Monday, June 15, 2009

Hijacked!

Malware Bites - and I Bite Back


A Computer Security Primer

The other day I read that some important updates were coming from Microsoft. It was Patch Tuesday, the day on which Microsoft releases their biweekly updates. I clicked on Start, then Microsoft Update and sat back to let Microsoft do its thing to keep my computer safe.

But it didn’t. Instead of going to Microsoft’s Update web page, Internet Explorer went to Google. I tried again. Same result. I tried typing update.microsoft.com into IE’s address bar. Page not found. Augh!

Don’t panic, I told myself. I started digging. I found that my computer’s DNS server addresses had been changed. Instead of using the OpenDNS servers I’d dictated in my router, the addresses pointed to some mysterious DNS servers in eastern Europe.

Uh oh. These DNS servers were “poisoned.” Most of the time when I entered the address of a web site, these servers correctly translated this to the IP address of the proper server, and I was able to access the web site with no problem. But when I attempted to go to a security-related web site, such as Microsoft Update, or that of my antivirus program, the DNS servers misdirected me to a different server so I couldn't get current security updates.
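The check that exposes this kind of hijack is simple once you know what to look for: compare the resolvers the machine is actually using with the ones you configured. The following Python script is an added example, not code from the original post. It parses constructed `ipconfig /all` and resolv.conf-style output (the hijacked resolver addresses are RFC 5737 documentation placeholders, not the real servers the post refers to; the OpenDNS addresses are the public OpenDNS resolvers) and flags any public resolver that is neither one you configured nor on your own LAN.

```python
import ipaddress
import re

# Resolvers the owner deliberately configured (OpenDNS, as in the post).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Ranges a home router or local network would legitimately hand out.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of `ipconfig /all` output on a hijacked machine. The two
# resolver addresses are RFC 5737 documentation placeholders, not real servers.
SAMPLE_HIJACKED = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.45
                                            203.0.113.46
        Lease Obtained. . . . . . . . . . : Monday, June 15, 2009 8:02:11 AM
"""

# Constructed resolv.conf-style samples: one clean, one pointing at the router.
SAMPLE_CLEAN = "nameserver 208.67.222.222\nnameserver 208.67.220.220\n"
SAMPLE_ROUTER = "search home.example\nnameserver 192.168.1.1\n"


def configured_resolvers(text):
    """Extract IPv4 resolver addresses from `ipconfig /all` or resolv.conf text."""
    found = []
    in_dns_block = False
    for line in text.splitlines():
        stripped = line.strip()
        low = stripped.lower()
        if not stripped:
            in_dns_block = False
            continue
        if low.startswith("nameserver"):            # resolv.conf style
            ips = IPV4_RE.findall(stripped)
        elif "dns servers" in low:                  # ipconfig: first address after ':'
            in_dns_block = True
            ips = IPV4_RE.findall(stripped.split(":", 1)[-1])
        elif in_dns_block and ":" not in stripped:  # ipconfig: continuation lines
            ips = IPV4_RE.findall(stripped)
        else:
            in_dns_block = False
            ips = []
        for ip in ips:
            try:
                found.append(str(ipaddress.ip_address(ip)))
            except ValueError:
                pass                                # e.g. 999.1.1.1 matched the regex
    return found


def classify_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Label each configured resolver: expected, lan, or unexpected (public)."""
    report = {}
    for ip in configured_resolvers(text):
        addr = ipaddress.ip_address(ip)
        if ip in expected:
            report[ip] = "expected"
        elif any(addr in net for net in LAN_NETS):
            report[ip] = "lan"          # the router acting as a DNS forwarder
        else:
            report[ip] = "unexpected"   # a public resolver nobody here chose
    return report


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Public resolvers the owner never configured: the DNSChanger signature."""
    return [ip for ip, label in classify_resolvers(text, expected).items()
            if label == "unexpected"]


if __name__ == "__main__":
    for name, sample in (("hijacked", SAMPLE_HIJACKED), ("clean", SAMPLE_CLEAN),
                         ("router", SAMPLE_ROUTER)):
        print(name, classify_resolvers(sample), "->", unexpected_resolvers(sample))
```

On a real machine, save the output of `ipconfig /all` to a file and pass its contents to `classify_resolvers`. If the router itself is the resolver (the "lan" label), log in to the router and check its own upstream DNS settings as well, since some variants of this Trojan change the router rather than the PC.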

I’d been attacked by a Trojan, a piece of malware which allowed bad people halfway around the world to take control of my computer and steal information off of it.

And this was my main computer, the one I used for my online banking transactions. Time to panic! I immediately disconnected this computer from the Internet, called my banks, and – using a different computer which I verified had not been infected – changed all my banking passwords.

Since then I have spent many hours downloading various anti-malware programs and scanning that computer and my other computers, getting rid of the vicious DNSChanger Trojan as well as several other nasty bits of malware that had infested that machine, and ensuring the other computers were still clean.

I found several seriously bad actors, including another Trojan which could log my keystrokes (and thus steal passwords) or copy files to and from my computer. Horrors! An open door for criminals to steal my stuff – and my money. And there were some other nasty programs – scary-sounding stuff like rootkits and backdoors as well as more benign items like tracking cookies.

During my travels I came across a number of useful web sites which had information about finding and eliminating malware as well as software to prevent infections. I’ll list the best of these as well as the software tools I used.

Finding and Eliminating Trojan.DNSChanger

Windows Update Goes to Google Instead – This is the first page I found which described my problem, and pointed me to this page:

Bleeping Computer: Infected - no internet connection – This page has detailed instructions for tracking down and neutralizing the DNSChanger Trojan using Malwarebytes’ Anti-Malware (MBAM) program.

See also my Online Scanners section below.

Information Sites

Bleeping Computer – This site has extensive information about malware, what it is, how to avoid it, and how to get rid of it. It also has a very active forum with volunteers who can help you fix problems with your own computer.

Caution! Don’t ever download or install an anti-spyware product unless you know it’s for real! The following page will help you stay safe.

Spyware Warrior's List of Trustworthy Anti-spyware – Fake anti-spyware is everywhere, particularly in Google ads. This page has a list of known good anti-spyware as well as a list of known fraudulent products which will actually install spyware on your system instead of protecting you from it. The site has many other pages with tons of useful information.

Note that this site is not being updated any more but it does have an active forum.

How do I handle possible identity theft, internet fraud, and credit card fraud? – This page tells you what you should do if you think your computer – and your personal data – has been compromised.

When should I format, how should I reinstall? – This page explains how to decide whether you need to wipe your hard drive clean and reinstall Windows, and how to go about it.

ZDnet – This site has a number of security-related newsletters you can subscribe to. Click on the tiny little Newsletters link near the top of the page. I am currently getting Tech Update Today, ZDNet Announcements, and ZDNet Must-Read News Alerts.

Software

What’s the best anti-virus program? The best Internet security suite? The best anti-spyware program? What software can get rid of the worst infections? Here are some useful links.

Caution! Do not download any security software unless you are sure you are getting it from a legitimate site. Google’s ads are particularly notorious for pushing fake security software. I never go to any link for software in the “sponsored links” section of Google search results pages.

My Current Favorites

PC World Antivirus and Security – This site conducts regular reviews of security software for Windows and publishes a list of recommended products.

G Data – This company’s Internet Security 2010 got the highest rating in PC World’s May ‘09 review of security suites. It uses both the Avast! and BitDefender antivirus engines, so it should catch more threats than either of them alone.

SUPERAntiSpyware – In the past I’ve used Ad Aware, Spybot Search and Destroy, and Spyware Doctor, but now I’m using the Pro version of SUPERAntiSpyware because it found quite a few threats that Ad Aware and Spybot missed on my infected computer, and it’s also reputed to be able to find and eliminate the DNSChanger Trojan. The Pro version has real-time protection.

Malwarebytes – This company publishes several security products, notably Anti-Malware (aka MBAM), which can track down and neutralize a number of threats that most other products can’t eliminate. The full version ($24.95) also provides real-time protection.

Noscript for Firefox – This combination provides much safer web browsing than either Internet Explorer or Firefox alone. Download and install Firefox first, then install the Noscript add-on.

Thunderbird – Strictly speaking, this isn't security software. But so many people use Microsoft's very insecure email programs (Outlook, Outlook Express, Exchange). These programs provide malware authors with a virtual freeway into your home. Thunderbird is much safer.

Other Good Security Software

I’m far from a security expert but I do have experience with a number of other security products. I’ll give you my impressions here. The following three products are ones that I’d recommend.

Avast! – I was using this company’s highly rated free anti-virus program on all my computers – until one of them got infected by the DNSChanger and Agent Trojans.

AVG – The most popular free antivirus program. The free version does not, however, scan downloads; you need the full version for that.

Ad-Aware – A solid free anti-spyware program which appears to be compatible with SUPERAntiSpyware (you can have both running at the same time). The full version has additional features.

Losers

I’ve used the following products but was less than totally happy with them.

Spybot Search & Destroy – This seems to have significant overhead and when I did a scan with it on my recently infected computer, it found nothing that hadn’t already been cleaned by Ad-Aware.

Spyware Doctor – I found this to be annoying and intrusive, with high overhead and a cumbersome interface.

BitDefender – A highly rated antivirus program. I purchased it and used it for almost two years but switched to Avast! after running into trouble several times with BitDefender, particularly its update mechanism. It also seemed to have fairly high overhead when running on my system.

Kaspersky – I purchased this and used it for a year but switched to BitDefender because Kaspersky really slowed down my system, and BitDefender was supposed to have less overhead.

McAfee – This came free on a laptop. I wasn’t very happy with it; it seemed cumbersome to use and the company had an extremely annoying automatic renewal system which dinged my credit card without warning. I switched to Kaspersky.

Norton – This came free on several laptops. I’ve had endless trouble with it; it seems to sink its fingers far too deeply into the operating system, messing up stuff and generally causing mischief. Upgrades failed; removals didn’t remove everything. The company has a very annoying automatic renewal system similar to McAfee’s; this alone is a good reason to avoid it.

Online Scanners

Some malware will prevent you from downloading and installing security software, or will interfere with it when you try to run a scan. Malwarebytes Anti-Malware can find and neutralize many of these. But to make sure you’ve found and cleaned everything you possibly can, I suggest you also use one or more online scanners. These can take a while, but are worth the trouble if your machine has been infected and you want to have a fairly high level of confidence that you’ve eliminated the threats. (Of course, the safest solution is to reformat and reinstall Windows.)

Here are two I use:

TrendMicro Housecall

BitDefender

There are others. Avast! recommends these:

http://www.avast.com/eng/avast_cleaner.html

http://vil.nai.com/vil/averttools.asp#stinger

http://securityresponse.symantec.com/avcenter/tools.list.html

CLRAV: ftp://ftp.kaspersky.com/utils/clrav/clrav.zip

ESCAN: http://www.mwti.net/antivirus/free_utilities.asp - Set the options as shown in this ->Screenshot<-

Safe Surfing Tips

Recently I visited my sister Juanita. She had purchased a popular antivirus program and installed it on her computer and our dad’s computer. It worked fine on Juanita’s computer but it caused serious problems on Dad’s. I uninstalled it and installed a free antivirus program called Avast! in its place.

Juanita was upset that she’d spent the money for the expensive program and now felt the money had been wasted. I suggested she try to get a refund and switch to the free antivirus program from Avast! on her computer as well. I also made a number of suggestions for safer use of a computer on the Internet. I've realized that other people might find these suggestions useful.

Excerpted from my email to Juanita:

Here are links to two popular antivirus programs:

Avast!
AVG

I mentioned that I have been reading newsletters related to computers and computer security. Go here:

ZDNet

Then click on the Newsletters link near the top of the page, just below the Search box. You will get a page where you can sign up for a number of newsletters. I am currently getting Tech Update Today, ZDNet Announcements, and ZDNet Must-Read News Alerts. These often contain security alerts and other security-related information.

However, don't panic. At first I found some of the postings rather scary, but after a while I realized that not every alert applies to me and my computers - and often the threat is not as dire as the articles make it sound. I've also helped a number of friends with their computers, and through this I've come across some fairly badly infected machines. Almost always, the infected machines have been running without a current antivirus program installed, and I also suspect that the owners are prone to surfing to dangerous sites.

Over time, I've evolved the following rules of thumb:

1. Always keep Windows updated. By default this happens automatically. Every other Tuesday (known as Patch Tuesday) Microsoft prepares a group of updates. Your computer should check for these updates and download them automatically. You can check on the status of these updates by clicking Start -> All Programs -> Windows Update (or Microsoft Update). You can also check to make sure the updates are set up to happen automatically (or at least ask you before it downloads and/or installs them).

2. Always keep your antivirus program updated. Avast does this automatically whenever you connect to the internet. I believe AVG does too. This is important because new viruses are constantly being released, and your antivirus program has to get new signatures and fixes from the web site of the company that wrote the antivirus program. An antivirus program that is out of date is ineffectual.

3. Do an antivirus scan periodically. Unlike antivirus programs you pay for, Avast Free edition doesn't do this automatically; you have to do it manually. It's a good idea to do this every week or two, especially if the computer is spending a lot of time online.

4. Make sure you have XP Service Pack 2 or 3 installed and make sure that Windows Firewall is turned on. This is especially important for machines that connect directly to the internet, without a NAT router, such as your dialup connection.

5. Consider installing antispyware. I use Ad-Aware Free (get it from http://www.lavasoft.com/ or download.cnet.com and nowhere else!) and Spybot (from http://www.safer-networking.org/ or download.cnet.com). These both require manual updates and Ad-Aware requires you to run it manually from time to time. Spybot, if I recall correctly, can be set up to run continuously in the background, but it has considerable overhead so this might not be optimal on older, slower machines. If necessary you can run manual scans instead.

Here are some safe practices tips:

1. Avoid potentially toxic sites. The ones I think are most dangerous are ones you and your kids probably won't be going to: porn sites and warez sites (illegally "cracked" software). Also, file sharing networks, especially Limewire, tend to contain a lot of viruses. Avoid those too (I'm sure you do). Update: I’ve also found sites purporting to list free proxy servers to be dangerous.

2. If you ever get a popup offering to update your Flash Player, don't accept it! Close the popup. Don't play a movie if you get such a message when you open it. Close the movie and, if you've downloaded it, delete it. Then go to Adobe and check to see what the latest version of Flash Player is. If your version of Flash is earlier than that, download and install the new version from the Adobe site.

Note: When I download a new version of the Flash Player installer or other software, I append the version number of the software to the program name and save the installer in a folder where I can find it later. You can also hover the mouse cursor over the installer and it should give you a popup which shows the version number. If in doubt, download and install the new version.

3. Be suspicious of any popups offering updates; right now Flash is the one being spoofed, but there could be others in the future.

4. Avoid Microsoft's internet browser, Internet Explorer, and their mail programs (Exchange, Outlook Express, and Outlook). The open source programs from Mozilla, namely Firefox for web browsing and Thunderbird for email, are much more secure. From what I've seen these two Microsoft programs are malware's biggest routes into Windows systems.

Update: Aggressive malware development has significantly reduced Firefox’s safety advantage. However, if you install the Noscript add-on into Firefox, and use it wisely, this combination becomes by far the most secure browser combination available.

5. Never click on a program or script which arrives in an email that looks in the least suspicious. Scan any files you're not sure of with your antivirus program.

6. Be suspicious of any emails that attempt to get any personal information from you, especially passwords but also name, address, DOB, SSN, etc. Banks and other reputable companies never send emails asking for info like this, but spammers often send emails telling you that you must "update your account" or some other nonsense and give you a link to a bogus site which will steal your password.

Get in the habit of looking at the URL for a web site before you click on it, especially in any email from a supposed bank or whatever. (This is usually displayed in the status bar at the bottom of your browser or email program if you hover the mouse cursor over the link.) Also look at the actual email address of the sender; often it will have a legitimate-sounding name (e.g. Citicorp Bank Information Services) but the actual address will be clearly someone else (something like azy324@netizone9.com). This is a dead giveaway. Junk the email immediately.

7. Consider switching to gmail. You can set up gmail to retrieve email from your other addresses so it will all arrive in one place. You can also set up alternate identities so outgoing mail will have the same from address that the incoming mail was originally directed to. I have found that gmail seems to be very good at filtering out spam.

8. Never download anything, especially anti-spyware or antivirus software, from any site you're not sure of. Generally download.cnet.com, pcworld.com, and other major sites run safe servers and you can be fairly confident that things you download from them are free of malware. If in doubt, scan the downloaded file with your antivirus program (just right-click on the downloaded file and select "Scan ...") to be sure.
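The two habits in tip 6, reading the real sender address behind the friendly name and reading the real destination behind a link, can be automated for a whole mailbox. The following Python script is an added example, not code from the original post. It parses a constructed phishing message (the sender address is the one quoted above; the link targets are placeholders using an RFC 5737 address and the reserved `.example` domain) and a constructed legitimate message, and reports a finding whenever the display name shares no word with the real sender domain, a link points at a bare IP address, or a link's visible text names a different host than the one it actually goes to.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample. The sender address is the one quoted in the post;
# the link targets are placeholders (RFC 5737 address, reserved .example domain).
SAMPLE_PHISH = """\
From: "Citicorp Bank Information Services" <azy324@netizone9.com>
To: juanita@example.net
Subject: Please update your account
Content-Type: text/html

<html><body>
<p>Your account will be suspended unless you
<a href="http://203.0.113.9/login">update your account</a> at
<a href="http://netizone9.com/c/login">www.bank.example</a>.</p>
</body></html>
"""

# Constructed legitimate sample for comparison.
SAMPLE_LEGIT = """\
From: "Example Bank Alerts" <alerts@example.com>
To: juanita@example.net
Subject: Your statement is ready
Content-Type: text/html

<html><body><p>View it at
<a href="https://www.example.com/statements">www.example.com</a>.</p></body></html>
"""

LOOKS_LIKE_HOST = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)
IS_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL or of bare 'www.host.tld' text, lower-cased ('' if none)."""
    candidate = url_or_text.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    return (urlparse(candidate).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return human-readable findings for the two checks described in tip 6."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: does the friendly display name match the real sender domain?
    # Heuristic: flag when no word of the display name appears in the domain.
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    words = [w for w in re.findall(r"[a-z]+", name.lower()) if len(w) > 3]
    if words and not any(w in domain for w in words):
        findings.append(f"display name '{name}' but real sender is {addr}")

    # Check 2: does each link's visible text agree with where it really goes?
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        target = host_of(href)
        if IS_IPV4.match(target):
            findings.append(f"link points at a bare IP address: {href}")
        if LOOKS_LIKE_HOST.match(text) and host_of(text) != target:
            findings.append(f"link text says {text} but goes to {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

The display-name check is deliberately loose (a legitimate "Example Bank Alerts" from alerts@example.com passes because "example" appears in the domain), so treat its output as a prompt to look closer, not a verdict. The link check is the more reliable of the two, because it reads the same `href` your status bar shows when you hover.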

If you ever get into a situation where you think your computer has been infected with a virus, scan memory and your entire hard drive with your antivirus program or, better yet, with an online scanner. Several major antivirus providers have free scanners. http://antivirus.com (look for Housecall) and http://bitdefender.com are two that I use. You can also set up Avast to do a boot-time scan, which is more thorough and reliable than doing a scan from within Windows.

This takes a while but it's worth it to ensure your machine is clean.

If in doubt, check online forums or call someone you trust.