Category Archives: Malware

Am I about to download a virus? (Part 1)

There are lots of good, useful things you can download from the Internet for free. Unfortunately, there are also a lot of things that will harm your PC, pop-up fake warnings, mess with your search results, and so on.

How do you tell a good download from a bad one?

The same applies to e-mail attachments – how do you tell a safe attachment from a dangerous one?

Windows 8 and anti-virus programs

Every PC needs an anti-virus program, but Windows 8 (and Windows 8.1) users don’t need to buy one.

Windows 8 has a built-in product called “Windows Defender” which provides basic anti-virus protection.

[Screenshot: Windows Defender, built in to Windows 8]

You’ll probably be urged to buy McAfee or Norton if you buy your Windows 8 PC from PC World, but it’s not necessary.

If you install Norton or McAfee (or most other anti-virus programs), they will just disable Windows Defender.

If you then uninstall Norton or McAfee, make sure they (or you) have re-enabled Windows Defender. Go to Control Panel > System and Security > Action Center.

You can run MalwareBytes alongside Windows Defender. The paid-for version is an excellent way to supplement the capabilities of Windows Defender (and does a much better job, in my experience, than Norton or McAfee).

How do people get their PC infected with viruses?

Usually, bad things on your PC these days aren’t technically viruses, they are trojan horses, worms, adware, key loggers, search hijackers and so on. Generically we call bad things that you don’t want on your PC “malware“.

[Screenshot] Get one item of malware, and it will install others. Look at the dates.

Most infected users have in fact downloaded the malware themselves, and clicked “OK” on lots of boxes in the process. They do this because the malware installer claims to be something useful (it’s lying). Often people download things that claim to be a Security Scanner, a Registry Cleaner, a Speed Maximiser, a PC Tune-up Manager, a Driver Updater, or a utility that claims to Fix Unreadable Files or Fix Download Problems (or they leave a box ticked that offers a “free download” of something apparently useful). Virtually all of these fake products are downloaded from professional-looking and convincing sites, so judging a site by how professional it looks is always unwise. Malware distributors make enough money to be able to afford excellent websites! (Even if these things did what they claimed and didn’t also install malware, they would be pointless. They sound technical and important, but they’re not. For 99 percent of users, registries don’t need cleaning, drivers don’t need updating, and so on.)

[Screenshot] Too good to be true?

If your PC is slow, a few simple things you can do yourself will be much more effective than any spurious “PC Tune Up” program.

Some good advice from reputable sources:
The Guardian newspaper 1
The Guardian newspaper 2
The Telegraph newspaper
WikiHow website

Another thing to watch out for is where you download legitimate software from. The thing you want (iTunes, VLC, Microsoft Security Essentials, Flash Player) may be legitimate and useful, but are you getting it from the right place? Getting it from the wrong place may mean you download something undesirable as well. Do your research before you download.

[Screenshot] iTunes is made by Apple, and can be downloaded (free) from the Apple website. This isn’t the Apple website!

And finally, watch out for adverts that look like warnings, and unusual search engines that may look like Google. Don’t trust what they are telling you, especially if they want you to download something.

[Screenshot] That’s an advert, not a warning or error message. And the search site isn’t Google.

Good luck out there – keep your wits about you!

New for 2011

Looking back over the last year, some things have changed in the world of PCs, but many problems remain pretty much the same!

Malware — viruses, trojans, spyware and the like — continues to be a big problem. I still see a lot of PCs infected with various trojans designed to steal information or money from the unwary. The writers of this stuff are very professional, so I assume there is big money behind it. The most common still seem to be the sort that tells you that your PC is “at risk” and invites you to download some software to cure it. Invariably the software “finds” lots of things that aren’t really there, and then invites you to register it for about $49.95 to enable it to remove them. If you ignore it, it will get ever more persistent, until the PC becomes unusable.

Sometimes these types of software claim to find viruses or other infections, sometimes “memory problems”, “registry errors” and so on. Of course, there are quite genuine and very useful products that do all these tasks, so it’s hard for the normal person to tell the genuine and useful from the fake and harmful. Sometimes these fake products even have professional-looking websites (but almost always without traceable addresses or contact details).

An example of a fake product is here.

A simple tip: before you download any software, search for its name on Google.  Ignore any sponsored links, and if almost all you find in the search results is people asking how to remove the product, and reputable sites (such as bleepingcomputer.com and techguy.com) offering removal instructions, then tread very carefully!

A new development in 2010: three of my customers who had infected PCs received a phone call to their home numbers from the “Windows Support Group” telling them their PC was infected and offering to remove the infection at a price. It wasn’t clear how their phone number had been obtained (all had their phone numbers in at least one document on their PC, though), who the caller was or who he represented, or how much this “service” would cost. Very suspicious indeed.

Everyone should have a good and up-to-date antivirus program. Two good ones (both free) are the free versions of AVG 2011 from here or (my current favourite) Microsoft Security Essentials from here.

Happy new year to all.

“Pics for MSN friends”

I’ve had a couple of MSN messages recently which consist simply of a link.  On going to the link, I see something like this:

[Screenshot]

I suspect my MSN friends fell for this scam; once they have told the site their MSN username and password, it can impersonate them and send messages to their friends — me in this case.

Anyone who has fallen for this scam should immediately change their MSN password. See instructions on the MSN website here.

This scam has been around for a long time in different guises. Sometimes it says you have won a prize (typically a free iPod or a free iPhone) and you should type in your username and password to “validate your identity” and claim your prize.

Never type your username and password into a website you don’t know!

Viral Spam

I’m seeing a lot of spam today with titles like Customs – We have received a parcel for you or Customs, please read. There was a lot yesterday about undelivered parcels from UPS.

These have a zipped attachment which is infected with a virus. Typical text of the e-mail is:

Good day,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Grover Sterling
Your Customs Service

or

Dear Sirs,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Casey Rhoades
Your Customs Service

The giveaway, as always, is that they are not addressed to you by name, and they come from unlikely e-mail addresses (typically harvested from infected computers). The two above came from Customs Service <lvsgjjo@bluegrassgroup.com> and Customs Service <cwq@blmbuilders.com> but each one will be different.

At the time of writing, these were not detected as malicious by AVG 8.0 (and nor by Symantec, Norton, McAfee, Avast, Ewido, F-Prot, Kaspersky or Panda). Just delete them.

If you have run the attachment (by double-clicking the contents of the zip file, typically) you’ll soon start getting warnings that “Your computer is infected” and inviting you to download software to clear it. The warnings are part of the infection, and the software it wants you to download will make matters much worse. Don’t download anything, and contact someone who can help you remove the infection.

PS: I’m seeing a lot of fake airline ticket sales today (20 August). They typically start:

Hello,
Thank you for using our new service “Buy flight ticket Online” on our website.
Your account has been created:

and then go on to give login details for a website whose address is not stated (!) and say your credit card has been charged for some amount (usually about $650). A “ticket” is attached.

The usual things give it away: not addressed to a specific person; dodgy attachment (this one is called Ticket_N141-SK.zip and contains a file called Ticket_N141-SK.exe — a file ending in .exe is a program, and this one is instantly detected by AVG 8.0 as containing trojan Pakes.AFL).

Be careful not to run Ticket_N141-SK.exe, and just delete the e-mail and its attachment.

(Aug 23) Sophos reports yet another variant, “Statement of Fees 2008/09”, whose attachment is sneakily named “Fees_2008-2009.doc______________.exe”. They hope you’ll think it’s a Word document (.doc) not a program (.exe). As Sophos says, “Don’t let curiosity get the better of you – don’t open the attachment if you didn’t order the package, or the tickets, or the contract, or the accommodation … or whatever else they’ll come up with next.”
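As an added example (not code from the original post), here is the attachment check the two posts above describe, written in Python: it flags a name whose real ending is a program, a document extension hidden before that ending, and the long run of underscores used to push the ending out of view, and it reads names inside a zip without extracting anything. The sample zip is constructed here and contains plain text, not the real Ticket_N141-SK.exe; the function names and the extension lists are my choices.

```python
"""Flag attachment names that use the tricks described in the posts above."""
import io
import zipfile

# Endings that Windows will run as a program when double-clicked.
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}
# Endings a victim is meant to notice instead of the real one.
DOCUMENT_LOOKALIKES = {"doc", "pdf", "xls", "jpg", "txt"}


def attachment_warnings(name: str) -> list[str]:
    """Return a list of reasons this attachment name looks deceptive (empty if none)."""
    parts = name.lower().split(".")
    warnings: list[str] = []
    if len(parts) < 2:
        return warnings
    real_ext = parts[-1].strip("_ ")
    if real_ext in EXECUTABLE:
        warnings.append(f"'{name}' is a program (.{real_ext}), not a document")
        # Only the ending that Windows actually uses matters; earlier ".doc" is bait.
        earlier = {p.strip("_ ") for p in parts[1:-1]}
        if earlier & DOCUMENT_LOOKALIKES:
            warnings.append("a document extension appears before the real program ending")
    if any("_____" in p or "     " in p for p in parts):
        warnings.append("long run of underscores or spaces used to hide the real ending")
    return warnings


def zip_member_warnings(zip_bytes: bytes) -> dict[str, list[str]]:
    """Look inside a zipped attachment and check each member name, extracting nothing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {member: attachment_warnings(member) for member in zf.namelist()}


def constructed_sample() -> bytes:
    """A harmless stand-in for Ticket_N141-SK.zip (constructed): the member is just text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Ticket_N141-SK.exe", "not a real program, just sample text")
    return buf.getvalue()


if __name__ == "__main__":
    for n in ("Fees_2008-2009.doc______________.exe", "declaration.pdf"):
        print(n, "->", attachment_warnings(n))
    print(zip_member_warnings(constructed_sample()))
```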

“Phishing” scams

One of the things to watch out for in your e-mail is the notorious “phishing spam”: this is spam that tries to get you to log in to your online bank or similar. The aim is to direct you to a fake web site which will look exactly like your real bank and invite you to type in your security details. Once you type in your details, of course, you’ve given them to the spammer, not the bank, and they will then be used to drain money from your account.

Phishing attempts are pretty easy to detect with a minimum of knowledge. There’s no point in checking who the e-mail seems to be from — it’s perfectly simple to send e-mail that looks like it comes from whoever you choose. Three danger signs to check for:

1. Not addressed to you personally. My bank would always write to “Dear Paul Doherty” or “Dear Mr Doherty”, and would also include my postcode, account number or some other information not given in my e-mail address. Spammers only have your e-mail address, so they invariably write to “Dear Customer” or similar, or to no-one at all.

2. Poor English. Most phishing spammers aren’t English, so they write it with a phrase book, and it usually shows.

3. Link in the e-mail is misleading. You need a little knowledge to check this, but it’s the clincher. The spammer will want to make any link look as if it goes to the bank, but really it must go to an imitation website.

One thing everyone should know is how to check what website a link really goes to, and how to decode a website address.

Different e-mail programs show the real place a link goes to in different ways: find out how yours does it. Mine does it if I just hover the mouse over the link. Check that address carefully — even if it looks like it goes to barclays.co.uk, a common trick is to register a fake website with a similar name: nationvide instead of nationwide, paypa1 instead of paypal, RB0S instead of RBOS.

Mostly, though, spammers just rely on people not being able to work out what website is being referred to. Here’s how to check it: starting from the left and just after http://, scan to the right until you find another slash (/) – stop there. If the bit immediately to the left of that slash has three letters (typically .com), that and the word immediately before it is the (international) website address. If it has two letters (typically .cn or .ru), that and the two words before it is the (national) website address. (.cn is China and .ru is Russia.) And if there are no words, just numbers, it’s suspicious by definition.
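As an added example (not from the original post), the rule of thumb above and the look-alike names from the previous paragraph written out in Python; the function names, the confusable-character table and the 0.85 similarity threshold are my choices. Browsers use the Public Suffix List rather than the three-letters/two-letters rule, so this is the post's heuristic, not a complete parser.

```python
"""Decode the real website address in a link, following the post's rule of thumb."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit
import ipaddress

# Characters phishers swap in because they look alike on screen (paypa1, RB0S).
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})


def website_address(url: str) -> tuple[str, str]:
    """Return (address, verdict) for a link.

    Just after http://, scan to the next slash and stop.  A three-letter ending
    (.com) keeps that plus one word; a two-letter ending (.uk, .ru) keeps that
    plus two words; all numbers and no words is suspicious by definition.
    """
    if "://" not in url:
        url = "http://" + url          # hover text sometimes omits the scheme
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host, "suspicious: all numbers, no words"
    except ValueError:
        pass                           # not a bare address, carry on with the words
    labels = host.split(".")
    ending = labels[-1]
    if len(ending) == 3:
        keep = 2                       # e.g. xml48.com
    elif len(ending) == 2:
        keep = 3                       # e.g. barclays.co.uk, novacom.zaural.ru
    else:
        return host, "unclear: unusual ending, check by hand"
    return ".".join(labels[-keep:]), "named site: compare with the genuine address"


def is_lookalike(address: str, genuine: str) -> bool:
    """True when the address is not the genuine one but is built to resemble it."""
    a, g = address.lower(), genuine.lower()
    if a == g:
        return False
    if a.translate(CONFUSABLES) == g.translate(CONFUSABLES):
        return True                    # paypa1 vs paypal, rb0s vs rbos
    return SequenceMatcher(None, a, g).ratio() >= 0.85   # nationvide vs nationwide


if __name__ == "__main__":
    for link in ("http://www.xml48.com/", "http://193.254.185.39/~engelbert/",
                 "http://novacom.zaural.ru/", "www.paypa1.com/login"):
        print(link, "->", website_address(link))
```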

Here are three recent examples.

[Screenshot: Abbey phishing spam]

1. Addressed to generic name.

2. Suspect English (“launch the procedure of the member login update”, “does apologize for any inconvenience caused to you and is very grateful for your help”) and too many exclamation marks.

3. Link is actually to website xml48.com — the “ref” probably identifies the e-mail address that fell for this trick, so that it can be targeted with more attacks, which is why I’ve obscured it.

4. Why would a genuine bank write “If you are not a client of Abbey National Internet Banking please ignore this letter!” – it would know who its customers were.

[Screenshot: PayPal phishing spam]

1. It’s addressed to generic “Dear PayPal user”.

2. The English is OK on this one (but it says “Us” instead of “Contact Us”).

3. The website is 193.254.185.39 — all numbers, no words, very suspicious. (And, if you know, ~engelbert is the directory of a user called Engelbert — probably someone whose account has been hacked by the spammer and used to host the fake site).

4. There is no “To” address.

[Screenshot: RBS phishing spam]

1. Not addressed to anyone specific.

2. Suspect English (“As of that result”)

3. Website is novacom.zaural.ru — a Russian site.


Fake anti-virus programs

This is an old post from 2008, but it’s still very relevant. The screenshots are out of date, but they give the idea.

Sadly, there’s more fake anti-malware programs out there than there are real ones. (Malware is a general term for viruses, trojans, spyware, and so on.) Often a small infection sneaks on to your PC (usually because you’ve clicked unwisely on an e-mail message or downloaded something unfortunate from a website). This infection then starts popping up messages that look like Windows is warning you that your PC is infected, and inviting you to download something to scan it and remove the infection. This often looks like it might be from Microsoft.

If you download the advertised software — because that’s what this is, sneaky advertising — it will make matters much worse. The software will probably invite you to send money or enter credit card details, it will pretend to find lots of infections that you don’t really have, and it will probably add more infections.

Here are some screenshots of a common one, “Antivirus Xp” (courtesy of Bleeping Computer):

[Screenshots: Antivirus Xp]

This sort of thing is, sadly, very common. If you think your PC is infected, you should take professional advice unless you are quite sure you know what you’re doing. Downloading stuff like this will make matters worse, not better. With the right knowledge and tools, however, this sort of thing is usually pretty straightforward to remove.

There’s a list of rogue sites and software here, but it’s now more than a year out of date. It will give you some idea of how many fake sites there are, and how much fake software there is, however. This one has a website:

[Screenshot: the Antivirus Xp website]

The website is hosted on a computer in China, and registered to a — probably fake — company (Goya Interco LLC) with a claimed address in Finland. The domain was registered on 17 June 2008. The website is superficially convincing, but there are some tell-tale features:

  • Spelling mistakes: establishement, 100’000, realiable
  • Slightly curious English and grammar
  • Unfeasible claims: “Since its first establishement in 2001, antivirusxp2008 …”
  • No company name, address or contact details (all contact is by filling in a web form — no e-mail addresses or telephone numbers are given).

It looks good though, and is a good reason why you should not judge by appearances.

A very similar fake removal program is analysed here.