Virus infections return in spite of doing the right things!

Virus infections return in spite of doing the right things!

I've been successfully cleaning computers of virus and spyware for over 10 years now, and only in recent months I'm seeing properly protected computers getting infected in spite of the user doing all the right things. (I.E.; Good anti-virus/spyware program(s) installed, weekly scans performed, and only going to safe websites.) A cleaned computer is typically getting re-infected within 1 to 3 months.

Upon questioning various users of infected computers as to what they were doing around the time the computer got infected, I'm beginning to narrow it down as to where the problem is. So far, it's looking like the common factor is Email! I suspect that they are clicking on links within their Email from trustworthy friends or relatives to view an amusing or interesting video or website. I believe the website itself is bringing on the infection. The infection is getting past all the most common AntiVirus programs such as.. MSE, AVG, NOD32, McAfee, and Norton.

I'm now advising folks to be extremely cautions and try to avoid clicking any links within an Email unless you know exactly what it is. For example, you just purchased something online and receive a confirmation Email with a link to track your order. And that Email better have your name & specific info about you indicating it's legitimate!

Another example.. Your best friend sends you an Email about the funniest video he ever saw with link to click on. I'm saying DO NOT click the link! The video might be legitimate, but the website may infect your computer! The "bad guys" could be changing the method of infection so frequently that no AntiVirus program could ever keep up with it in it's definitions.

Bottom line, Email seems too risky anymore to use for sharing trivial info, pics, videos, etc.. If you like sharing those sorts of things, use Facebook which is safer than Email.

Thoughts, & opinions welcome.

---pete---

 

Facebook is still NOT safe..

Remember CLICKJACKING attacks?

 

What networks are they connecting to when they get infected?
How strong is their router security set up?
Is someone connecting to their network with an infected system?
Do they have or use a Hardware Firewall?
Are they running a trojan software or CD intermittently?
When reinstalling the OS what wipe methods do you use?

Ask them to bring in their router for review.

Maybe set up a batch script that will run DDS, Oldtimer or similar programs daily or once a week to a log file on your repeat customers. Tell them about the install and suggest a 3 month checkup to review the logs.

 

The thing is, there aren't safe websites. There are legitimate and illegitimate websites, and sometimes legitimate websites get compromised and either host malware/malicious code and/or redirect users to malicious URLs.

Yes, indeed, many infections do come from such type of e-mails. Funny videos, presentations of some sort and with nonsense content, etc.
Other times, they may eventually also receive e-mails for friends with URLs, and sometimes, such e-mails aren't, personally, sent by their friends, but by someone else who has hijacked their friends e-mail accounts.

Something more than an AV is needed. Regarding e-mails, and generally speaking, a containment solution is needed, such as sandboxes/virtualization.

But, my experience is that, they'll still be compelled to watch the video. Hence, what I previously mentioned stands: sandbox/virtualization.

Is it so? The experience could be safer, though.

Facebook isn't a monster. Sometimes it does bring REALLY GREAT usefulness! These days, I saw a news about a family that, after like 10 years, got their daughter back, because she created a Facebook page, telling parts of her story (she didn't know it all, though)! That's how her family found her! How amazing is that?!

 

Right, Facebook is not 100% safe but it's more secure than Email. Plus the fact that once 1 person is harmed from a specific link on Facebook, it's more likely that the other people will be notified quickly and protected from the same mistake. Besides all that, Email just seems like the old way of sharing info with groups of people.

 

You make some good points about other ways the virus can be getting in and I will look into those. Thank you.

Are you talking about Wireless Security of their router?

I clean a computer using at least 3-4 different programs and rarely resort to reinstalling the OS. If I do reinstall the OS, I delete partitions, repartition and reformat.

If the same exact virus was returning I'd suspect the computer was not fully cleaned, but it's a different virus each time and often it's a re-infection after 2 months have passed from the last cleaning, which suggests to me the user is coming in contact with a new virus. The BIG question that comes to mind is why won't the antivirus program(s) stop the attack? They used to be effecitve. And.. if we can't rely upon the antivirus program for protection then we have to focus more upon how to avoid the attack in the first place.

What I'm going to do is discourage my few problematic customers from clicking on any link within an Email and see if that solves the problem.
My gut feeling is that Email links are the real risk to be avoided.
I'll report back my findings in a few months.

Thanks for the suggestions and tips!

---pete---

 

I have to educate myself on the containment solution. This might be the key because I also noticed lately a large increase in hijacked Email accounts that send out dangerous Emails to everyone in the address book.

Thanks!

---pete---

 

Pretty much everything, how is it configured, including wireless?
What ISP do they have?

 

Entrusting so much personal and financial information to technology and yet keep falling for these lame traps. Humanity never fails to amaze me.

 

I have Sandboxie Paid. I force all web browsers to sandbox, have internet access and start/run restrictions and have the Sandboxie option enabled for running something like LUA for sandboxed applications. A few months ago I made and started using a sandbox just for Outlook 2003.

Yes, some sort of virtualization like Sandboxie is needed. Since there is still a slight risk of something getting through, routine System Partition Imaging to secure storage should also be done.

 

Just two thoughts come to mind upon reading…

PEBKAC

As I’ve suspected for the longest time, antivirus/antispyware is largely useless - at least on its own. A better approach is sandboxing or a default-deny, whitelist approach using SRP, AppLocker, or some other means of anti-executable, which could also include configuring a decent HIPS this way.

BTW petef, did you ask them if they are running as administrator or standard user when these infections occur?

 

exactly what it came to my mind when i was reading the thread
cant antivirus be blamed for slipping new malware of their database every time ... IMHO

 

Answer: Administrator.

I thought about setting up a 'Safe User" account with limited access but in the long run this creates problems and I'm just not very confident that it will offer much protection on an XP computer.

As a general rule, I know that a standard/limited user account can help security as well as password protecting all user accounts and the administrator account. I may wind up doing all those things. Initially I'm going to try to get them to stop clicking on links within the Emails to see if that helps.

---pete---

 

ISPs are typically Comcast or Verizon.

Router config is a bit complex to speak about here. Some have routers, some do not. Wireless is typically set for WPA2. Otherwise, the routers probably just have the default settings.

My feeling is that the router is an extra level of protection and the antivirus & antispyware software should be able to stop the attack. If not, then the user probably needs to do something differently to avoid the problem.

The common thing I'm finding amongst these problematic users is that they are all "Seniors" who are not all over the Interent. They mainly do Email, some online banking, and mainly use largely safe websites. Each one of them receives Email from friends with links to click on in order to view a video or interesting website.

---pete---

 

I'll look into it. Thanks. These users are seniors so it has to be something I can install which is seamless because they can't handle anything too complex.

I found out a long time ago that the novice user can't even handle a firewall because they panic and block access anytime an alert pops up. After that, something legitimate stops working.

---pete---

 

I suggest doing the following along with Drop Rights enabled.

https://www.wilderssecurity.com/showpost.php?p=1639411&postcount=185

 

Everyone,
I may have found at least one part of the problem and solution!

On one of the problematic computers of this thread that I now have in my shop, I had the computer just about all cleaned up again and noticed that a new virus file was being detected. As it turned out the Windows Task Manager was loaded with about 30 scheduled tasks that were attempting to download malware into the computer on an hourly schedule. I deleted all those scheduled tasks and re-ran all my scans. So at least on this one computer, I have an explanation as to why the computer became reinfected after it was cleaned.

So everyone, please remember to check the Windows Task Manager for unusual tasks scheduled that could be downloading malware hours after you've cleaned the computer.

This still does not explain how this particular computer got infected in the first place, so I'm still going to advise the user NOT to click any links in Emails even from trusted friends. I'll ask that they respect that rule for a month or so just to see if the computer stays clean. After a month or so, they can click those links and we shall see if they get infected again within a month or so.

---pete---

 

Thanks for all the info on the Sandbox concept!
---pete---

 

Hi, Pete, few things:

1. What was the actual downloader for there malware via scheduled task? Browser? Or a malware itself?

2. Are you sure you take care of any rootkit stuff well enough. Latest ones esp TDL series are really stealth.

3. If you really think that e-mail and browser are malware vectors, just sandbox them, no more malware, i reassure you. There is geswall free that wil do the job.

4. In my experience, USB devices and memory sticks are the main source of malware for XP( not a problem in windows 7 though). I wil recommend NoAutorun for that.

Do you check their USB devices, memory sticks and external hard driver etc for auto-run and .lnk exploit malware?

 

Just use DropMyRights when you set up their PCs to launch risky apps from editied desktop/quicklaunch shortcuts under standard user privilages - they'll never know the difference.

It's hardly as robust as a sandbox, but it's far easier and usually makes any cleaning easier afterwards.

 

It's bit complicated and i'm not sure how the entire process operated, but below are some clues.

NOD32 indicated...
h t t p ://f i r a s b i l l.c o m/idebil.php?sdfsdgf=490, JS/TrojanDownloader.Agent.nwg
(spaces added above to keep link from being active here.)

There were many DOS Batch files in the folder.. C:\Documents and Settings\NetworkService\Application Data

I'm not quite sure what the scheduled task was defined as because I simply deleted the tasks.

When a scheduled task would run, a JAVA Script would be added to the folder.. C:\Documents and Settings\NetworkService\Application Data

I manually deleted all the scheduled tasks and DOS Batch files.
NOD32 deleted all the JAVA script files.

I ran scans using MSE, NOD32, SAS, and MB. I also ran TDSSKILLER which has proven more effective than the Olmarik Cleaner found on this site.
All the above run on infected HD slaved to a clean PC, then
run again after reinstalled HD to computer.

No USB devices involved here, but I'll keep that in mind in the future.

---pete---

 

So on this note I would definitely support others who are recommending a sandboxing approach. If you set restrictions on only specific apps that are allowed to access the Internet, enable drop my rights, and perhaps set it so it deletes all contents upon exiting, then you've got a fairly bullet-proof solution for less savvy users. This is similar to how I've set things up for my kid's machines, using Sandboxie, and no issues for ~ 6 months now. Better yet if you could add a standard acount for them which they use for all their surfing and email (from a sandbox of course) and general purpose use, that's even better, although I do understand this would add considerable work for you.

 

Maybe try running some ARK's like GMER, Kernel Detective and XueTR, to ensure you've gotten all of the lurchers.
Kernel Detective is pretty thorough, but requires debugger skills.
XueTR is just as thorough but you can export each window to a text file to get some help if you don't understand something.

TDSSKiller doesn't always detect what's out there, cat and mouse game continues.

I think for any Sandbox solution, any writes that can occur to the real disk is the weakness that can allow malware persistence to occur. For simplicity, I like Defensewall, Geswall, and Sandboxie.

 

PeteF,

Are the users running the current version of security software. And I dont mean a 2009 product with the latest definitions, but rather a 2011 product.

Also, what email clients are they using ?

 

-In addition to other recommendations, use ad-blocking software. Most of the time when a legit website servers malware, it because some ad server is hacked and than all the legit sites that display ads from that server serve the malware.