters link near the top of the page. I am currently getting Tech Update Today, ZDNet Announcements, and ZDNet Must-Read News Alerts.

Software

What’s the best anti-virus program? The best Internet security suite? The best anti-spyware program? What software can get rid of the worst infections? Here are some useful links.

Caution! Do not download any security software unless you are sure you are getting it from a legitimate site. Google’s ads are particularly notorious for pushing fake security software. I never go to any link for software in the “sponsored links” section of Google search results pages.

My Current Favorites

PC World Antivirus and Security – This site conducts regular reviews of security software for Windows and publishes a list of recommended products.

G Data – This company’s Internet Security 2010 got the highest rating in PC World’s May ‘09 review of security suites. It uses both the Avast! and BitDefender antivirus engines, so it should catch more threats than either of them alone.

SUPERAntiSpyware – In the past I’ve used Ad Aware, Spybot Search and Destroy, and Spyware Doctor, but now I’m using the Pro version of SUPERAntiSpyware because it found quite a few threats that Ad Aware and Spybot missed on my infected computer, and it’s also reputed to be able to find and eliminate the DNSChanger Trojan. The Pro version has real-time protection.

Malwarebytes – This company publishes several security products, notably Anti-Malware (aka MBAM), which can track down and neutralize a number of threats that most other products can’t eliminate. The full version ($24.95) also provides real-time protection.

NoScript for Firefox – This combination provides much safer web browsing than either Internet Explorer or Firefox alone. Download and install Firefox first, then install the NoScript add-on.

Thunderbird – Strictly speaking, this isn't security software. But so many people use Microsoft's very insecure email programs (Outlook, Outlook Express, Exchange). These programs provide malware authors with a virtual freeway into your home. Thunderbird is much safer.

Other Good Security Software

I’m far from a security expert but I do have experience with a number of other security products. I’ll give you my impressions here. The following three products are ones that I’d recommend.

Avast! – I was using this company’s highly rated free anti-virus program on all my computers – until one of them got infected by the DNSChanger and Agent Trojans.

AVG – The most popular free antivirus program. The free version does not, however, scan downloads; you need the full version for that.

Ad-Aware – A solid free anti-spyware program which appears to be compatible with SUPERAntiSpyware (you can have both running at the same time). The full version has additional features.

Losers

I’ve used the following products but was less than totally happy with them.

Spybot Search & Destroy – This seems to have significant overhead and when I did a scan with it on my recently infected computer, it found nothing that hadn’t already been cleaned by Ad-Aware.

Spyware Doctor – I found this to be annoying and intrusive, with high overhead and a cumbersome interface.

BitDefender – A highly rated antivirus program. I purchased it and used it for almost two years but switched to Avast! after running into trouble several times with BitDefender, particularly its update mechanism. It also seemed to have fairly high overhead when running on my system.

Kaspersky – I purchased this and used it for a year but switched to BitDefender because Kaspersky really slowed down my system, and BitDefender was supposed to have less overhead.

McAfee – This came free on a laptop. I wasn’t very happy with it; it seemed cumbersome to use and the company had an extremely annoying automatic renewal system which dinged my credit card without warning. I switched to Kaspersky.

Norton – This came free on several laptops. I’ve had endless trouble with it; it seems to sink its fingers far too deeply into the operating system, messing up stuff and generally causing mischief. Upgrades failed; removals didn’t remove everything. The company has a very annoying automatic renewal system similar to McAfee’s; this alone is a good reason to avoid it.

Online Scanners

Some malware will prevent you from downloading and installing security software, or will interfere with it when you try to run a scan. Malwarebytes Anti-Malware can find and neutralize many of these. But to make sure you’ve found and cleaned everything you possibly can, I suggest you also use one or more online scanners. These can take a while, but are worth the trouble if your machine has been infected and you want to have a fairly high level of confidence that you’ve eliminated the threats. (Of course, the safest solution is to reformat and reinstall Windows.)

Here are two I use:

TrendMicro Housecall

BitDefender

There are others. Avast! recommends these:

http://www.avast.com/eng/avast_cleaner.html

http://vil.nai.com/vil/averttools.asp#stinger

http://securityresponse.symantec.com/avcenter/tools.list.html

CLRAV: ftp://ftp.kaspersky.com/utils/clrav/clrav.zip

ESCAN: http://www.mwti.net/antivirus/free_utilities.asp – Set the options as shown in the screenshot.
