To inform, entertain and excite my kids, Jamie, Patrick, Aaron & Sarah Middleburgh, our family and friends.

About me: Dave Middleburgh, Hong Kong


Middleburgh:Curse of the Botnets

Middleburgh plagued by false alert

A month ago a colleague came into work and asked my advice about a virus on her husband's new PC. He went surfing over the weekend before applying his sunblock and anti-stinger cream (firewall and antivirus) and consequently ended up with a trojan giving a very persistent false alert that his hard disc was corrupt, the world was ending and he needed to buy some "Windows" recovery software yesterday!

The following morning I was woken by my wife who, through clenched teeth, accused me of corrupting her hard disk. As it happens I had booted up a new Linux distro from a USB drive in the wee hours (it's sleep therapy really!!) and even though I take scrupulous care not to update the boot sector of her Windows hard drive it was possible that I had cocked up!! Imagine my relief when I discovered that it was the same virus that had infected "hubby's" PC, although that was tempered by the fact that our PC was running a fully up to date version of McAfee antivirus software. Our PC runs Vista and has His and Hers logins. The malware was only active against my wife's profile, although when I logged in using mine the PC was suspiciously busy in the background (the disc had a life of its own and the PC was busy communicating over the net).

When I tried to clean the PC (full scan) McAfee detected and removed a trojan identified as FalseAlert!GB (an oldie from 2007?). However a browser window opened and closed on its own and I believe the trojan reloaded. Worse, when I disconnected the PC from the network, to kill the traffic that was slowing the system down, it simply turned the connection back on. After I did this twice I decided to physically switch off the WiFi router. I could have simply switched off the PC's WiFi card but switching off the router was psychologically more satisfying. I was buggered if I was going to let the PC play on its own!!

The fact that within the space of a day two unrelated PCs in my ken had fallen victim to malware begged the question as to whether any other of my assets might have been compromised. Apart from my wife's PC, I have a company laptop running Vista Professional, an old PC running various flavours of Linux and a netbook which our Filipina helper uses except when I take it on holiday to England.

At work we had only just changed the antivirus software used from McAfee to Sophos, so I kicked off a full and deep scan (the first) on my work PC. Surprisingly it found and removed two unrelated viruses. One was in the inbox of my #2 email client (this holds inbound email for the last 7 days as a contingency in the event that my primary client crashes; it's never used otherwise). The implication was that I had received a virus-infected email in the last week. Here's hoping that either Sophos had removed it on access or that I deleted the email from my primary mail without opening it! (I actually junk 50% of my inbound email, including work emails, on the basis that if it was important the sender would have (or should have) phoned.) The second trojan was buried away in a registry backup. Not being satisfied I also downloaded and ran the AVG Rescue package against the PC and then in safe mode (which unsafely switches Sophos off - go figure!!) ran Malwarebytes against it. Neither found anything else, which was reassuring.

All the versions of Linux on my old PC are fully patched up and hardened, with firewalls and ClamAV. There is an argument which says that viruses and trojans are not a problem for Linux since they are nearly all written for the Windows environment. I think this is a complacent and false view so I do the obvious..

My wife's PC was a bit more of a challenge. Fortunately it had two logins, which meant I could get in and run tools. Most home PCs only have one user profile (typically with administrator rights), which makes life difficult if it gets screwed. "Good practice" is good for a reason. Normal user profiles should NOT have administrator rights: it makes it more difficult for malware to automatically download software and hijack a PC (and that without locking down the browser), because, short of a privilege-escalation bug, anything that runs in a standard user's session can only change that user's own files and settings rather than install itself system-wide. Every PC should have an independent administrator profile.. nuff said!
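As an added example (not from the original post), here is how I would check which accounts on a Vista or XP box actually hold administrator rights and split the everyday login from a dedicated admin account. The account names `Sarah` and `PCAdmin` are assumptions; the `net user` / `net localgroup` commands are the stock Windows ones and work on those old versions where the newer `Get-LocalGroupMember` cmdlet does not exist. Run it from an administrator login; with `$Apply` left at `$false` it only prints what it would do.

```powershell
# Added example, not the post's own code: audit local administrator
# membership, then move the daily login to a standard user while a
# separate admin-only account keeps the rights. Names are assumptions.
$DailyUser = 'Sarah'      # assumed everyday (should-be-standard) login
$AdminUser = 'PCAdmin'    # assumed dedicated administrator account
$Apply     = $false       # set to $true to actually run the commands

# Parse the member list out of "net localgroup Administrators":
# everything between the dashed separator and the "command completed" line.
$inMembers = $false
$members   = @()
foreach ($line in (net localgroup Administrators)) {
    if ($line -match '^-{5,}')                  { $inMembers = $true; continue }
    if ($line -match '^The command completed')  { break }
    if ($inMembers -and $line.Trim() -ne '')    { $members += $line.Trim() }
}
Write-Host "Local administrators: $($members -join ', ')"

if ($members -contains $DailyUser) {
    Write-Warning "$DailyUser is an administrator: malware run from that login can install system-wide."
} else {
    Write-Host "$DailyUser is already a standard user."
}

# Caveat: under Vista UAC an admin account logs in with a filtered token, so
# WindowsPrincipal.IsInRole(Administrator) only tells you whether the current
# process is elevated, not whether the account is in the group. The group
# listing above answers the least-privilege question.

$commands = @(
    "net user $AdminUser * /add",                       # prompts for a password
    "net localgroup Administrators $AdminUser /add",
    "net localgroup Administrators $DailyUser /delete"  # do this last, after
                                                        # logging in as $AdminUser
                                                        # once to prove it works
)
foreach ($cmd in $commands) {
    if ($Apply) { Invoke-Expression $cmd } else { Write-Host "would run: $cmd" }
}
```

The order matters: create and test the new admin account before demoting the daily one, otherwise you can lock yourself out of administration on a single-profile PC, which is exactly the situation the post describes as making cleanup hard.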

Anyway I updated McAfee and kicked off a full and deep scan - it detected nothing. I then turned off McAfee and ran in sequence the Kaspersky Virus Removal Kit, Microsoft Safety Scanner and finally Malwarebytes. Each reported and removed one or more viruses, mostly in backup files, although it was Malwarebytes which seemed to finally remove the problem trojan. It was then just a matter of unhiding all the files and folders which it had hidden.... to be back up and running, or so it would seem.....

Consider this: you have a virus scanner and a firewall enabled which fail to prevent one or more trojans being downloaded. What's the worst that can happen?? Nasty people delete your personal files like photographs; they take over your machine and bandwidth; they steal your user ids and passwords to impersonate you and implicate you in illegal file downloads, pornography, paedophilia, money laundering and other illegal activities; they steal your financial details, e.g. bank account and credit card, to plunder your accounts, destroy your credit worthiness and so on...... The evil scumbags!!!

My wife's biggest concern was of course the photographs..... mine was whether I had really got rid of ALL the trojans and, if so, whether they could return. I insisted that the next day we bought an external drive so my wife could back up all her files... especially the photographs.

I then crawled all over her PC tightening it up wherever I could. I discovered that although installed, Microsoft Defender had never been run - this was easily fixed. Also Lenovo auto backups were enabled even though they hadn't run for 2 years because the PC had run out of disc space. What's the point of backing up on the same drive - not a lot of use if your drive dies!! A traditional external 3 generation backup set works for me!! To resolve this problem I simply uninstalled the software (including the old backup files) and then reinstalled the newer version before generating a new backup to the external drive. In the process I freed up over 50% of her disc space, which coincidentally makes virus scanning much faster.

I also reset her IE9 privacy and security settings (she doesn't use IE but it's now so tight she probably couldn't). Amongst other things temporary files are cleared completely at session end; I have removed all add-ons and toolbars except the Java runtime and reset Internet security for both the internal and external zones to High. Similarly I removed unnecessary add-ons, extensions and toolbars from Firefox, disabled all user id and password saving throughout the system, clearing every password off the machine, and set housekeeping to delete files by session. I did consider installing some anti-keylogging software but decided against it because there is a potential adverse performance hit (it works by remapping the keyboard so that the keylogger records rubbish, or so the theory goes). I am looking at router based firewall options and/or setting up a proxy server to block anything which might be leaking out from the PC or seeking to infiltrate it.
(Turning the PC off when not in use is a good idea - not just putting it in sleep mode!!) And I will be doing monthly malware scans using Malwarebytes and the like until I am satisfied it's clean. They do say you can never trust a PC once it has been compromised.
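The "3 generation backup set" to an external drive mentioned above, as an added example that is not the post's own code: each run copies the photo folder to a new timestamped folder on the external drive, checks the copy file by file against the source before anything is pruned, and then deletes the oldest folders so only the three newest generations remain. The folder names, the sample files and the fourth run that pushes the first generation out are constructed for the demonstration; the external drive is assumed to be mounted somewhere writable and unplugged again afterwards, so whatever is on the PC cannot reach the copies.

```python
"""Added example, not code from the original post: a three-generation
("grandfather/father/son") rotating backup with a verify step.
Assumes the source is a folder such as the photo library and the
destination is a folder on an external drive that is unplugged after use."""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

GENERATIONS = 3  # keep the three newest backups, as in a rotating backup set


def _digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large photos do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(tree: Path) -> dict:
    """Relative path -> digest for every file under `tree`."""
    return {p.relative_to(tree).as_posix(): _digest(p)
            for p in tree.rglob("*") if p.is_file()}


def verify_backup(source: Path, target: Path) -> bool:
    """True only if target holds exactly the source's files with identical content."""
    return snapshot(source) == snapshot(target)


def list_generations(dest_root: Path) -> list:
    """Backup folders under dest_root, oldest first (timestamp names sort in order)."""
    return sorted(p.name for p in dest_root.iterdir() if p.is_dir())


def rotate_backup(source: Path, dest_root: Path,
                  generations: int = GENERATIONS, stamp: str = None) -> Path:
    """Copy `source` to dest_root/<stamp>, verify it, then drop the oldest
    backups so that only `generations` remain. A failed verify removes the
    bad copy, leaves the older generations untouched and raises."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    target = dest_root / stamp
    dest_root.mkdir(parents=True, exist_ok=True)
    shutil.copytree(source, target)          # refuses to overwrite an existing stamp
    if not verify_backup(source, target):
        shutil.rmtree(target)
        raise RuntimeError(f"backup {target} did not verify; old generations kept")
    for old in list_generations(dest_root)[:-generations]:
        shutil.rmtree(dest_root / old)       # prune only after a good, verified copy
    return target


def demo(work: Path = None) -> list:
    """Constructed sample: back up a small photo folder four times and return
    the surviving generation names (the three newest)."""
    if work is None:                         # self-contained run in a temp dir
        with tempfile.TemporaryDirectory() as tmp:
            return demo(Path(tmp))
    src = work / "photos"
    (src / "2011").mkdir(parents=True)
    (src / "2011" / "beach.jpg").write_bytes(b"\xff\xd8\xff" + b"pixels" * 100)
    (src / "notes.txt").write_text("holiday in England\n")
    ext = work / "external_drive" / "photos_backup"   # assumed mount point
    for stamp in ("20110901-2200", "20111001-2200", "20111101-2200", "20111201-2200"):
        rotate_backup(src, ext, stamp=stamp)
    return list_generations(ext)


if __name__ == "__main__":
    print(demo())   # ['20111001-2200', '20111101-2200', '20111201-2200']
```

Pruning happens only after the new copy has been verified, so a run that fails half way (drive full, file in use) never costs you an old generation, and keeping three dated copies means a photo deleted or encrypted by malware last week is still in an earlier generation.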

It wasn't until I tried to run a McAfee scan on the netbook that I realized I might have a real problem. The HP netbook runs XP and IE8. Our helper Marylou had also installed Yahoo Messenger, which the security team at work consider monumentally "unsafe". Basically the system seemed to be busy doing its own thing. Browser response was slow and there was a frequent and annoying Visual C++ popup indicating that a "program was trying to close down a process in an unexpected way". Since I couldn't get McAfee to complete a full scan properly I turned it off and ran in sequence the Kaspersky tool, AVG tool, Microsoft tool and Malwarebytes. Between them they identified and removed about 12 different trojans. I am not convinced these were active trojans, suspecting they may be files associated with trojans which were not properly identified and cleaned out by McAfee on previous (successful) scans. However, since I would expect a trojan developer to modify and build upon existing trojans, there is a risk associated with leaving residual files in that they may be co-opted by a newer trojan. I realised that Microsoft Defender hadn't been installed so I fixed that and for good measure reinstalled McAfee; I went through the IE8 settings in the same way as on my wife's PC and upgraded/tuned Firefox. I removed Yahoo Messenger and installed Pidgin as a safer alternative. Running out of time for further changes I gave the netbook back to Marylou. After a week I repossessed it and reran Malwarebytes. I didn't find anything new, but when I checked the following week two trojans previously removed were back. After clearing these the Visual C++ popup came back (if it ever went away) and I came to the conclusion that something was probably trying to shut down McAfee, since it again was not responding properly when I tried to update or run a scan. I tried cleaning the registry and installing a later version of the Visual C++ runtime libraries, to no avail.
My wife pointed out there were lots of posts on the Symantec forum about Visual C++ problems with suggested fixes, but this only confirmed to me the obvious: that some viruses targeted common antivirus software. Whilst I might fix this McAfee problem it might be better to simply use another reputable virus scanner, which is what I did, selecting Avira from the Microsoft partner list (the paid version is used by my wife's company - a large telecom) and a firewall from Check Point. On its first scan it detected and removed a suspect virus which shuts down processes (Appl/Killapp.A) - quelle surprise... and behold, the Visual C++ popups have stopped. (It might of course be pure coincidence!!)

This still leaves me with a usage issue. Marylou is familiar with IE and prefers to use it rather than Firefox (if I have to I will delete it to force her). I suspect that what people say about security vulnerabilities associated with IE8 and XP may be really true (and not marketing hype). In the last analysis I have an alternative solution - I can install Linux on the netbook!! I have already done so on her home PC and that one now runs like a rocket without any problems!!
