Virus infections return in spite of doing the right things!

Discussion in 'malware problems & news' started by petef, Mar 2, 2011.

Thread Status:
Not open for further replies.
  1. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    Virus infections return in spite of doing the right things!

    I've been successfully cleaning computers of viruses and spyware for over 10 years now, and only in recent months I'm seeing properly protected computers getting infected in spite of the user doing all the right things (i.e., good anti-virus/spyware program(s) installed, weekly scans performed, and only going to safe websites). A cleaned computer is typically getting re-infected within 1 to 3 months.

    Upon questioning various users of infected computers as to what they were doing around the time the computer got infected, I'm beginning to narrow it down as to where the problem is. So far, it's looking like the common factor is Email! I suspect that they are clicking on links within their Email from trustworthy friends or relatives to view an amusing or interesting video or website. I believe the website itself is bringing on the infection. The infection is getting past all the most common AntiVirus programs such as MSE, AVG, NOD32, McAfee, and Norton.

    I'm now advising folks to be extremely cautious and try to avoid clicking any links within an Email unless you know exactly what it is. For example, you just purchased something online and receive a confirmation Email with a link to track your order. And that Email had better have your name & specific info about you indicating it's legitimate!

    Another example: your best friend sends you an Email about the funniest video he ever saw with a link to click on. I'm saying DO NOT click the link! The video might be legitimate, but the website may infect your computer! The "bad guys" could be changing the method of infection so frequently that no AntiVirus program could ever keep up with it in its definitions.

    Bottom line, Email seems too risky anymore to use for sharing trivial info, pics, videos, etc. If you like sharing those sorts of things, use Facebook, which is safer than Email.

    Thoughts & opinions welcome.

    ---pete---
     
  2. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Facebook is still NOT safe..

    Remember CLICKJACKING attacks?
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What networks are they connecting to when they get infected?
    How strong is their router security set up?
    Is someone connecting to their network with an infected system?
    Do they have or use a Hardware Firewall?
    Are they running a trojan software or CD intermittently?
    When reinstalling the OS what wipe methods do you use?

    Ask them to bring in their router for review.

    Maybe set up a batch script that will run DDS, Oldtimer or similar programs daily or once a week to a log file on your repeat customers. Tell them about the install and suggest a 3 month checkup to review the logs.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The thing is, there aren't safe websites. There are legitimate and illegitimate websites, and sometimes legitimate websites get compromised and either host malware/malicious code and/or redirect users to malicious URLs.

    Yes, indeed, many infections do come from such type of e-mails. Funny videos, presentations of some sort and with nonsense content, etc.
    Other times, they may eventually also receive e-mails from friends with URLs, and sometimes such e-mails aren't personally sent by their friends, but by someone else who has hijacked their friends' e-mail accounts.

    Something more than an AV is needed. Regarding e-mails, and generally speaking, a containment solution is needed, such as sandboxes/virtualization.

    But, my experience is that, they'll still be compelled to watch the video. :D Hence, what I previously mentioned stands: sandbox/virtualization.

    Is it so? ;) The experience could be safer, though.

    Facebook isn't a monster. Sometimes it does bring REALLY GREAT usefulness! These days, I saw a news story about a family that, after like 10 years, got their daughter back, because she created a Facebook page telling parts of her story (she didn't know it all, though)! That's how her family found her! How amazing is that?!
     
  5. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    Right, Facebook is not 100% safe but it's more secure than Email. Plus the fact that once 1 person is harmed from a specific link on Facebook, it's more likely that the other people will be notified quickly and protected from the same mistake. Besides all that, Email just seems like the old way of sharing info with groups of people.
     
  6. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    You make some good points about other ways the virus can be getting in and I will look into those. Thank you.

    Are you talking about Wireless Security of their router?

    I clean a computer using at least 3-4 different programs and rarely resort to reinstalling the OS. If I do reinstall the OS, I delete partitions, repartition and reformat.

    If the same exact virus was returning I'd suspect the computer was not fully cleaned, but it's a different virus each time and often it's a re-infection after 2 months have passed from the last cleaning, which suggests to me the user is coming in contact with a new virus. The BIG question that comes to mind is why won't the antivirus program(s) stop the attack? They used to be effective. And if we can't rely upon the antivirus program for protection then we have to focus more upon how to avoid the attack in the first place.

    What I'm going to do is discourage my few problematic customers from clicking on any link within an Email and see if that solves the problem.
    My gut feeling is that Email links are the real risk to be avoided.
    I'll report back my findings in a few months.

    Thanks for the suggestions and tips!

    ---pete---
     
  7. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    I have to educate myself on the containment solution. This might be the key because I also noticed lately a large increase in hijacked Email accounts that send out dangerous Emails to everyone in the address book.

    Thanks!

    ---pete---
     
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Pretty much everything, how is it configured, including wireless?
    What ISP do they have? :D
     
  9. Someheresomethere

    Someheresomethere Registered Member

    Joined:
    Feb 17, 2011
    Posts:
    71
    Entrusting so much personal and financial information to technology and yet keep falling for these lame traps. Humanity never fails to amaze me.
     
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I have Sandboxie Paid. I force all web browsers to sandbox, have internet access and start/run restrictions and have the Sandboxie option enabled for running something like LUA for sandboxed applications. A few months ago I made and started using a sandbox just for Outlook 2003.

    Yes, some sort of virtualization like Sandboxie is needed. Since there is still a slight risk of something getting through, routine System Partition Imaging to secure storage should also be done.
     
  11. wat0114

    wat0114 Guest

    Just two thoughts come to mind upon reading…

    PEBKAC

    As I’ve suspected for the longest time, antivirus/antispyware is largely useless - at least on its own. A better approach is sandboxing or a default-deny, whitelist approach using SRP, AppLocker, or some other means of anti-executable, which could also include configuring a decent HIPS this way.

    BTW petef, did you ask them if they are running as administrator or standard user when these infections occur?
     
  12. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    :thumb: Exactly what came to my mind when I was reading the thread.
    Can't antivirus be blamed for slipping new malware of their database every time... IMHO
     
  13. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    Answer: Administrator.

    I thought about setting up a 'Safe User' account with limited access, but in the long run this creates problems and I'm just not very confident that it will offer much protection on an XP computer.

    As a general rule, I know that a standard/limited user account can help security as well as password protecting all user accounts and the administrator account. I may wind up doing all those things. Initially I'm going to try to get them to stop clicking on links within the Emails to see if that helps.

    ---pete---
     
  14. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    ISPs are typically Comcast or Verizon.

    Router config is a bit complex to speak about here. Some have routers, some do not. Wireless is typically set for WPA2. Otherwise, the routers probably just have the default settings.

    My feeling is that the router is an extra level of protection and the antivirus & antispyware software should be able to stop the attack. If not, then the user probably needs to do something differently to avoid the problem.

    The common thing I'm finding amongst these problematic users is that they are all "Seniors" who are not all over the Internet. They mainly do Email, some online banking, and mainly use largely safe websites. Each one of them receives Email from friends with links to click on in order to view a video or interesting website.

    ---pete---
     
  15. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    I'll look into it. Thanks. These users are seniors so it has to be something I can install which is seamless because they can't handle anything too complex.

    I found out a long time ago that the novice user can't even handle a firewall because they panic and block access anytime an alert pops up. After that, something legitimate stops working.

    ---pete---
     
  16. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I suggest doing the following along with Drop Rights enabled.

    https://www.wilderssecurity.com/showpost.php?p=1639411&postcount=185
     
  17. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    Everyone,
    I may have found at least one part of the problem and solution!

    On one of the problematic computers of this thread that I now have in my shop, I had the computer just about all cleaned up again and noticed that a new virus file was being detected. As it turned out the Windows Task Manager was loaded with about 30 scheduled tasks that were attempting to download malware into the computer on an hourly schedule. I deleted all those scheduled tasks and re-ran all my scans. So at least on this one computer, I have an explanation as to why the computer became reinfected after it was cleaned.

    So everyone, please remember to check the Windows Task Manager for unusual tasks scheduled that could be downloading malware hours after you've cleaned the computer.

    This still does not explain how this particular computer got infected in the first place, so I'm still going to advise the user NOT to click any links in Emails even from trusted friends. I'll ask that they respect that rule for a month or so just to see if the computer stays clean. After a month or so, they can click those links and we shall see if they get infected again within a month or so.

    ---pete---
     
  18. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Pete, a few things:

    1. What was the actual downloader for the malware via scheduled task? Browser? Or a malware itself?

    2. Are you sure you take care of any rootkit stuff well enough? Latest ones, esp. the TDL series, are really stealthy.

    3. If you really think that e-mail and browser are malware vectors, just sandbox them, no more malware, I reassure you. There is GeSWall Free that will do the job.

    4. In my experience, USB devices and memory sticks are the main source of malware for XP (not a problem in Windows 7 though). I will recommend NoAutorun for that.

    Do you check their USB devices, memory sticks and external hard drives etc. for auto-run and .lnk exploit malware?
     
  20. redgrum

    redgrum Registered Member

    Joined:
    Nov 16, 2010
    Posts:
    50
    Just use DropMyRights when you set up their PCs to launch risky apps from edited desktop/quicklaunch shortcuts under standard user privileges - they'll never know the difference.

    It's hardly as robust as a sandbox, but it's far easier and usually makes any cleaning easier afterwards.
     
  21. petef

    petef Registered Member

    Joined:
    May 30, 2008
    Posts:
    38
    Location:
    USA, NJ
    It's a bit complicated and I'm not sure how the entire process operated, but below are some clues.

    NOD32 indicated...
    h t t p ://f i r a s b i l l.c o m/idebil.php?sdfsdgf=490, JS/TrojanDownloader.Agent.nwg
    (spaces added above to keep link from being active here.)

    There were many DOS batch files in the folder: C:\Documents and Settings\NetworkService\Application Data

    I'm not quite sure what the scheduled task was defined as because I simply deleted the tasks.

    When a scheduled task would run, a JavaScript file would be added to the folder: C:\Documents and Settings\NetworkService\Application Data

    I manually deleted all the scheduled tasks and DOS batch files.
    NOD32 deleted all the JavaScript files.

    I ran scans using MSE, NOD32, SAS, and MB. I also ran TDSSKiller, which has proven more effective than the Olmarik Cleaner found on this site.
    All the above were run on the infected HD slaved to a clean PC, then run again after reinstalling the HD in the computer.

    No USB devices involved here, but I'll keep that in mind in the future.

    ---pete---
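A defender-side check for the persistence Pete describes in posts 17 and 21 (dozens of scheduled tasks that repeatedly pull batch and script files into a NetworkService profile directory), added here as an example and not code from the thread: it parses CSV in the shape of `schtasks /query /fo csv /v` output (column set trimmed, rows constructed) and flags tasks that pair a user-writable path with a script host or an hourly repeat, so legitimate hourly updaters are not flagged on schedule alone.

```python
import csv
import io
import re

# Constructed sample modelled on the columns of `schtasks /query /fo csv /v`;
# the column set is trimmed and the rows are made up, not captured from the
# machine in the thread (the NetworkService path mirrors the one Pete reports).
SAMPLE_CSV = r'''"TaskName","Scheduled Type","Repeat: Every","Task To Run","Run As User"
"\At1","Hourly","1 Hour(s)","C:\Documents and Settings\NetworkService\Application Data\sys1.bat","NT AUTHORITY\SYSTEM"
"\At2","Hourly","1 Hour(s)","cmd /c C:\Documents and Settings\NetworkService\Application Data\upd.bat","NT AUTHORITY\SYSTEM"
"\At3","Hourly","1 Hour(s)","wscript.exe C:\Documents and Settings\NetworkService\Application Data\k.js","NT AUTHORITY\SYSTEM"
"\GoogleUpdateTaskMachineUA","Daily","1 Hour(s)","C:\Program Files\Google\Update\GoogleUpdate.exe /ua","NT AUTHORITY\SYSTEM"
"\Defrag","Weekly","N/A","%windir%\system32\defrag.exe C:","Administrator"
'''

# Directories an unprivileged process (or a drive-by download) can write to on XP.
WRITABLE_DIR = re.compile(
    r"documents and settings\\[^\\]+\\(application data|local settings)|\\temp\\",
    re.IGNORECASE)
# Interpreters and file types that turn a task into a downloader stage.
SCRIPT_LIKE = re.compile(r"\.(bat|cmd|js|vbs|wsf)\b|\b(wscript|cscript|cmd /c)\b",
                         re.IGNORECASE)
PRIVILEGED = re.compile(r"SYSTEM|NETWORK ?SERVICE", re.IGNORECASE)


def task_findings(row):
    """Reasons a single schtasks row looks like malware persistence (may be empty)."""
    cmd = row["Task To Run"]
    reasons = []
    if WRITABLE_DIR.search(cmd):
        reasons.append("runs from a user-writable profile/temp directory")
    if SCRIPT_LIKE.search(cmd):
        reasons.append("runs a batch or script file")
    if "hour" in (row["Repeat: Every"] + " " + row["Scheduled Type"]).lower():
        reasons.append("repeats hourly")
    if reasons and PRIVILEGED.search(row["Run As User"]) and WRITABLE_DIR.search(cmd):
        reasons.append("privileged account executes writable-path content")
    return reasons


def suspicious_tasks(csv_text):
    """Map task name -> reasons for tasks pairing a writable path with a second indicator."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = task_findings(row)
        # A writable path alone is too noisy (some updaters live there); require one more.
        if any("writable" in r for r in reasons) and len(reasons) >= 2:
            findings[row["TaskName"]] = reasons
    return findings
```

On a real machine, feed it the saved output of `schtasks /query /fo csv /v` and review every flagged task before deleting it, since the same shape also fits poorly written but legitimate software.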
     
  22. wat0114

    wat0114 Guest

    So on this note I would definitely support others who are recommending a sandboxing approach. If you set restrictions on only specific apps that are allowed to access the Internet, enable drop my rights, and perhaps set it so it deletes all contents upon exiting, then you've got a fairly bullet-proof solution for less savvy users. This is similar to how I've set things up for my kid's machines, using Sandboxie, and no issues for ~ 6 months now. Better yet, if you could add a standard account for them which they use for all their surfing and email (from a sandbox of course) and general purpose use, that's even better, although I do understand this would add considerable work for you.
     
  23. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Maybe try running some ARKs like GMER, Kernel Detective and XueTR, to ensure you've gotten all of the lurkers.
    Kernel Detective is pretty thorough, but requires debugger skills.
    XueTR is just as thorough, but you can export each window to a text file to get some help if you don't understand something.

    TDSSKiller doesn't always detect what's out there; the cat and mouse game continues.

    I think for any sandbox solution, any writes that can occur to the real disk are the weakness that can allow malware persistence to occur. For simplicity, I like DefenseWall, GeSWall, and Sandboxie.
     
  24. qakbot

    qakbot Registered Member

    Joined:
    Aug 25, 2010
    Posts:
    380
    PeteF,

    Are the users running the current version of security software? And I don't mean a 2009 product with the latest definitions, but rather a 2011 product.

    Also, what email clients are they using?
     
  25. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    -In addition to other recommendations, use ad-blocking software. Most of the time when a legit website serves malware, it's because some ad server is hacked and then all the legit sites that display ads from that server serve the malware.
     