Beware of Malware

malware – n. Malicious computer software that interferes with normal computer functions or sends personal data about the user to unauthorized parties over the Internet.
 
The American Heritage® Dictionary of the English Language, Fourth Edition Copyright © 2006 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.

After spending a good part of the weekend helping a friend out, I figured I should post about this as a general warning to other people out there. Thanks to the growing number of Web Applications and Cross Site Scripting vulnerabilities, it seems that anyone could be at risk of getting some kind of infection. In the past few weeks, I have seen a particularly dangerous one appear, just by using MySpace. Given that she was logged into MySpace and based on what she told me, this is probably what happened to her.
Malware Alarm Popup
First, a Malware Alarm popup appears. It uses JavaScript to shrink your browser window to a size smaller than the popup and move it so that it is hidden underneath. As you can see, you are presented with two choices: OK and Cancel. I don’t know what happens if you click OK, but I just clicked Cancel. (When presented with popups like this, make sure you read what they say. Some might reverse it so that the proper answer is OK. Remember, this is malware we are talking about.)

Malware Alarm Scanning Page
Next, after pressing Cancel, it restores your browser window to close to full-screen and brings up a page that looks like it is scanning. This is the screen shot of the result. To you Macintosh people, this will be plainly obvious: it is made to look like Windows XP, XP being the operating system most people are using. I have recently switched to Vista, which has a different look, so it is obvious to me as well. But an unsuspecting XP user might click OK and allow the software to be installed, if it even asks before installing. My friend probably got infected because her system still had IE 6 on it. Even though she was using Firefox, the JavaScript was able to inject code on her machine because she had a vulnerable version of Internet Explorer on her machine.

Another thing that helped her get infected was that she did not have a current, running version of VirusScan. She had McAfee installed on her machine, but it kept asking her to verify her subscription before it would turn on and protect her. I had her log in to verify her subscription, and sure enough, it had expired. Had she kept her subscription current, she might have been able to prevent this.

Steps You Should Take
Never ever click on any pop-up without first reading it. It’s a pain, but it’s even more of a pain to recover if you click the wrong thing.

Always keep your system up to date. If you have Windows, turn on automatic updates. Visit update.microsoft.com to check for updates.

Always keep your virus scanning software up to date. If you need to renew your subscription, just pay for it and renew it. In the end, it could save you a lot of money: most places would charge you a couple hundred dollars to do the kind of cleaning this system needed. They will also probably recommend a clean install. Often that is because they are lazy and/or don’t really know how to clean a system, though if a rootkit was involved, a clean install is the only way to be certain it is gone.

Check Add/Remove Programs (XP) or Programs and Features (Vista) for malware. Some aren’t quite as malicious as others and actually allow themselves to be uninstalled from the computer.

Tools that I use in cleaning a system (running Windows)
This next section is a list of some of the tools that I use in cleaning a system. Many of them are free or can be acquired for free for personal use. With some of these tools, however, it takes a little bit of knowledge to use properly.

Stinger: If you don’t have any anti-virus software, this is a good place to start. It is a stand-alone scanner from McAfee that will clean your system of several known, widespread viruses. It doesn’t provide any ongoing protection, but it can help in removing certain infections.

Anti-Virus Software: I don’t want to recommend any one specific product, because frankly, I haven’t used them all. However, if you are a part of the UT Community, you can download McAfee Anti-Virus for free. If you are not part of the UT Community and want a free solution, AVG seems to be the solution many people use.

Spybot Search & Destroy: This program will help to identify the malware programs that are on your machine. It can attempt to remove them as well. You might need a little bit of knowledge to run this.

SpywareBlaster: This program helps to immunize your system (more thoroughly than Spybot S&D’s immunize feature) against many of the common routes malware uses to get itself installed on your machine. It does this by setting the ActiveX kill bit for known-bad controls and adding known malware sites to Internet Explorer’s Restricted sites zone, so those controls and sites are blocked before anything gets a chance to run.

HijackThis: This program is definitely useful for removing Browser Helper Objects (BHOs) and other hooks that are malware. It produces a log of the places malware commonly hooks into (Run keys, BHOs, the hosts file and so on), and it definitely takes a good bit of knowledge to run. You must be able to identify which hooks belong and which don’t, because it does not make that judgment for you.

CWShredder: This is the CoolWebSearch shredder. If Spybot identifies a CoolWebSearch (CoolWeb) variant on your system, you may need to use this to remove it properly.

RootkitRevealer: This application definitely requires some advanced knowledge to use, but it can really help you identify files and registry entries that are being hidden. It works by comparing what the Windows API reports with what is actually on disk and in the registry hives; a discrepancy means something is hiding an entry. Malware often takes the form of a trojan or hidden rootkit. An example registry entry might be a hidden firewall exception that allows the malware’s traffic.
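The judgment HijackThis leaves to you (which hooks belong) and the hidden firewall exception mentioned under RootkitRevealer can both be checked directly from the registry. The PowerShell script below is an added example, not HijackThis, RootkitRevealer or anything from the original post: it enumerates the same hook points (Run/RunOnce keys, BHOs, the hosts file and the XP/Vista AuthorizedApplications firewall list) and flags entries whose file is missing or sits outside %SystemRoot% and Program Files. The trusted-roots rule is a triage heuristic and an assumption of this example, as are the registry paths it reads; the firewall list path is the XP/Vista location and is simply skipped on newer Windows. It will not see entries a kernel rootkit hides from the Windows API, which is exactly the gap RootkitRevealer is for.

```powershell
# Added example (not from the original post): enumerate the autostart hooks a
# HijackThis-style log shows (Run/RunOnce keys, Browser Helper Objects, the hosts
# file, and the XP/Vista firewall "authorized applications" list) and flag entries
# whose executable is missing or lives outside %SystemRoot% / Program Files.
# Run from an elevated PowerShell prompt. The trusted-roots heuristic is an
# assumption for triage, not a verdict: a legitimate program installed elsewhere
# will be flagged, and a malicious DLL copied into System32 will not.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandPath([string]$command) {
    # Extract the file path from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   %SystemRoot%\system32\bad.dll
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^(\S+\.(?:exe|dll|cpl|scr))') { return $Matches[1] }
    return $expanded.Split(' ')[0]
}

function Test-TrustedPath([string]$path) {
    $p = $path.ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root + '\')) { return $true } }
    return $false
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            [pscustomobject]@{ Source = 'Run'; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-BhoEntries {
    # Each subkey is the CLSID of a BHO; the DLL that implements it is the
    # default value of HKCR\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' } else { '' }
        [pscustomobject]@{ Source = 'BHO'; Name = $sub.PSChildName; Command = [string]$dll }
    }
}

function Get-LegacyFirewallExceptions {
    # XP/Vista-era firewall exception list: each value is named after the program
    # path and holds "path:*:Enabled:DisplayName". Absent on newer Windows.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    if (-not (Test-Path $key)) { return }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        [pscustomobject]@{ Source = 'Firewall'; Name = ([string]$p.Value).Split(':')[-1]; Command = $p.Name }
    }
}

function Get-HostsOverrides {
    # Anything beyond the default localhost lines is worth a look: malware uses
    # the hosts file to block AV update sites or redirect banking domains.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hosts)) { return }
    Get-Content $hosts | ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') -and $_ -notmatch '^(127\.0\.0\.1|::1)\s+localhost$' }
}

foreach ($e in @(Get-RunKeyEntries) + @(Get-BhoEntries) + @(Get-LegacyFirewallExceptions)) {
    $path = Resolve-CommandPath $e.Command
    $verdict = if (-not $path)                              { 'EMPTY' }
               elseif ($path -notmatch '[\\:]')             { 'BARE NAME (found via PATH) - review' }
               elseif (-not (Test-Path -LiteralPath $path)) { 'FILE MISSING - orphaned or hidden' }
               elseif (Test-TrustedPath $path)              { 'ok' }
               else                                         { 'OUTSIDE Windows/Program Files - review' }
    '{0,-8} {1,-40} {2}  [{3}]' -f $e.Source, $e.Name, $path, $verdict
}
Get-HostsOverrides | ForEach-Object { 'hosts    {0}  [non-default entry - review]' -f $_ }
```

Read the flagged lines the way you would read a HijackThis log: an entry marked FILE MISSING is either a leftover from something already removed or a file that is hidden from the API, and the latter is the case RootkitRevealer exists to confirm.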

Unlocker: This program will help you delete files that are in use. Often, after running Spybot, it would hang while trying to delete a file. The malware may attach itself to several running programs, making the file impossible to delete while they run. As with any time you are deleting files, you need to know that what you are deleting really isn’t needed.

Ad-Aware or Microsoft Windows Defender: Once the system is clean, install something like Ad-Aware or Defender (Defender is installed and turned on by default in Vista). This will help catch future infections or attempts to install malware on your machine.

Microsoft Malicious Software Removal Tool: This program is included in the automatic updates from Microsoft. It runs silently and only reports something if it detects one of the malware families it knows about.

Winsock XP Fix: Finally, after removing all the malware, you may find that your Internet connection does not work. This program is definitely one of my secret programs. It basically simplifies Microsoft KB Article 811259 (recovering from a corrupted Winsock catalog) by performing all the tasks automatically. This program is no longer in development, so I’ve just linked to the top site that is providing it. I would not recommend running it under any operating system but Windows XP. I’ve successfully run it on many different XP machines; I’m just not sure how well it would run in Vista.
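On XP SP2 and later, Microsoft’s own repair for this is the `netsh winsock reset` command, which is what KB 811259 comes down to once the manual registry steps are automated; the usual cause is a malware Layered Service Provider (LSP) DLL that was deleted without being unregistered, leaving a broken provider chain. The script below is an added example, not Winsock XP Fix or anything from the original post: it lists the Winsock provider catalog, flags providers whose DLL is missing or outside %SystemRoot%, and, only when run with -Reset, backs up the two Winsock registry keys before rebuilding the catalog. It assumes English netsh output (it parses the "Description:" and "Provider Path:" lines) and an elevated prompt.

```powershell
# Added example (not from the original post): the netsh equivalent of the Winsock
# repair in KB 811259. Lists the Winsock provider catalog, flags providers whose
# DLL is missing or outside %SystemRoot%, and with -Reset backs up the Winsock
# registry keys and rebuilds the catalog. Run elevated; reboot afterwards.
# Assumes XP SP2 or later (when "netsh winsock reset" appeared) and English
# netsh output, since the parser keys on the "Description:"/"Provider Path:" labels.
param([switch]$Reset)

function Get-WinsockProviders {
    # "netsh winsock show catalog" prints one block per provider; only the
    # Description and Provider Path lines of each block are needed here.
    $desc = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match '^\s*Description:\s*(.+)$') { $desc = $Matches[1].Trim() }
        elseif ($line -match '^\s*Provider Path:\s*(.+)$') {
            $dll = [Environment]::ExpandEnvironmentVariables($Matches[1].Trim())
            [pscustomobject]@{ Description = $desc; Path = $dll }
        }
    }
}

$sysRoot = $env:SystemRoot.TrimEnd('\').ToLowerInvariant()
$suspect = 0
foreach ($p in Get-WinsockProviders) {
    $inSystem = $p.Path.ToLowerInvariant().StartsWith($sysRoot + '\')
    $exists   = Test-Path -LiteralPath $p.Path
    $flag = if (-not $exists) { 'MISSING DLL - broken chain' }
            elseif (-not $inSystem) { 'OUTSIDE SystemRoot - review' }
            else { 'ok' }
    if ($flag -ne 'ok') { $suspect++ }
    '{0,-28} {1,-50} [{2}]' -f $p.Description, $p.Path, $flag
}
"Providers needing review: $suspect"

if ($Reset) {
    # Back up first: KB 811259's manual method deletes these two keys outright.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\Winsock'  "$env:TEMP\winsock-$stamp.reg"  | Out-Null
    reg export 'HKLM\SYSTEM\CurrentControlSet\Services\WinSock2' "$env:TEMP\winsock2-$stamp.reg" | Out-Null
    netsh winsock reset                                   # rebuild the provider catalog from defaults
    netsh int ip reset "$env:TEMP\ipreset-$stamp.log"     # reset TCP/IP settings (static IP/DNS are lost)
    "Reboot to complete the repair; registry backups are in $env:TEMP"
}
```

Run it once without -Reset to see what is in the catalog; a provider with a missing DLL is the classic symptom of a removed LSP and is what breaks every socket call on the machine. The IP reset clears any static addresses and DNS servers, so note them before running with -Reset.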

Repair Install (XP): If all else fails, this is the last step you could try before resorting to a Clean Install or buying a new computer. You will need your original Windows install disc. Follow method 2 in this article.

Note: These programs are “tried and true” methods for repairing an XP machine. By now, if you are running Windows, you should be running at least XP Service Pack 2 or Vista. If you are not, you should definitely upgrade to XP SP2. I have only been using Vista for a couple of months now. I am still learning the ins and outs of it (like I know XP). While some of these methods will work under Vista, I have not had to fix a Vista machine yet. Even though UAC (User Account Control) may be kind of annoying, it will definitely help in intercepting malware programs before they get installed on your system.
