Sunday, February 20, 2011

"We Interrupt This Broadcast--"

Update: As predicted in comments, it's still infected. Ordered an external optical drive and I guess I will have to mindwipe the poor thing and start over. (Salvaged a bunch of IWOAS text files but that thumb drive needs looked at now, just in case. Malwarebytes claims it is clean).

Or this blog; last night, I started my "Top Shot" post on my little Eee but had to finish it on my desktop, and that after running spyware/malware scans: the Eee had a trojan, an especially annoying and nasty one, and I am not sure how I got it.

Initially, it wouldn't boot up at all and I supposed the hard drive had died; but the hidden reset button got it to boot up, my browser launched okay but then opened another tab and once I'd closed that -- chaos! Screen after screen of nearly-plausible warnings; the giveaway was their persistence and the long list of supposed risks, threats and "stealth intrusions" reported.

Removing the trojan took some time and effort and I am giving serious thought to keeping the wireless LAN off; my main use for the Eee netbook is to write fiction and I darned near lost tens of thousands of words I hadn't backed up. Had to change a bunch of passwords, too.

...And today will be "install more protection day." Oh, the fun.


Tango Juliet said...

Bummer! Bet it arrived via "The Hidden Frontier." :)

Tam said...

It has nothing to do with the wireless LAN.

Shootin' Buddy's home machine has it too.

Joseph said...

Hope you have been able to clean up your machine without damage. Just don't forget to back up; I like reading your stuff and don't want to miss any of it!

WV: Foonis

Roberta X said...

Tam: if you don't connect the machine to a network, hand-carried media is the only way it picks up ickies.

Back when I was very, very young, a guy I consider one of the smartest people I know was tasked with computer security at a smallish software company. After a month of study, he concluded the only way to be safe was to totally isolate the company's system. --And even that was only as good as the discipline of the users to never, ever move files from the machines that talked to the outside world to the "clean" system.... His bosses were vexed (they wanted the Moon and they wanted it NOW!) but he was right.

Tam said...

Yes, I know that.

I misread your post.

Data Viking said...

I have had my son's box infected via drive-by download initiated from a Flash video hosted on a browser page viewed with FireFox. After that, Flash is no longer allowed to store anything locally on his machine. Be aware this does have a downside as a few flash video sites require the ability to locally store third-party content such as Comedy Central and MTV.

Flash Player Settings Manager.

Secunia Vulnerability Scanner can be used to help keep your browsers and plugins up to date. It comes in two flavors, one which is hosted in the browser and one which is installed and runs your machine. The second one is the more comprehensive of the two.

I have a Kanguru write protectable USB thumb drive that I keep all sorts of tools to help prevent / remove such things. The write protect is important to prevent my uninfector media from itself being infected.

These days my toolbox contains Malware Bytes Anti Malware, LavaSoft AdAware, SpyBot Search and Destroy, a clean default HOSTS file to help restore broken network connectivity to online malware scanners, a number of SysInternals' tools such as ProcessExplorer, TCPView and RootkitRevealer, CCleaner (and RegScrubXP if still running Windows XP {no longer available directly from the original source but I have a original clean copy if you want one}) to help fix any broken registry entries, WinPatrol to keep an eye on things after the clean up, and Zone Alarm to help keep things from getting in when they shouldn't, just to name a few.

Comodo Personal Firewall also gets good reviews as an alternative to Zone Alarm and is currently not quite as 'naggy' as Zone Alarm is becoming.

MicroSoft Security Essentials gets good reviews overall and it is just a free download away.

I do not have any personal knowledge of either the Comodo product or the MSE.

I do not recommend solely using the Windows built-in firewall as it only keeps certain network traffic from getting in and does not block ports such as 135 and 445 which historically a number of malwares have used both to infect and to spread and does nothing at all to prevent outbound traffic once infected.

I also use an extensive HOSTS file available here to help keep the known bad actors from from even reaching my machine. This can be a mixed bag for you as it also is used to block known advertising sites and usage tracking such as is done by google-analytics, et. al.

I have also used the registry editor to disable AutoRun capability from all removable media including CD/DVD.

I hope some of this is useful to you. Good Luck.

Eck! said...

I've taken the other path. All my Eee netbooks run Linux, that eliminates hours of trying to secure the winders
leaky security.

As someone that has in the past done the IT/Security thing winders is just a PITA. I got out of winders security wars as it was it was just pain and more days of pain.


Ian Argent said...

One of the most maligned features of Win Vista (and consequently weakened in Win7 - if you have Win7, set the UAC slider all the way to the top) was the UAC mechanism. I never understood why - other than people hate to be secure.

It ain't perfect, but it's another line of defense. At this point, I simply wouldn't expose a WinXP machine to the internet; too many known exploits, too many people who are looking to add another zombie to their ever-growing army of the undead. If I *had* to, I'd use a non-IE browser with all the bells and whistles turned off, behind a hardware firewall, from a non-admin account, with a sign saying "beware of the leopard" on the door. After backing up.

Microsoft appears to have gotten the security religion in the past few years, but they have an unfortunate responsibility to the installed base that means they have to set their security vs usability slider a little looser than I would.

DaddyBear said...

There will probably be vestigial parts of the trojan on the system. Save your hopefully clean files off to media, nuke the hard drive from orbit and re-install. I'd consider dual booting Windows with Linux. Sad to say this, but no matter what you run, there is always a risk, even with Linux. It's just so much easier with MS OS's than others.

wolfwalker said...

Um, excuse me Ian, but:

At this point, I simply wouldn't expose a WinXP machine to the internet;

Both my desktop machines, primary and secondary, run WinXP. Both spend most of their time connected to the Net. I keep them patched, run a software firewall and malware scanner (ZoneAlarm), and periodically scan both with MalwareBytes. No wireless, and my router is set to block incoming pings. This hasn't changed in more than five years. In all that time I've only had one problem with malware, and then it was a case of PEBKAC.

Security is more a user issue than a machine issue. You can make an XP machine secure if you try hard enough and remember the Predator Rule: the antelope doesn't have to be faster than the lion, he just has to be faster than at least one other antelope.

Ian Argent said...

I can't say all my XP machines are off the internet. But I don't expose them any more than I have to. And I load SP3 via offline installer before I put any XP machine up.

I like MS OS, but they are a big target. As far as I know, I have never had a malware attack, by being moderately careful. But that doesn't change the inherently insecure user model of XP.

Exodus said...

You've probably heard this a brazillion times, but today's linux distros are useable, viable Windows replacements.

After my Dad virused his computer to death one too many times, I bought him a new computer and installed Ubuntu on it. Problem solved - permanently. He's 65 and cranky and knows nothing about computers and uses the heck out of Ubuntu.

You can set it up as a dual boot, too - very easily.

Disclaimer - I work at Red Hat. :)