Saturday, April 10, 2010

Computer Malware - How well did the System hold up?

I recently had the first virus infection on my home computer since the early nineties. It was a particularly nasty Java exploit called XP Internet Security 2010.

This seems to be quite a widespread thing, easily catchable, you just have to visit a web site that has various advertisements on it and according to some reports it has even infected the advertising on the US White Pages sites.

So, I guess that what was interesting about this whole thing is how well the anti-virus and anti-malware systems held up.


McAfee
I used to say that McAfee protects my system but now I'll just have to say that it's resident on my system - at least until it expires. Then again, since it was about as useful as an umbrella on a battlefield, it might not even last that long. McAfee's firewall and Anti-virus didn't even pop up a speech bubble during the entire infection episode. Talk about pointless software - All it seems to do is slow the system down with pathetic real-time scans.

Symantec
At work, we used to be big Symantec users until a series of faults in several of their software products and their sudden abandonment of some expensive hardware led me to abandon their entire platform. Nevertheless, I started looking for a Symantec solution as soon as it became apparent that McAfee was insufficient. Unfortunately, all of my googled searches kept finding the same page.

To cut a long story short, on this page, a user offers a convoluted (and dangerous) means of removing the infection and all the other users talk about how Symantec's products are still unable to detect the malware. The last post was 5 days prior to my own searches, so it seems that Symantec is not much help either.

Browsers
Before I start talking about using other tools to fix the problem, I just want to make a point about browsers. I use Google Chrome, which supposedly is immune to this sort of stuff. It obviously isn't. I noticed the problems when they first happened and followed steps to remove the problem. I thought I'd got it but obviously hadn't.

The thing is, that my computer worked fine for a few more days. The only noticible change was that Internet explorer was back on my Start bar as the default browser. I checked the settings in Chrome but it was still the default.

Eventually, I decided to click on IE just to see whether it would start Chrome or try to take over. That was when my real problems started.

The lessons from this;

  1. No browser is completely safe but Chrome is certainly safer than many.

  2. Internet Explorer is almost completely unsafe. I used version 8, with all the latest service packs and updates. It was still completely vulnerable and exposed my system. Nobody should use Internet Explorer for anything other that Microsoft Updates (and even then, if we're ever allowed to use a different browser, switch immediately).

Microsoft Security Essentials
This performed a full system scan - in fact, it's still doing it as I write this. So far, it's found nothing and it's been running over an hour (and looks to be about 10% complete). A fast solution it isn't - but I have hope that it's thorough.


PC Tools Spyware Doctor
I've always had a bit of a bias against the windows version of PC Tools. I guess it's because I got burned by the DOS version somewhere along the way, or because it fights with McAfee and causes our systems at work to freeze. In any case, I decided to give it a go, not expecting much.

It did the fastest scan out of everything I tried and detected the malware within minutes. It then popped up a dialog box telling me that it would only fix the problems if I paid for it first.

The price wasn't too bad and I was seconds away from paying for it but given that I've got known and active malware on my computer right now... do you REALLY think I'm going to put my credit card details in? Maybe I'll still buy it but I decided to look for a free solution first.


Spybot Search and Destroy
This software has always had a place in my heart. It's free and it's very good. I've had it on all of my computers but since this one has only recently been reloaded, I forgot. I downloaded it and ran it.

It's still running as I type but at least it's already identified some problems.


Microsoft Lunacy
First of all, it's identified two of those fantastic Microsoft Windows Registry Keys which have been modified.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

What is this crap!!

Seriously... Who puts these registry keys there anyway? Why are they even possible?

This is completely a Microsoft Problem. It's like Ford building a car and building in special provisions for something to disconnect the temperature warning gauge. It's complete rubbish. It's building a system to fail.


Resolutions
After running for about 70 minutes, Microsoft Security Essentials finally detected...

Trojan:Win32/FakeRean

It suspended the task and asked me if I wanted to remove it. I did and it's gone (I hope). Of course my Task Manager is still screwed but maybe a reboot will fix it. In any case, Microsoft Security Essentials scan is still only at about the 25% mark so perhaps there's more to come.

Thus far the answers are;

  1. Download and run Spybot Search and Destroy. No Windows PC should be without it.

  2. Download and install Microsoft Security Essentials.

  3. Make sure that you have a firewall and Anti-Virus program but don't rely on them. Also; remember that it's not necessarily true that on-access scanning is "better" than regular (nightly) full scans.

  4. Take Regular Backups - and maybe make Windows Rescue Disks (although in all honesty, I'm yet to see a situation where they actually work as intended).

  5. Use a safe(er) browser like Chrome but don't rely on it as 100% foolproof.