Category Archives: Malware

Microsoft Word Vulnerability

Microsoft released a security bulletin yesterday warning of a vulnerability in Microsoft Word. A user is exposed by opening a malicious document created in ‘rich text format’ (the RTF extension).

Microsoft’s interim fix is to disable the automatic opening of RTF documents; no patch has been issued.

Although Microsoft leads one to believe that the vulnerability exists in Word 2010, Outlook 2007, Outlook 2010 and Outlook 2013, I wouldn’t trust any version!

So folks, if you receive an email attachment in RTF format, for the foreseeable future, don’t open it!

New, dangerous, malware threat: ransomware

I don’t want to sound alarmist, but I have a responsibility to you and your data safety.

There is a new and dangerous computer virus outbreak going around. I ask that you continue to be extra vigilant so that your data and files are not affected. Not only would data on your computer be affected, but so would data on any network “shares” it can reach.

Ransomware has been around for a while. Most of what I’ve seen is accompanied by an “FBI warning”. The screen indicates that you are infected, or that you’ve been logged participating in some illegal activity. You are then prompted to pay a sum of money to get yourself out of the situation, hence the name, ransomware. This particular threat takes the idea further: it encrypts your files so that they are inaccessible until you pay the sum, at which point the software is supposed to decrypt your files and return them to you. The consensus in the field is that, barring a usable recent backup you can restore, there is no way of recovering your data without paying the ransom.

Remember this: the most common method of infection is by way of the computer user.

The best preventative method is user education.  Here are the best tips to avoid infection:

1) Please make sure that “Hide extensions for known file types” is disabled in Windows Explorer on your computer.  Instructions are below.  I’ve posted here on that topic before!

2) Most importantly, please do NOT open email attachments with the file extension “ZIP” or “EXE”. Other file extensions, including PDF, can contain threats. Know the sender, and if in doubt ask for assistance.

3) Be aware that people try to trick you into thinking files are safe by hiding the real extension. For example, filename.pdf.zip is a ZIP file and is immediately suspect and dangerous. (This is especially dangerous if “Hide extensions for known file types” is enabled, because the previous example would then appear to be a PDF, “filename.pdf” – the hidden extension is “.zip”.)

4) Please be suspicious of PDF files you receive by email. If you don’t know the sender, ignore it. If it looks suspect or something doesn’t seem right, it probably isn’t. I see many fictitious emails sent from “Administrator”, or even from my own email address or domain, with subject lines such as “invoice attached”, “Payroll reports”, “purchase order” – all sorts of ways to trick you into thinking the attachment is not only legitimate, but important. BEWARE!

5) Install all updates – to Windows, to Adobe Acrobat, to your anti-virus application.

6) Back up, back up, back up – back up your files!!

How to disable “Hide extensions for known file types”

Windows XP users: Double click on My Computer.  Choose the Tools menu, then Folder Options.  Click on the View tab, and in the box labeled Advanced settings, scroll down until you see “Hide extensions for known file types” and make sure that there is no check in the check box.  Lastly, click OK.

Windows 7 users: Click the Start button, then Computer. Press Alt + T on your keyboard then click Folder Options.  Click on the View tab, and in the box labeled Advanced settings, scroll down until you see “Hide extensions for known file types” and make sure that there is no check in the check box.  Lastly, click OK.
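Tips 1 through 3 above describe two checks you can make before touching an attachment: whether Explorer is hiding extensions, and what the file’s real extension is once every dotted suffix is revealed. The script below is an added example (not from the original post) that applies those checks: it surfaces every extension in a filename, reports what Explorer would display when extensions are hidden, flags the risky and double extensions named in this post, and, on Windows only, reads the “Hide extensions for known file types” setting from the registry value Explorer stores it in (`HideFileExt`; the default of hiding extensions when the value is absent is an assumption). The sample filenames are constructed.

```python
"""Screen attachment names as the ransomware tips above describe.

Added example; not code from the original post. Sample names are constructed.
"""
import os
import sys
from typing import Optional

# Extensions this page calls out as dangerous in attachments.
RISKY_EXTENSIONS = {".exe", ".zip", ".bat", ".com", ".vbs", ".scr"}
# Document types the page says can carry threats (RTF, PDF, Office with macros).
# The Office members of this set are an assumed simplification.
WATCH_EXTENSIONS = {".pdf", ".rtf", ".doc", ".xls"}


def all_extensions(filename: str) -> list:
    """Every dotted suffix, in order: 'invoice.PDF.Zip' -> ['.pdf', '.zip']."""
    base = os.path.basename(filename).lstrip(".")   # ignore dot-prefixed names
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]]


def assess_attachment(filename: str) -> dict:
    """Classify a name as 'block', 'caution' or 'ok' and explain why."""
    exts = all_extensions(filename)
    real = exts[-1] if exts else ""
    # What Explorer shows when 'Hide extensions for known file types' is on:
    # the final extension is stripped, so 'filename.pdf.zip' reads 'filename.pdf'.
    displayed = filename[: -len(real)] if real else filename
    reasons = []
    if real in RISKY_EXTENSIONS:
        reasons.append(f"final extension {real} is executable or an archive")
    if len(exts) >= 2:
        reasons.append(f"multiple extensions; shows as '{displayed}' when hidden")
    if real in WATCH_EXTENSIONS:
        reasons.append(f"{real} documents can carry threats; confirm the sender")
    if real in RISKY_EXTENSIONS:
        verdict = "block"
    elif reasons:
        verdict = "caution"
    else:
        verdict = "ok"
    return {"name": filename, "final_extension": real,
            "displayed_name": displayed, "verdict": verdict, "reasons": reasons}


def explorer_hides_extensions() -> Optional[bool]:
    """Read Explorer's 'Hide extensions for known file types' setting.

    True = hidden, False = shown, None = not running on Windows.
    Assumption: a missing value means the Windows default (hidden).
    """
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
            value, _ = winreg.QueryValueEx(key, "HideFileExt")
    except OSError:
        return True
    return value == 1


if __name__ == "__main__":
    # Constructed sample names, including the post's filename.pdf.zip trick.
    for name in ["filename.pdf.zip", "Payroll reports.pdf", "invoice.exe", "notes.txt"]:
        result = assess_attachment(name)
        print(f"{result['verdict']:8} {name:22} {'; '.join(result['reasons'])}")
    hidden = explorer_hides_extensions()
    if hidden is None:
        print("Explorer setting: not on Windows")
    else:
        print("Explorer hides extensions:", hidden)
```

Run it on any Windows machine to see the Explorer setting alongside the verdicts; on other systems the registry check is skipped and only the name screening runs.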

Article:  http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/

Better Understanding of Malware

I have repaired many computers and have encountered most forms of malicious software. The question I am asked most often by the infected party is “How did it happen?” After the fact, that is a very difficult thing to determine.

The term “computer virus” has become a catch-all phrase that incorporates all forms of “malware”, “spyware”, and “adware”. The thread that binds these malicious programs together is the fact that they are employed for nefarious purposes. The differences, briefly, include the “worm” which can travel from machine to machine over a network exploiting security holes in operating systems and programs, the “virus” which is self-replicating and must be executed (run – like any other program), and the “trojan horse” which, true to its name, presents itself in some friendly way, concealing malicious intent, and must also be executed.

The best way to avoid worms: keep your software and operating system up to date by installing the latest security patches, and use a firewall.

To avoid viruses: install and run a reputable antivirus program, and keep it up to date. Don’t install software if you don’t know where it came from. If it’s free, unless it was recommended by a reputable source, I avoid it. Avoid file-sharing: music and video are commonly shared files and often the source is unknown. Avoid opening email attachments where the file ends in “.exe”, “.zip”, “.bat”, “.com”, “.vbs”, “.scr”, to name a few (make sure “Hide extensions for known file types” is unchecked in Windows Folder Options, under View). Be careful of Microsoft Office files that contain “macros” – again, know the source.

To avoid Trojan Horses: remember “all that glitters is not gold”, know what types of alerts are legitimate Windows alerts, and know the legitimate alerts from your particular anti-virus program. Also, follow the steps for avoiding viruses.

With regard to email messages, don’t fall for messages that try to create a sense of urgency with statements like “Your account has been compromised” or “Your account information has been stolen”. These email messages generally provide a link where you can “log in” to correct the situation. In reality, these emails are cover for a “phishing” scheme where you are led to a phony web page, created to look incredibly realistic. Once you enter your login credentials, you’ve just given the schemer all he/she needs to know: that you have an account at Bank of America/Wachovia/TD Bank, that your user name is XYZ and your password is 1234.

Look closely at the link contained in the message. Generally, a user-friendly address is shown, such as ‘bankofamerica.com/login’, when the address behind the link is along the lines of ‘bankofamerica.iwillgetyou.com/login’. Just as you should be suspicious of strangers at your door, or telemarketers asking questions like ‘what’s your street address?’ and ‘What kind of security system do you have?’, you should also be suspicious of an email telling you that your account has been compromised and providing a link for you to ‘log in’. If you are unsure, log on to your account by typing the actual web site address yourself, or by using the link saved in your “favorites” – or call the company in question and ask if they sent out an alert. Most companies will tell you that they would never send out an email of that nature and would instead suspend your account until you reinstate it. By the way – Microsoft will never contact you by email to let you know that there’s an update you need to install.
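The mismatch described above, where the visible link text names one site and the address behind it points to another, can be checked mechanically before anyone clicks. The script below is an added example (not from the original post) that parses the links out of an email’s HTML, and for every link whose visible text looks like a web address, compares the domain it displays with the domain the href actually goes to. The sample email HTML is constructed, using the post’s own ‘bankofamerica.iwillgetyou.com’ illustration; the “registrable domain” helper is a deliberate simplification (last two labels of the hostname) rather than a public suffix list lookup.

```python
"""Flag email links whose visible text names a different site than their href.

Added example; not code from the original post. Sample HTML is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Text that reads like a web address: optional scheme, a dotted host, optional path.
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'bankofamerica.iwillgetyou.com' -> 'iwillgetyou.com'.

    Simplification (assumed): last two labels only. A production check would
    consult the public suffix list so that e.g. 'example.co.uk' is handled.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text: str) -> str:
    """Hostname of a URL or of a bare 'domain/path' string; '' if not URL-like."""
    candidate = text.strip()
    if not URL_LIKE.fullmatch(candidate):
        return ""
    if "://" not in candidate:
        candidate = "http://" + candidate   # let urlsplit see a scheme
    return urlsplit(candidate).hostname or ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_links(html: str) -> list:
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def suspicious_links(html: str) -> list:
    """Links whose displayed domain differs from the domain behind the href."""
    findings = []
    for href, text in collect_links(html):
        shown_host, actual_host = host_of(text), host_of(href)
        if not (shown_host and actual_host):
            continue   # text such as 'Click here' displays no domain to compare
        shown, actual = registrable_domain(shown_host), registrable_domain(actual_host)
        if shown != actual:
            findings.append({"text": text, "href": href,
                             "shown_domain": shown, "actual_domain": actual})
    return findings


# Constructed sample: one deceptive link, one honest link, one with plain text.
SAMPLE_EMAIL = """
<p>Your account has been compromised. Please log in at
<a href="http://bankofamerica.iwillgetyou.com/login">bankofamerica.com/login</a>
to correct the situation.</p>
<p>Genuine link: <a href="https://www.bankofamerica.com/login">bankofamerica.com/login</a></p>
<p><a href="http://bankofamerica.iwillgetyou.com/login">Click here</a></p>
"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL):
        print(f"MISMATCH: shows {f['shown_domain']!r} but goes to {f['actual_domain']!r} ({f['href']})")
```

Links with non-URL text such as “Click here” are not flagged by this check, since there is no displayed domain to compare; for those, the advice in the post still applies: read the real address in the status bar, or type the site’s address yourself.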

Recently, I received a call from someone who was very alarmed by what she was seeing on her computer screen. Apparently, there were pop-ups and messages indicating the presence of “viruses” and “trojans”. Not knowing whether those pop-ups were legitimate or not, I suggested that she simply power off the computer. She did better than that! She put it into standby which enabled me to later pick up right where she left off. Because of that, I was able to document a trojan attack attempt. I detailed it in the hopes that it will help you guard yourself against similar attempts. Visit the next page if you’d like to see a malware attack in progress.


Further Information / Reading:

Malware

Computer Virus

Spyware

Adware

Trojan Horse

Rootkit

Phishing


If you have any questions about what you’ve read, or have similar experiences to share, please don’t hesitate to drop me an email.

Malware attack in progress

If you’ve reached this page, you received my email about a recent web browsing experience that led to a malicious attacker attempting to dupe me into installing a trojan on my PC.

Read below to follow the series of events. You’ll know how to avoid the situation yourself, should it arise.


1) After innocently clicking a link to a desired web site, I was redirected to a URL at http://extra-security-scanv.com.

The first thing that appeared was a (JavaScript) pop-up alert: “Warning!!! Your PC needs to install antimalware software! Antivir can perform fast and free scan of your computer .” [sic]

Trojan attack image 1

I clicked the ‘Cancel’ button, but nevertheless, was redirected to another web page.

2) The subsequent page was designed to look just like a Windows (XP) Explorer Window – ‘My Computer’. Notice, however, that it appears within the browser window – in this case Firefox.

Notice the warning in red: “All information on this PC can be stolen” and the text in the red box – “Your Computer is Infected”

Looks very convincing doesn’t it?

Trojan attack image 2

3) Just look at all those problems that this scan picked up: 97 trojans in my ‘Shared Documents’ folder, 334 in ‘My Documents’, 353 on the C: drive and even 78 on the D: drive!

4) After attempting to close the tab, another JavaScript alert pops up stating: “This computer is under attack They can seriously harm your private data or files, and should be healed immediately.Return to Antvir and download it secure to your PC” [sic].

Trojan attack image 3

Again, I clicked cancel and was redirected to yet another page:

5) This time, mind you, still caught in a craftily constructed malicious web page, I was shown a very authentic-looking Windows Security Center window, complete with a red “X” in the corner to close the window!

Trojan attack image 4

6) Now here’s the ‘gotcha’. Clicking that security center window initiates the download of Setup_2001-15.exe – the real threat.

Trojan attack image 5

The only time my computer was in any real danger was when the final popup prompted me to download and install the Setup_2001-15.exe file. That would have been the point of infection, and that, my friends, is why this type of attack is referred to as a ‘trojan horse’. It is an attack that is meant to trick you into inviting your very foe inside your (fire)walled and protected city. In essence, I would have infected the machine myself.

At this critical point – simply cancel the download. That’s right, click the ‘Cancel’ button. In fact, if you encounter a similar scenario, keep clicking the ‘Cancel’ button, no matter how many popups appear. At the first opportune moment, close your browser window, then clear your cache (Temporary Internet Files). For those of you with experience using the ‘Task Manager’, use it to end the task.

Keep your cool. Don’t be alarmed by the ‘red alerts’, and the overwhelming number of ‘threats’ found on your computer. All you are seeing is an animated web page deceptively trying to fool you into installing malicious software.
