How does malware get on my computer?

Sometimes malware and rogue programs are unknowingly downloaded when searching online for help with a slow computer, or free virus scanners. This is what people do a lot. Malware that silently injects code onto a system when visiting a legitimate website that has been compromised through its advertising network is difficult to detect. Other infection or attack vectors include Facebook, clicking on bad links in chat programs such as MSN Messenger and Live Messenger, and clicking on infected attachments or links to phishing sites. An example of a phishing link is the spoofed seek.com email. Clicking on the link in the spoofed email leads to a phishing scam website that looks remarkably like the real thing. It’s hard to spot the difference.

One way to spot the difference is to upgrade your browser to the latest version for your operating system, and upgrade to Internet explorer 9 for suitable systems. In the address field of the URL the domain is highlighted and the remainder is greyed out. If you seen jobs.seek.com for example it is likely to be a scam because the seek domain is seek.com, not jobs.seek.com.

But some phishing emails look perfectly like the real thing. How can you tell if the email is spoofed? It’s not that hard. You can read the header of the email by right clicking on the unopened email in the Outlook 2007 window and choosing message options. Here you can see the sender domain after the @ symbol and the reply to address.
In Outlook 2010 you can enable message options to the QAT by following these simple instructions over at slipstick.com

Steps to Securing your System
You cannot run a computer without a good antivirus and malware scanner, in spite of some malware being able to shut down either of these types of defences. Malware and spyware are also often downloaded by a dropper using a Trojan to deliver the payload so AV and malware level protection is an essential, but not front line defence – anymore.

Advanced level steps:
1. Ensure your operating system is up to date. Malware will exploit vulnerabilities in the system and many critical updates in Windows are security related patches. In Windows 7 and Vista type “update” into the search (start) field and choose Windows updates. In WinXP you can find the updates website in the left pane of the control panel. Updates should be set to automatic but it doesn’t hurt to go through the steps above to check if your system is current. If you have pirated software you are at a high risk of infestation.
2. Java and the Flash Player are on most computers so it’s not surprising they are targeted by cyber-criminals. Rogue /scareware programs capable of injecting code from a website  commonly uses the CVE/Java Exploit.  To check if you have the latest Java version visit the Java test centre at Sun Microsystems.
3. On badly infected systems we sometimes find more than one malware/spyware scanner – in some cases competing with each other. We recommend ESET Antivirus and Malwarebytes which work together well. ESET is from Slovakia with an office in Brisbane and is the preferred antivirus shipped with new Intel 2nd generation motherboards.
4. The most common rogue infection is referred to as scareware (figure 1) because it wants you to believe that list of infections it’s showing you are really on your PC. Of course they are not, but it will attempt to defraud your credit card. Each time you click the red X to close the window it will install another instance of itself. This (type) of program is also known to install rootkits and keyloggers which are difficult to detect. If the malware program appears to have been removed by your AV program it may have installed its keylogger payload.
5. The Rapport web browser plugin from Trusteer.com is a highly regarded anti-keylogger tool used by many major banks in the US and Europe. The standalone version is free. Install this into your browser and click to protect specific websites such as your bank.
6. Recently we have seen a browser re-direct that is installed not in the PC, but in the router. Each request in Google search redirected to an unrelated website. The reason the bug was able to install into the router was because it had a default password. When setting router passwords or any password the usual advice is to use complex and difficult passwords. The downside to that is they are impossible to remember. The most common ways to find someone else’s password is to (a) guess (b) use brute force attacks (c) common words (guessing again). Using any of these methods involves a hacker using a script such as a dictionary script. A password like PASSWORD or FIDO3 will take between 3 minutes and hour to guess using an automated script which can be downloaded free on the web. Let’s look at a password example of gehdfa7. A brute force attack running an automated script with 100 passes per second will eventually be hacked (guessed) by the script in some short theoretical time frame (<12mths). If you create a mix of capitals such as gEhdFa7 it would be more likely to take >100 years with an automated script at 100 passes per second. But who’s going to remember gobbledegook? If you use a three word phrase like this “just in time” (with spaces or underscore) it will take in excess of thousand years to brute force hack. And bonus! You will always remember it. The places where passwords are most important is websites you visit such as ebay, banks etc.
7. The password on your computer is less important than websites because the likelihood of your PC getting hacked behind the NAT firewall on most modern routers with a password is remote. Why would your PC be worth the effort of a serious hacker anyway? But using your full name JAMES BLUNT as your login name will be recorded (a) when you upload a photo on some for sale website (b) In the meta data of a Word document. The person who terrorised a young girl in Sydney recently with the collar-bomb hung a lanyard around the girls neck with a USB thumb drive attached that had the ransom note and instructions on it. There was just the one document but data forensics found traces of deleted files including the meta data of an early word document which showed the user logged in at the time as Peter.P. The suspect in the case is Paul Peters. Word documents also contain a history of changes.

8. Using an open DNS server network helps to protect you from phishing sites and infected websites matched in the DNS databases by contributed to by over 20 million users of OpenDNS. OpenDNS is a service which also allows you to block access to Facebook and IM programs during working hours! Or at home. You can block access to naughty content at the router level which will affect all PC’s on the network. The free OpenDNS will often have a side effect of speeding up internet browsing. The VIPRE antivirus from Sunbelt Software uses a similar paid version of a DNS service called Clear Cloud to protect against infected sites and is a similarly very effective tool.
9. Be careful of other people’s USB drives. Beware the sales rep, or even the IT guy fixing your computer who inserts and opens a USB drive on your PC without a password. They could be transferring a virus, or silently installing a keylogger.
10. A lot of criminal-ware takes advantage of common download searches such as registry cleaners, system optimizers, and free antivirus scanners. Be careful what you wish for!

Call us for onsite mobile virus malware removal

© Copyright 2010. Wired Office Computers Perth WA.

Trusteer Rapport add in

Keyloggers are not difficult to install on a computer and there are variations of this type of spyware that can run in stealth mode that only an experienced technician can detect using process analysis.Keyloggers intercept data (your keystrokes) before it reaches the secure site you are logged into, such as your bank. Keyloggers run and record data regardless of secure website technology.

In addition to effective antivirus and malware protection, we install Trusteer’s Rapport security on any business computer used for financial transactions.

The home edition of Rapport is free and easy to install and gives you peace of mind when you are using your browser for secure transactions.  Internet Explorer 9 is now supported as well as firefox.

Solid state drive and data safety

We see the failure of electro-mechanical hard drives on an almost daily basis. These clumsy but delicate devices are nearing the end of their technology life and SSD (solid state drives) with large capacity and mainstream pricing will take their place. The end-of-life for these troublesome drives is welcomed, though I must point out that while everyone moans about the unreliability of IDE and SATA drives, they are built to a price and you got what you asked for. Some drives seem to be a little more reliable than others, while the WD Velociraptor is very reliable, at a price.

We would expect to see data retained when the flash drive has reached its write cycle and this presents its own security issues for enterprise, medical, and all other users where critical data is stored.  Researchers at the non-volatile-systems -laboratory found that commercial erasing programs were not entirely affective with data remnants still available to testers.

A SSD drive that is unmountable or no longer appears to be working may be mistakenly discarded with accessible data on it.

These types of malicious programs assume the name of legitimate system resources, and want your money from your bank. So far they have been very successful on several continents. The fact that we are finding so many of these bugs on systems here in Perth would indicate Western Australians are also victims.

At Wired Office we are now offering an onsite service to test PC’s for the presence of trojans, and set up advanced, multilayer protection against trojan keyloggers. Keylogger programs are silent and undetectable and either record your keystrokes or hijack a machine,unknown to the user. Standard support rates apply. If you do not require scanning, or if your PC is new for example,  we can set up anti-keylogging on your PC free of charge.

More information here.

I’ve had these types of calls myself. They claim to be from Microsoft calling to inform the user the PC is infected by a virus.  They offer to do a remote inspection to confirm the threat and either seek an IP address (the address of your PC on the internet) or direct the user to a spoofed Microsoft website to download a tool so the caller can take over the machine remotely.

If they want an IP address you could give them DOCEP’s DNS server address at 203.33.230.200. If they ask you to visit a Microsoft website and you are using IE8 you can see in the URL area that the main domain (microsoft.com) will be in bold, while the rest of the URL is greyed out.

But this is a lot to remember on the spot. Best to remember that Microsoft will never make an unsolicited call to you for any reason, especially if it involves remotely accessing your PC and eventually asking for money. Just as winning a lottery that you never entered in the first place is highly unlikely, so will be a friendly suppport call from a Microsoft engineer on another continent be unlikely.

So, for those who want to know just how secure their passwords are you can use this password checker. It’s gives a rating between poor, to good and best. It is a non-recordable password tester from Microsoft.

Here’s the patch direct link (closed).

The UAC (User Account Control) prompt in Windows Vista is a security tool to prevent unauthorized access to the system. The problem I find in the field is that there will always be a percentage of users who will click “continue” = (please allow this malicious code to run on my PC because I really don’t know any better). It may also be difficult to manage the security of a computer when it is accessed by multiple users, and you need a secure computer on your network or in the office. There is a solution to this problem. It is a fiddly, requires familiarity with the mouse and navigation in Vista, but if you want to lock down Vista and prevent malicious code from running DEP is your answer.Data Execution Prevention has been around since Windows Server 2003 and monitors the way programs use system memory.

If the program attempts to access memory in an unsafe fashion, DEP closes it down. If the program has a valid ActiveX Control it should execute correctly. If it will not install or run and you know this program is safe you can add it to the DEP allowed list. The computer needs to be restarted after DEP changes. Not every program that is blocked by DEP is malicious or spyware but if DEP is monitoring the program it can detect attempts to execute code from protected memory areas, and help to mitigate the threat of attacks. If DEP closes the program you know is safe, try checking for a DEP capable version of the program or contact the vendor before changing DEP settings.

To access DEP settings and add or remove programs from the allow list:

· Go to start

· Right click computer

· Select properties

· Select advanced system settings

· Note the UAC prompt and continue

· Select the advanced tab

· Select the performance tab > settings

· Select data execution prevention

· DEP is turned on for essential Windows programs and services only by default – choose to turn on DEP for all programs

· Restart the computer

· If a new third party program does not run and is blocked by DEP specifically you can add it to the list by (A) turning off DEP, restart PC, install new program, turn on DEP and add the exe of the program to the DEP list, restart PC.

We turn on DEP on request or for some security scenarios on our new computers. A program blocked by DEP does not always notify you. DEP is not for everyone but is highly effective if you need advanced security.

I am used to dealing with these emails like everyone else with an email address but the email I received the other day was different. It made sense in a way. We use certificates on servers to enable secure access, so why not banks? The email informed me the bank was changing over to a certificate based system for login to internet banking. A link invited me to download a customer certificate – all in the name of better security. The certificate would recognise my computer by way of the certificate.

Aside from knowing banks do not, (1) would not send an email for such a big security change, there was was the spelling (2) mistakes. Server was spelt serve for example. Banks have and use spell and grammar checkers. I get spelling mistakes on school newsletters and even the education department letters, but never on a bank letter or legal documents.

Then I closed the email, right clicked it and selected message options (Outlook 2007). Scrolling down past the delivery path of my own ISP and its spam filters, I see the return address (3) is xhjkgs@excite.com. The return path / originating path could also be blank. Real emails have real addresses.

In my case the scam targetted ANZ bank customers so i rang 131314 and reported it to bank security.