Microsoft has worms

Yesterday a relative of mine phoned me, as they do when there is some problem with their PCs.

She said that icons had disappeared from her desktop, and the mouse cursor moved on the screen on its own. I asked whether she has a virus-checker installed; the answer was yes, but some time ago it asked to do an upgrade and the upgrade failed.

These days I don't know what the best thing is for protecting a Windows system (she has XP), but I told her to look on shareware.com. She downloaded "Spyware Doctor" and ran it. A little while later she phoned back and said that it had found five worms!

I told her that is not very good, and possibly all her passwords and credit card details are known to a Russian gang. Probably also her PC is part of a 'botnet'.

I advised her to disconnect the PC from the Internet until she was sure that it was clean. Also, she needed to get a new credit card, and using a "clean" PC change all passwords.

She has not yet phoned back whether 'Spyware Doctor' has removed the worms. It's only the evaluation version she is using.

I am heading down to Perth later this week, and I'll have a look at her PC.

I feel really sorry for Windows users. The vast majority of people have little or no technical knowledge; for them the PC is just an appliance and is expected to work safely, like the fridge or microwave oven.


Posted on 24 Aug 2009, 8:31


Comments:

Posted on 24 Aug 2009, 8:54 by Ron
Use Puppy
Barry

You are nicer than me, I would have recommended they stop using Windows and use Puppy Linux (at least any time they are connected to the net).

I have been using Puppy for about four years and still haven't found anything better for people that just need to browse and check email. Like our 70-80ish parents.

Regards, Ron


Posted on 24 Aug 2009, 8:26 by downsouth
dual boot
For those rellies of mine who MUST use Win for offline stuff (ie games, Win specific progs), I offer dual-booting, with only Puppy for internet use. No wireless drivers on Win partition. Works well.


Posted on 24 Aug 2009, 8:36 by dogone
Puppy as a firewall
Is there a practical way to employ Puppy as a firewall for Windows systems? We are all Linux here save for my wife's XP machine. It has direct access to the net (as do all the machines) and THAT'S the problem. If I could use Puppy to protect the XP machine, I'd do so in a moment.

Simply keeping a Windows machine "off-line" is not a solution. MS has issued thousands of beneficial XP patches that have substantially improved the OS.

I should mention that my wife is among those who refuse to use anything but Windows.


Posted on 24 Aug 2009, 10:09 by deniross
tool to remove them
Barry, a good tip is the free standalone app from McAfee (no install required); it's called Stinger. It removes the latest worms.

can be found here: http://vil.nai.com/vil/stinger/

You can keep windows xp actually very clean with a few simple steps.

Disable the Windows Scripting Host (this step alone will protect you against >80 percent of all viruses), unless you are stupid enough to run a script manually.
Next, run as a restricted user. Next, only use a decent browser, with script blocking, and only allow scripts on sites you can trust.

I never used real-time virus scanning, and never ever had a virus or worm. The only spyware I am running is Skype. But directly before using Skype I always use CCleaner to clean all history of opened documents, internet cache, cookies and Flash supercookies, because while monitoring Skype's behaviour I saw that it runs queries on all that. Same goes for the Linux version though. But I don't run Skype on Linux anymore. For the last 3 years I have only used Windows XP for certain games and Skype.


Posted on 24 Aug 2009, 12:36 by Terry Ritter
Windows Malware is a Puppy Opportunity
Hi Barry!

I have been running Puppy 4.12 for about 8 months and like it for browsing with better security than Windows.

In my view, we are in an era of bots, and the era of removing malware has passed. Correcting a modern malware infection generally means installing a saved OS image from the past, or an OS re-install.

Windows users need:
1. to keep current with OS updates,
2. both an external router firewall and the Windows firewall,
3. perhaps to use OpenDNS (208.067.222.222 and 208.067.220.220),
4. some free antivirus scanner,
5. Firefox with Adblock Plus, NoScript, WOT, RequestPolicy and BetterPrivacy add-ons,
6. on-line email,
7. a separate free password manager,
8. a different long random password for every device and every web site and every account, and
9. to use SSL (https://) whenever possible, but without fail when entering passwords.

One security failure of modern systems lies in exposing an easily-writable hard drive. The OS cannot protect the drive when the OS has been subverted by malware, so only hardware protection counts, and there is none. We largely have that protection when loading Puppy from DVD, which is a big security win.

DVD loading is attractive, and I use it, but write failure risks losing every file in every earlier saved session. After every DVD write the OS should verify the result. And if the write failed, the system must stay up and allow retries and alternatives until the user finally gives up.

We can make a read-only USB flash drive with a small USB card reader and an SD card. SD cards have hardware write-disable switches. Ideally, the OS would load into RAM and allow the boot flash to be removed just like we can remove a DVD, but Puppy does not allow that.

Usually I run Puppy on a system that has no hard drive at all. Where there is no hard drive, there is no hard drive to infect.

Terry
ritter@ciphersbyritter.com



Posted on 24 Aug 2009, 15:11 by Alexandru
Spybot - Search & Destroy
"Spybot - Search & Destroy" is the best free software for Windows that removes spyware and other kinds of malware from your computer:
http://www.safer-networking.org/en/tutorial/index.html

Spybot S&D should work with Wine on PuppyLinux to clean the Windows partition, as it features "full Wine support".


Posted on 24 Aug 2009, 15:13 by cthisbear
Windows cleanout How to.
Barry.

See my How to Clean out XP reply.

http://forums.whirlpool.net.au/forum-replies.cfm?t=1261484&p=3

If your relative uses those boot cds she has
a chance to clean her system.
Links are all in the Whirlpool post.

Dr.Web LiveCD
Avira AntiVir Rescue System Boot cd
and then Hirens.

AntiVir Free Version as her regular scanner
is a great product.

//////////

Yes puppy sure gives you freedom.
Plus heaps of extra time.

Post this to her, anyway.

Regards Chris.



Posted on 24 Aug 2009, 18:30 by happypuppy
Protecting an XP box
"I don't know what the best thing is for protecting a Windows system (she has XP)"

Enable the Windows firewall, install AntiVir Free, immunize the system with Spybot S&D and use Firefox/Opera instead of IE.



Posted on 24 Aug 2009, 24:46 by prehistoric
had good luck with Comodo
Like you, I have friends and relatives who refuse to be weaned away from Windows. This last year has been particularly hard on them.

Several reputable commercial products have failed miserably in protecting them. Once a system is compromised it can be extremely hard to clean, unless you are prepared to reformat the disk and reinstall everything. (You know how few people are willing and able to do this.)

When I maintain a Windows system (which I will only do for special friends) I try to keep an image of the entire (uninfected) drive off-line, so I don't have to start from scratch after an infection. In the simplest case, I merely roll back to the last known good version and install essential updates, then have them change passwords. I suggest that activities like on-line banking should be done from a different system, running out of RAM, so it can't easily be compromised. (Guess which OS I recommend.)

My current favorite for free software protection is Comodo Internet Security. This has removed infections that had previously defeated popular tools from Norton and other companies. (You should start with a full scan of the disk at installation time. Current worms can lurk in all kinds of places.)



Posted on 24 Aug 2009, 24:50 by prehistoric
more on malware
(continued from previous post)

I have been shocked by some of the malware I have encountered recently. Some now goes after the anti-malware program itself, since this loads ahead of everything else. Even removing an instance of an infection can leave you open to reinfection from infected periodic tasks. I found one jammed into an HP update task. (This is not to say there is something bad about HP, only that people are targeting popular programs which run as updaters accepted by the OS.)

In one case, I had a four-hour battle with malware that had me thinking "Where is Sigourney Weaver?" It managed to reinstall itself repeatedly, and deliberately clobbered popular anti-malware programs. You may need to download programs on an uninfected machine, because the infected machine will selectively deny you the internet connections you need. If something about networking doesn't add up, you should consider infection. Unfortunately, with Windows Update opening multiple download threads, it is not easy to tell it from malware. Maybe there is no difference.

One more wrinkle has resurfaced, which prompted me to post here. The old trick of popping up messages which purport to be from your antivirus is back. It even goes so far as to display characteristics of well-known malware for which there are simple solutions. The catch is that it is faking. The simple solution no longer works on it. It also posts warnings of multiple infections which are not present. I caught on when one of the warnings mentioned things which were never in that machine. The suggested solution is to pay money for a custom tool which will solve the spurious problems by removing the single program causing all the messages. For all I know, it may leave a back door for later exploitation. This has appeared with several different "skins". I suspect versions are generated with professional malware creation tools.

On Windows, only the paranoid survive.



Posted on 25 Aug 2009, 5:30 by playdayz
Linux Browsing Appliance
Anyone using Windows should consider running a virtual machine with Puppy to do their browsing. VMWare Player and VirtualBox are both free of charge and can quickly start Puppy, as quickly as starting any Windows program. Then windows users can do their browsing in the safer linux environment. We have at least two ready to go.

http://www.murga-linux.com/puppy/viewtopic.php?t=45028

http://www.murga-linux.com/puppy/viewtopic.php?t=44707

plus we have at least one "qemu Puppy" but it has never run for me.



Posted on 25 Aug 2009, 8:30 by zygo
good luck
Yes Barry, very sad about unwitting MS users.

prehistoric, you put it well! I haven't been on the frontline in recent years like you but that description is all too familiar from those I know who have been.

You'll be going into the field with a Puppy liveCD with extras: Spybot Search & Destroy (updates Wednesdays) and Stinger (updates rarely); they can be run from a CD. IE sadly must be used by that OS for updates -- but nothing else. Firefox uses IE sometimes, so Opera for browsing. You might want to look at Agnitum Outpost Firewall Free 2009. Their original freebie was very good when I used to run an MS box - as I will soon have to again. I like the look of Comodo IS's firewall too.

From http://technet.microsoft.com/en-gb/sysinternals/default.aspx these can also be run from CD: Process Explorer and AutoRuns which I used to stop the bundled security software from pestering me. Thus avoid putting personal details on the hard disk.

Do not ask a general-purpose search engine for links to anti-malware. Instead search for approvals, with links, on a reputable publication's website -- eg guardian.co.uk . Search engines are incapable of approval.

Get her to use Puppy for 30 mins as a condition of you helping her. Even if she can not practically do without xp. Well try again.

By coincidence Puppy is costing a healthy 6 pounds in the UK with a free copy of a linux magazine in the shops -- I can't find the mag online. It must be good - it costs money.

Also I've just read a very, very sad story at http://www.guardian.co.uk/technology/2009/aug/12/ethiopia-computer-virus .



Posted on 25 Aug 2009, 24:32 by Nan M
Nuke and repave
That's a black hole you're approaching.
If your experience is anything like the few I've had lately with a couple of XP machines, much time can be saved by a format and clean install.
In the event that saved files are infected, you will have lost about 25 minutes of what will be a marathon - if data has to be disinfected - and in the event that data isn't infected, you can have the rest of the time saved enjoying your friend's company.


Posted on 27 Aug 2009, 6:43 by Terry Ritter
Windows Malware
Removing malware is what we did in dial-up days. Modern malware can set up a bot and join a herd almost instantaneously on broadband. Malware can hide in a rootkit that Windows cannot see. The bot can pretend to be a valid process. The bot can download a range of low-tech malware so the owner has something to find and remove. Then the scanner says "nothing found," and the hidden bot remains.

Using Windows to scan for rootkit-protected malware probably is a waste of time. We do not know how to find all possible rootkits. Thus, malware scans should be done from a live DVD so rootkit files are exposed. I could almost recommend the Avira AntiVir Rescue System, except it did not recognize the video card on my media PC, and I did not see how to save the log so I could address the problems from Windows.

Scanning is limited to finding what somebody else has already found, analyzed, and introduced into the signature files. Scanning has little hope of finding "zero day" attacks, directed and limited attacks, or modern polymorphic or self-encrypting malware. Scanning does not protect individuals very well, but it might help society by limiting major outbreaks. Unfortunately, malware scanners cannot certify a computer as "clean."

Once a bot is in the herd, there is no way to know what has been done, and thus no way to reverse it. We may find the loader, or even the bot, and still not be able to put things as they were. Microsoft can and should do more, but currently the way to get rid of malware is to recover state from an uninfected OS image, or to re-install the OS. For noncommercial Windows imaging, I recommend Macrium Reflect Free from download.cnet.com.

Terry
ritter@ciphersbyritter.com
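Terry's two comments above make the same practical point twice: a saved session written to DVD is only worth having if the write is verified afterwards and a failed write leaves the system up for retries, and a recovery image is only useful if you can trust that the copy on disc matches what was saved. The following Python routine is an added example of that check and is not code from the blog, from Puppy Linux, or from any commenter. It writes a payload, reads the result back, compares SHA-256 digests, and retries on mismatch or I/O error, reporting what happened instead of silently continuing. The file names, the constructed payload, and the `writer` hook used to simulate a bad write are all assumptions made for the example.

```python
"""
Write-then-verify for a saved session or backup image: write the data,
read it back, compare SHA-256 digests, and retry on mismatch or I/O error.
Added example; not code from the blog, Puppy Linux or the commenters.
File names, the sample payload and the `writer` hook are constructed.
"""
import hashlib
import os
import tempfile
from typing import Callable, Dict, List, Tuple


def sha256_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, streamed in chunks so large images fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def default_writer(path: str, data: bytes) -> None:
    """Plain write that forces the bytes to the device before returning."""
    with open(path, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())


def write_and_verify(path: str, data: bytes, attempts: int = 3,
                     writer: Callable[[str, bytes], None] = default_writer) -> Dict:
    """
    Write `data` to `path`, read it back and compare digests. Up to `attempts`
    tries; every failure is recorded so the caller can offer alternatives
    (another disc, a USB stick) rather than losing the saved session.
    """
    expected = hashlib.sha256(data).hexdigest()
    history: List[Tuple[int, str]] = []
    for attempt in range(1, attempts + 1):
        try:
            writer(path, data)
            actual = sha256_of_file(path)
        except OSError as exc:
            history.append((attempt, f"write error: {exc}"))
            continue
        if actual == expected:
            return {"ok": True, "attempts": attempt, "sha256": expected, "history": history}
        history.append((attempt, "digest mismatch"))
    return {"ok": False, "attempts": attempts, "sha256": expected, "history": history}


def demo() -> Dict:
    """Exercise the check with a healthy writer, a writer that corrupts its
    first attempt, and a writer that always fails. All faults are constructed."""
    payload = b"constructed session data\n" * 1000
    state = {"calls": 0}

    def flaky_writer(path: str, data: bytes) -> None:
        # Constructed fault: the first write drops the final byte.
        state["calls"] += 1
        default_writer(path, data[:-1] if state["calls"] == 1 else data)

    def broken_writer(path: str, data: bytes) -> None:
        # Constructed fault: the device never accepts the write.
        raise OSError("constructed write failure")

    with tempfile.TemporaryDirectory() as tmp:
        good = write_and_verify(os.path.join(tmp, "session.sfs"), payload)
        recovered = write_and_verify(os.path.join(tmp, "session2.sfs"), payload,
                                     writer=flaky_writer)
        failed = write_and_verify(os.path.join(tmp, "session3.sfs"), payload,
                                  attempts=2, writer=broken_writer)
    return {"good": good, "recovered": recovered, "failed": failed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "ok" if result["ok"] else "FAILED", result["history"])
```

The same `write_and_verify` shape applies to a restore image: keep the digest computed at save time, and recompute it over the copy on disc before trusting it as the "last known good" state that the later comments recommend rolling back to.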



Posted on 28 Aug 2009, 18:35 by adi
cloud antivirus
I use Windows on a separate desktop computer because of the drivers needed for several peripherals. I have installed an antivirus from www.cloudantivirus.com. They say it's low-resource, "forget about it" software.


Posted on 20 Sep 2009, 5:33 by Aitch
Forget viruses - run in a sandbox, if you MUST use windoze
This issue has been posted many times in the Forum.
I always recommend & use SandboxIE
http://www.sandboxie.com/
Run any browsing session in a sandbox - delete it when finished
Safe for emails/chat/ebay/paypal/banking/browsing etc...

Any virus/phishing attempt is contained in the sandbox
You can remove things to save them, but MUST run an Antivirus on them before opening!
Otherwise, use playdayz Virtual Puppy, I recommend that, too
Aitch :)
Safe browsing