Jul 162014
 

Malware comes in many different forms, and two of the supposedly less damaging aspects are spyware and adware, which keep track of your activities and display advertising selected by your activities. This sounds relatively harmless, but there are concerns.

Firstly you may not be happy allowing a less than totally scrupulous advertising agency access to your computer and to send them details of your Internet activities. Apart from the gross invasion of privacy, the information can be very revealing in security terms – what bank you use, etc. And there are no guarantees that an advertising agency that uses adware or spyware is going to keep your personal details and information safe.

Secondly, it is very common for a machine that has one spyware install to have more than one … dozens, or hundreds is not impossible. Because spyware is constantly running (or it tries to run constantly), the more spyware you have installed, the slower your machine is.  It is not unknown for people to buy a new machine because they think their old machine is faulty when it is really just overloaded with spyware.

Next, spyware is malware. Although “well behaved” spyware isn’t any more malicious than the stated purpose of spyware, the nastier spyware is, the more likely that it will add more malicious features. Spyware can (and does) act to install additional spyware, and in some cases, it can load genuine malware. So allowing spyware free reign on your machine can sometimes result in much nastier infections.

Possibly including the nastiest form: ransomware.

Surprisingly, anti-virus products do not always protect against spyware and adware. In addition to the fact that anti-virus products are not 100% effective against anything, they do tend to concentrate on viruses specifically and not malware in general.

So having a good anti-virus product is no guarantee that you will not get infected. But you will definitely get infected a great deal quicker without one, so it is of great benefit to check your anti-virus product on a regular basis. Perhaps set up a calendar item to do so every three months.

In some cases of very bad infections that we have seen, the computer owner believed that they were safe because they had anti-virus protection installed, but they had chosen not to renew the anti-virus subscription. So it was running, but not performing any actions.

How Do I Get Infected?

As to how adware/spyware gets installed, it is not possible to say with certainty as there are so many different ways. But some of them are detailed below :-

One of the ways is to entice you into downloading and installing the software itself. Commonly labelled as some sort of helpful utility, or potentially pretending to be some sort of game, the process of installing the utility also installs the adware/spyware.

You have trusted the rogue software installation which has abused that trust. The solution is to only install software from trusted sources. That doesn’t mean not to install anything from the Internet, but software installed from the Internet should be checked to make sure it is from a reasonable site.

The next method that adware/spyware gets installed is via a browser exploit.  Any outdated browser will have some security holes, and some of those security holes allow for the invisible installation of software – including adware/spyware. These invisible installations can be found on the dodgier parts of the web (not necessarily what you’re thinking!), and through advertising banners on quite legitimate sites.

The solution is to keep your browser up to date and attempt to use a less widely used browser, as different exploits are required for different browsers. Whilst inconvenient, it may be necessary to run two browsers – one for particular sites that are fussy about what kind of browser they work with, and one for more general web browsing.

You could try to avoid “dodgy” websites, but in practice it is difficult to identify such sites given that it isn’t really the main content of the website that is dodgy. Even legitimate websites can become “dodgy” if a malicious spyware author breaks into the website to add their spyware.

Finally, one other very commonly used method is to use adware/spyware to install more. If you have a malicious piece of adware/spyware installed, it can itself “call home” to search for additional adware/spyware to install.

Removal – Background

Removal is a difficult task as the authors of adware/spyware do not want you to be able to remove it, and so they take defensive measures. In some cases this means that some adware/spyware is not removable by ordinary people.

And of course this means that the method of removal could be to hand the problem to somebody else (someone whose time you’ve paid for). If you are doing this yourself, the following list a number of methods decreasing in effectiveness.

Doing this yourself is certainly possible, but it is worth setting aside at least a couple of hours for it. It is best done slowly and carefully.

Ultimately the only safe method of removal is a complete re-installation. Wipe the hard disk and start again. Obviously this is a bit extreme, but is worth considering if your computer is misbehaving so badly that you are considering replacing it, or if your computer’s infections are costing you money.

The next most effective method is to boot your computer off a “rescue CD” (or increasingly a USB disk), which can remove viruses and/or other malware in a clean environment. If you allow your computer to boot when it is infected, the infections have the chance of controlling the environment to hide themselves.

Removal – Rescue CD

One of the most popular of such rescue CDs is Kaspersky Rescue CD, although there are a number of others. Once downloaded, it can be written to a CD (or a USB stick), used to boot the computer and follow the on screen instructions. If you want to read up on it first, there are plenty of guides available to walk you through the process.

Protection & Removal – Safe Mode & Anti-Malware

The remaining methods are not guaranteed to remove everything because they operate whilst your normal computer is booted within it’s normal environment. However they can be effective against less pernicious malware, and of course are easier to operate.

You can make the remaining methods more effective by booting in “Safe Mode” where Windows does not start every service it normally does. Safe mode can be enabled by invoking the “Advanced Boot Menu” by holding down F8 whilst the computer boots.

Once that starts, use the arrow keys to select “Safe Mode with Networking”. This will take longer than normal, and look somewhat different too as Windows shows you what is happening rather than display an animation screen. When in safe mode, you can manually start your anti-virus product and anti-malware product and scan your system.

The first thing to have running for protection is of course the much maligned anti-virus product. Whilst this is not a perfect solution as it doesn’t catch everything, it does try and prevent the nastiest forms of malware.

And because recent versions of Windows includes an anti-virus product for free, there is no reason not to be running one. Microsoft Security Essentials is a perfectly adequate anti-virus product for the home computer, and isn’t in danger of running out of it’s subscription period.

If you use an alternative, please check that it is in a healthy state on a regular basis.

It may sound like repeating the same protection, but supplementing an anti-virus product with a second anti-virus product makes a certain amount of sense. In particular if you can select an anti-virus product that concentrates on more general malware – such as Malware Bytes.

The free version of which just performs manual scans of the hard disk. But that can sometimes be enough – if you remember to scan it regularly.

Links

For further information :-

  1. Inspired by: the Purdue SpyWare Best Practice Guide.
  2. Microsoft’s page on SpyWare.
  3. The Wikipedia article.
Apr 252012
 

The DNSChanger malware that has been effectively neutralized by the take over of the Estonian servers hosting the rogue DNS servers will have a sting in the tail for those still infected when the servers are switched off on 9 July 2012 – no access to your favourite web sites or any service that requires a DNS lookup – in practice nothing will work.

Forbes  have published a story from the FBI regarding this – note that DNSChanger affects Macs too. Some direct advice from the DNSChanger Working Group (DCWG) is here.

To check whether you are infected, use the DNSChanger Check tool that is linked to from the DCWG – if you are infected then you have until 9 July to disinfect your computer.

Apr 102012
 

Whilst it has always been theoretically possible for Apple’s computers to be infected with viruses, the combination of greater security built into OSX and the larger population base of Windows-based computers has meant that the Apple user has been relatively safe in the past. However this has now changed.

Whilst we may wish to take the advice of an anti-virus vendor with a pinch of salt, it seems that widespread infection of OSX machines is a reality. With upwards of 600,000 OSX machines in one bot army, the problem is still nowhere near as large as Windows users suffer from.

But as advised by Sophos, OSX users need to :-

  1. Apply OSX updates as soon as possible after they are released.
  2. Upgrade unsupported versions of OSX as a matter of priority. If you are running OSX version 10.6 or lower, you should be getting an upgrade now! And if you are still running an Apple with a PowerPC chip inside, it is time for a new machine.
  3. Consider installing an AV product – of course officially you are not allowed to connect a machine to the University network (including wireless and in halls) without AV protection.