BMEWS
malware and the daily mail who apparently do not care

Posted by peiper    United Kingdom   on 09/07/2012 at 11:20 AM   
  1. Yes, very interesting. I have never heard of a legit antivirus company offering to remote to a pc to “check your machine over”, ESET included (and I use ESET). Looks like trouble to me.

    However, Malwarebytes is one of the best anti-malware tools out there. Another good one that is free is Kaspersky’s TDSS Killer. When I do virus removals I generally start with the Kaspersky tool simply because it finds and removes some bugs that start with the PC and prevent other tools from working. Then I move to Malwarebytes, and other things if needed.

    Judging from the list you posted, those are Adware type files that can cause re-directions to occur in the browser. Let Malwarebytes remove them, reboot, then go to Control Panel, Internet Options, pick the Advanced tab and reset the browser.  Chances are the problem will be solved.

    Posted by John C    United States   09/07/2012  at  03:50 PM  

  2. You’ve just posted the main reason I have stayed with Firefox, No Script, and Ad Block Plus. I go to many weird sites tracking down various things - due to Alpha testing some computer games, a lot of them are in Russia and other former Soviet bloc countries. I like being able to see what sites are linked to the main site (neat little add-on called Collusion) in a nice compact diagram.

    One very serious word of advice, make sure you know who it really is, before you are giving remote access to your computer. IMO, the risk is 1000 times greater than the reward.

    Posted by jackal40    United States   09/08/2012  at  05:59 AM  

  3. Jackal, ESET is my AV. Been with them for years. They are always quick to respond. Emails are answered pretty quickly and if I want to call them I can. And NO CALL centers in India either.
    They were the ones who some while ago, downloaded Malwarebytes for me as well as other apps. CC Cleaner being another. 

    John, yeah. ESET ppl are really great here.  Don’t know what they’re like in the US but they are super helpful here.  I don’t have to call on them too often, thankfully. But when I have, they have even cleaned up a mess of my own making and gone beyond what they must do. I guess I’m saying they go that extra mile.

    Posted by peiper    United Kingdom   09/08/2012  at  08:50 AM  

  4. I forgot something.
    Jackal ... I was using Firefox.  But the problem was the site itself.

    I was using Chrome as default for quite awhile, I like some aspects of Chrome but I think it’s slowed down a bit and have found FF to be faster now.

    Posted by peiper    United Kingdom   09/08/2012  at  08:52 AM  

  5. This reply got long.  Sorry Peiper, but I wanted to make sure you were properly armed against the forces of darkness.

    To further expound on what Jackal said (and I’m really glad he mentioned those add-ins for Firefox!):

    Viruses, trojans, and various other malware need a way to execute in memory on your machine before they can activate and become dangerous.  Denying them a vector into your system is the name of the game, and it’s smart to set up a multi-layer security system to make their goal unachievable where your machine is concerned.

    I’ll also include the layers that can involve “post-infection” scenarios.

    Let’s build this onion from the inside-out:

    1.  Full System Backups
    2.  MBAM and other anti-malware scanners/cleaners
    3.  Virus scanner
    4.  Hosts Blocking and Ad-block Plus
    5.  Script blocking
    6.  Browser security settings and cookie blockers

    Starting on the inside layer: 

    1.  Full System Backups.  The literal last line of defense.  Keep your backup drives/media offline/disconnected unless you’re backing up or restoring.  Nothing can infect a powered-off hard drive. 

    If your backup was done when the system was clean, you can always do a full system restore from your backup drive.

    I like Acronis True Image (Home).  It’s stand-alone, meets all my needs, and is simple to use.  I can make a bootable CD-R or bootable USB stick with the Acronis software (which has a nice visual GUI, mouse control, and support for all sorts of media/file systems.) I boot from that instead of my operating system, which makes sure the operating system (if infected) can’t interfere (it’s JUST inert data at this point, since you’re not booting from it.)

    Acronis’ only drawback is it isn’t very fast, but it is thorough and it has saved my bacon a couple of times.

    2.  MBAM and other anti-malware scanners/cleaners.  You’re already infected, your virus scanner’s offline for some reason, and you need to locate and terminate the malware that’s infected your system.

    You hope you never need these, but short of a full system restore, these can help you get bad things off your computer.

    Do NOT trust online scanners, there’s a host of them that ARE malware purporting to be white knights to save you.  Don’t believe them, too many of them are lying, and are trying to compromise your system THROUGH YOU. 

    Oh yeah, I should mention this:  Wetware compromises, ie, your mind.  Don’t be the weakest link in your security.  If any browser window asks you for permission to do something that you don’t recognize, DON’T TRUST IT.  Don’t even trust the buttons for OK or CANCEL in it.  You don’t know that CANCEL isn’t hooked to the very routine that will infect you.  Don’t trust the “X” that closes the window either.  Load the task manager via CTRL-ALT-DEL and KILL FIREFOX.EXE.

    3.  Virus scanner.  The last line of defense before actual infection; this is the “Oh CRAP, they’re inside the front gates!” defensive layer.  If your virus scanner saves you, be eternally thankful for it, and find out why you even needed to rely on it because that means something penetrated the rest of the layers of your security.

    4.  Hosts Blocking - a blacklist of sites that your machine will be prevented from ever contacting.  Security model:  “That which is not forbidden is automatically permitted.”

    Malware on sites is often hosted “off-site” on another server/site.  The little bastards that crack/infect sites will modify a legitimate site’s HTML or PHP or Javascript code to try to automatically pull the malware into your browser session.

    Advertising sites are one of the favorite targets for malware authors, because advertising tends to be used by multiple sites, and has lots of viewers.  You don’t have to infect the site, if you can just get one advertisement infected with a malware payload.  It is for this reason that I block malware AND advertising sites as much as is feasible.

    There’s a few methods for blocking these sites:

    a) By rerouting their site addresses to an IP Address of 127.0.0.1 in the workstation’s HOSTS file
    b) Using a similar trick to block them for your entire in-house network via your own name server (advanced, not discussed here further)
    c) Use a browser plugin (like Ad-Block Plus, which Jackal mentioned.)

    Let’s look at method (a) first, the Hosts file:

    You can block ANY site by adding it to your system’s HOSTS file, and putting in a matching IP address of 127.0.0.1.  This is the “Loopback” address which points right back to your own machine, which isn’t running a web server, so the request to go to that site dies instantly.

    Here’s an example:

    Let’s say I want to go to “MyFavoriteSite.com”.  They’ve had their site compromised, but I don’t know that.  Hidden in the javascript is a call to “InfectThisGuysComputer.com”. 

    My browser will try to grab the content from “InfectThisGuysComputer.com” to show me, but first it tries to resolve the IP Address.  Thanks to my HOSTS file entry, that comes back as 127.0.0.1 (instead of its real IP address), the browser tries to connect back to my machine, can’t, and that call goes nowhere.

    For complete site blocking, I use two sources of information:

    (I) The MVPS.ORG hosts file

    (II) The PGL.YOYO.ORG hosts file

    I save these to two separate text files (mvps.txt and yoyo.txt), then copy them together with the following statement in a command window:

    copy mvps.txt+yoyo.txt blockhosts.txt

    Then, I edit my C:\windows\system32\drivers\etc\HOSTS file (there’s no extension on that) with Notepad, open the blockhosts.txt file with notepad, and cut and paste the huge block of sites to the end of my HOSTS file.

    All of those sites are now permanently BLOCKED.

    It is important to note that you should update your blockhosts.txt, and refresh your HOSTS file with the new information on a semi-regular basis!

    As I said, we’ll skip (b) (the name server method) except to say it’s the same idea, only each site shows up as a re-route to 127.0.0.1 in the DNS server configuration files, so every workstation in the local network that uses the local DNS server to resolve addresses is automatically protected.  Same idea, wider effect.

    (c) Ad-Block Plus:  An add-in for Firefox that Jackal mentioned.  It performs a similar function, using their online database of advertising and bad sites to block content thus reducing your exposure to infected advertisement code/widgets/whatever.

    5.  Script-blocking using a “If you’re not permitted, you’re automatically forbidden” security model.

    This is where the “NoScript” Firefox add-in comes into play.  I can’t say enough good things about this add-in, it’s a life-saver.

    The theory is this:  All viruses/trojans/malware require a way to execute code on your machine to get up and running in memory.  No execution, no infection.

    Many sites use javascript to provide menus, search functionality, etc.  The malware authors count on this, and try to embed their own javascript, usually via a third party site (advertisements, or other code hosted elsewhere the website relies on.)

    NoScript blocks ALL javascript by default, allowing only what you say is okay.  When you go to a site, noscript blocks everything and builds a list of each site that’s trying to feed you content via javascript. 

    You can then pull up the list, and allow the site, either temporarily or permanently (so you don’t have to allow that site each time.)

    I usually try enabling JUST the site I’m trying to contact (temporarily) to see if that’s enough to get me what I want.  I also have to sometimes allow other sites to see all of the content (ie, youtube.com + ytimage.com are permanent allows for Youtube in order that it function correctly on its own and inside other people’s web sites.)

    It can take a bit to get the hang of what you should allow, and what you shouldn’t, but by using “temporary” allows, you can experiment, and there’s even a “Revoke all temporary permissions” so you can (like an etch-a-sketch) start over easily if you think you went too far in your allowances, or you want to try a different combination.

    6.  You may also want to set your browser to clear out cookies, browser history, etc… Some sites I like to keep persistent cookies for as it’s handy, but most cookies I want to throw out.

    I use an add-in called “BetterPrivacy” (version 1.68) that helps me clean up flash based supercookies that try to persist even if I manually clean out regular cookies.

    That’s all I can think of off the top of my head on a Sunday morning over coffee.  grin

    Posted by Argentium G. Tiger    Canada   09/09/2012  at  08:47 AM  

  6. Great Points Tiger! I need to check out this BetterPrivacy add-on, but since I very rarely allow a flash based site I am fairly confident of my security there.

    Also, great point on the hosts file - I run my own AD/DNS/DHCP within my network and use the DNS redirect for site I find objectionable. For a home user, the hosts file is a good idea.  Be aware, many malware writers will attempt to change or delete the hosts file in an attempt to prevent this. Also, changing the hosts file can break your ability to get anywhere if done wrong - make a backup of the original and slowly add changes, once you have it working to your satisfaction BACK IT UP AGAIN.

    Posted by jackal40    United States   09/09/2012  at  09:13 AM  
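    The HOSTS-file procedure Tiger describes (merge two block lists, paste them to the end of HOSTS, refresh semi-regularly) and Jackal's caveat (keep a backup, because malware may alter or delete the file) can be handled by a small script like the one below. This is an added example, not code from either poster; the list contents and the "# BEGIN/END blockhosts" markers are constructed for the example, and the hostnames are invented.

```python
import re

LOOPBACK = "127.0.0.1"          # the post's choice; some lists ship 0.0.0.0 instead
BEGIN = "# BEGIN blockhosts"    # markers (our own convention) so a refresh replaces the old block
END = "# END blockhosts"
# Names that a merged list must never redirect, whatever the source says.
SKIP = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

def entries(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            name = name.lower()
            if re.fullmatch(r"[a-z0-9.-]+", name):
                yield parts[0], name

def build_block(*sources):
    """Merge several block lists (whatever IP they use) into one sorted, de-duplicated
    block that maps every hostname to loopback, like the copy a+b step in the post."""
    names = {n for src in sources for _, n in entries(src) if n not in SKIP}
    return "\n".join([BEGIN] + [f"{LOOPBACK} {n}" for n in sorted(names)] + [END]) + "\n"

def apply_block(hosts_text, block):
    """Append the block to HOSTS text, or replace a previously applied block in place,
    so the semi-regular refresh never duplicates entries."""
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)
    if pattern.search(hosts_text):
        return pattern.sub(lambda _m: block, hosts_text)
    sep = "" if (not hosts_text or hosts_text.endswith("\n")) else "\n"
    return hosts_text + sep + block

def compare_to_backup(current, backup):
    """Report (ip, name) pairs that appeared or vanished since the backup copy was taken.
    A tampered or emptied HOSTS file shows up as unexpected 'removed' (or 'added') pairs."""
    cur, old = set(entries(current)), set(entries(backup))
    return {"added": sorted(cur - old), "removed": sorted(old - cur)}

if __name__ == "__main__":
    # Constructed stand-ins for mvps.txt and yoyo.txt (different IP conventions on purpose).
    mvps = "# constructed list\n0.0.0.0 ads.example.test\n0.0.0.0 cdn.example.test # note\n127.0.0.1 localhost\n"
    yoyo = "127.0.0.1 ads.example.test\n127.0.0.1 tracker.example.test\n"
    hosts = apply_block("127.0.0.1 localhost\n", build_block(mvps, yoyo))
    print(hosts)
    print(compare_to_backup("127.0.0.1 localhost\n", hosts))
```

On Windows the text would be written back to C:\windows\system32\drivers\etc\HOSTS from an elevated prompt; run compare_to_backup against the backup Jackal recommends before trusting the live file.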

  7. Jackal:  Thank you sir!

    Your point about malware being able to attack a workstation’s HOSTS file is well made.  As you said though, it’s still a valuable step for home users to perform.  It’s an additional way to prevent initial infection, which is the name of the game.  Once malware gets a chance to actually execute on the local computer, you’re in a whole different fight.

    Posted by Argentium G. Tiger    Canada   09/09/2012  at  07:15 PM  

  8. Jeez guys .... looks like I have some heavy duty homework in store.
    I’m not up to the level you guys are so it’ll take a bit of time to all sink in and take root. First, I believe I need to print out this stuff. Easier to study than always refer back to a puter screen. 

    btw, Have CC Cleaner. Any thoughts on that app?

    Thanks much.

    Posted by peiper    United Kingdom   09/10/2012  at  04:32 AM  

  9. Peiper:  Here’s a couple more helpful links that’ll take you directly to the two most helpful add-ons for Firefox that Jackal and I have been mentioning:

    - No-Script Add-On for Firefox
    - Adblock-Plus Add-On for Firefox

    And… You can search Youtube for how-to videos on how to use these things.  A co-worker put me on to that idea of how-to videos on Youtube, and it’s really paying off.

    - YouTube Search:  How to use NoScript
    - YouTube Search:  How to use Ad-Block Plus

    Hopefully that’ll make your homework easier!

    Oh, and since you’re one of the site admins, be aware that by default, certain additional sidebar widgets for BMEWS may appear to no longer work once NoScript is installed.  No worries, that’s normal function.  Just figure out what site the widgets are hosted on, and permanently re-enable those sites in no-script, and functionality should be fully restored.  (Just didn’t want you to be surprised.)

    Posted by Argentium G. Tiger    Canada   09/10/2012  at  06:05 AM  
