How Did I Get A Virus? *_*

How to recognize and prevent viruses, malware and on-line scams at home and in the workplace.

Presented by: Miguel Fra, Falcon IT Services ([email protected])
http://www.falconitservices.com

Dial-in conference: (305) 433-6663, option 4, PIN # 080814
For video follow-along go to www.falconitservices.com, click on the remote support icon, then enter invitation code: Malware

If you have a group of 10 or more people, please contact me to have this presentation given at your place of business (2 weeks prior notice please).

Sources: Wikipedia, OnGuardOnline.gov

What Is Malware?

• Malware is any software that is used to disrupt computer operations, gather sensitive information or gain access to private computer systems.
• Malware is a term used to collectively describe viruses, worms, Trojan horses, ransomware, spyware, adware and scareware.

Definitions 

There are many types of malware and many more will be invented in the future. The list below describes some of the most common types in use today.

• Viruses are malware that attach themselves to other files and/or programs, replicate themselves and usually harm the infected host system and/or its user.
• A worm is self-replicating malware that spreads itself over a network or the Internet to other computers on its own, without needing a host file or a user to run it.
• A Trojan horse is malware that is installed by tricking the user into thinking they are installing a different, legitimate program.
• Ransomware encrypts files on a user's PC and/or network shares and then demands a ransom in order to unlock the files.
• Spyware gathers private/personal information for nefarious use.
• Adware presents infected computers with advertising banners and pop-ups and/or skews search results.
• Scareware is malware, usually with little or no benefit, that uses fear, anxiety and the perception of threat in order to sell unnecessary products to unsuspecting users.
• Gridware is a program that uses your computer as one of many interconnected nodes used to collectively process large volumes of information.

Is Malware Legal?

• Some types of malware are perfectly legal: as long as their behaviour is stated in the terms and conditions and you agree to them, there is no wrongdoing.

• Many anti-malware developers have been sued by malware creators. This is why some such programs appear as 'PUPs' (Potentially Unwanted Programs): the anti-malware tool flags them but does not remove or quarantine them on its own, so you have to choose to remove them.

Virus Myths Debunked

• "I can't get a virus, I have anti-virus!"
• "I have a Mac/Linux, they don't get viruses."
• "But I haven't been anywhere I should not go."
• "This computer is only 3 months old!"
• "There is nothing wrong with my computer, how can I be infected?"
• "I don't open any attachments or install programs!"

Drive By Infections

• A 'drive by' refers to being infected simply by browsing an infected Web site, with no download or click required. These infections rely on exploits for unpatched bugs in the browser or its plug-ins (PDF readers, Flash, Java).
• Keep your operating system up to date.
• Keep your browsers and browser plug-ins up to date.
• Use Firefox instead of Internet Explorer if possible.
• Install Microsoft EMET on your PC to prevent exploits. (EMET reached end of life in July 2018; on Windows 10 and later the same mitigations are built in as Exploit protection under Windows Security.)

E-Mail

• Don't open attachments, especially ZIP and RAR files.
• Even when you receive an attachment from a familiar source, call them and verify that they sent the attachment.
• Look for e-mail with attachments that are out of context (businessmeetings.pdf from your child instead of from your boss).
• Don't follow e-mail links or click on links. View everything with suspicion.

Avoid Being Phished!

• Phishing is an attempt to acquire sensitive information by masquerading as a trustworthy entity.
• Phishing can come in the form of e-mails, postal mail, telephone calls and social media.
• Beware of e-mails that are out of context.
• Don't open files from chat, e-mail or social media transfers.
• Be wary of ZIP files in e-mail.
• Be wary of e-mails claiming to be from UPS, FedEx, the IRS, banks or credit card companies.
• Risky attachment file types: ZIP, RAR, EXE, PIF, BAT, VBS, COM. Watch for double extensions such as invoice.pdf.exe as well: Windows hides known extensions by default, so the file shows up as invoice.pdf.

Anatomy of a Typical Phishing E-Mail

• Look for grammatical errors and misspelled words.
• Check that the sender's e-mail address matches the display name and the organization it claims to come from, and that any Reply-To address belongs to the same organization.
• Look for generalized salutations (i.e. "Dear customer"). Real providers usually know your full name and will include it in their e-mail.
• Hover over links to see whether the linked URL matches the hyperlink text.
• Watch out for scare tactics!
• Look out for requests to visit a password reset or login site that you have not requested.

Anatomy of a Phishing Site

• Look at the URL carefully and make sure it matches the site you expect. The part that matters is the domain name immediately before the first single slash (the real URL is highlighted in black in the slide); anything in front of it is a sub-domain the attacker controls, so www.yourbank.example.verify-login.test belongs to verify-login.test, not to yourbank.example.
• Type in the URL yourself, don't follow links!
• Look for spelling and grammatical errors in Web sites.
• Look for inconsistencies, broken links and broken image links.
• Look for HTTPS as well as a valid site certificate, but remember that the padlock only proves you are talking to whoever owns that domain name; phishing sites can obtain certificates for their own domains too.
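The checks from the e-mail and Web site slides above, applied to a raw message by a small Python script. This is an added example, not code from the presentation. The message it inspects is constructed here and uses the reserved .example and .test domains, so the bank, the sender, the link target and the attachment are placeholders; the registered-domain helper is a deliberate approximation (last two labels) rather than a public-suffix-list lookup.

```python
"""Phishing e-mail triage: the slides' checks run against a raw message.
Added example, not code from the presentation. The sample message is
constructed here with reserved .example/.test domains; every name in it
is a placeholder."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the slides call risky, plus a few the same advice covers.
# Every extension after the first dot is checked, so 'statement.pdf.zip' is caught.
RISKY_EXTENSIONS = {"zip", "rar", "exe", "pif", "bat", "vbs", "com", "scr", "js", "hta"}
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")
SCARE_PATTERNS = re.compile(r"within \d+ hours|suspend|immediately|unusual activity", re.I)
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs: what 'hover over the link' shows by eye."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value):
    """Host of a URL, or domain of an e-mail address, lower-cased ('' if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip("<> ").lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registered_domain(host):
    """Last two labels, e.g. 'bank.example' (approximation; real tools use the public suffix list)."""
    return ".".join(host.split(".")[-2:])


def triage(raw_message):
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    if reply_addr and registered_domain(host_of(reply_addr)) != registered_domain(host_of(from_addr)):
        findings.append(f"Reply-To domain differs from sender: {reply_addr} vs {from_addr}")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("Generic salutation instead of your name")
    if SCARE_PATTERNS.search(text):
        findings.append("Urgency/scare language in body")
    collector = LinkCollector()
    collector.feed(body)
    for visible, href in collector.links:
        if not URL_LIKE.match(visible):
            continue  # text such as 'Click here' gives nothing to compare against
        shown, real = host_of(visible), host_of(href)
        if registered_domain(shown) != registered_domain(real):
            findings.append(f"Link text shows {shown} but points to {real}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if RISKY_EXTENSIONS & set(name.split(".")[1:]):
            findings.append(f"Risky attachment type: {name}")
    return findings


# Constructed sample message; every check above should fire on it.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank-secure.test>
Reply-To: recovery@mail-verify.test
Subject: Your account will be suspended
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Unusual activity was detected. Verify within 24 hours or your account will be suspended.</p>
<p><a href="http://bank.example.login-verify.test/reset">https://www.bank.example/login</a></p>
</body></html>
--b1
Content-Type: application/zip; name="statement.pdf.zip"
Content-Disposition: attachment; filename="statement.pdf.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""
```

Running `triage(SAMPLE)` produces five findings: the Reply-To mismatch, the generic salutation, the urgency wording, the link whose text says bank.example but whose target is login-verify.test, and the double-extension ZIP attachment. A plain message from a colleague produces none. A mail gateway applying the same rules (see the UTM slide later in this deck) would quarantine on the attachment and link findings alone.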

Phishing is not Just E-Mail Based. Phishing Sites are Indexed on many Search Engines

This site came up when I Google searched the term: Sharp Error 3332. There are several clues that identify this as a malicious site:

1. When I called the toll free number, the agent requested access to my computer without even asking me who I was. They told me they had to run a utility to test my computer for connection errors.
2. The fix shown here is completely unrelated to the problem. This error is an e-mail related error for a Sharp photocopier, nothing to do with Windows.
3. The site has several links to a 'fix' and even tried to automatically download a program to my PC, as shown at the bottom, as soon as I opened the page.
4. When I asked the phone agent the name of their company, they stated they were from 'Microsoft'.
5. Registry 'fix' programs are usually junkware and will typically cause further complications and problems.

Legitimate Companies Also 'Phish' You Into Installing Their Programs. Read Carefully and Take Your Time to Analyze What You Click On, Especially When Surfing or Visiting Non-Trusted Web Sites.

Many legitimate companies bait you with advertisements that are similar in shape, color and appearance to what you expect to click on. The right arrow shows the "X >" icons indicating Google AdSense ads. This slide shows a 'cleaner' program with a green Start button that appears extremely close to the Web site's own Start Test button. Users who don't read, are in a hurry or are simply impatient usually fall prey to these types of advertisements. Before you click, READ and UNDERSTAND what you are clicking on. In today's fast paced, instant gratification society, slowing down leads to better results when it comes to surfing the Web.

Scareware

Scareware can appear in the form of a pop-up and look like a Windows or anti-virus alert. Some scareware screens look a lot like Norton AV, MS Security Essentials or Malwarebytes Anti-Malware. You can identify scareware by the timing and situation in which it appears and by the level of demagoguery, urgency and other scare tactics it uses to push users into action. Press ALT+F4 to close the window. Never click on any part of the graphic image, not even its own 'Close' or 'Cancel' button: the whole image is usually one link. Press CTRL+ALT+DEL and end the browser from Task Manager if necessary to avoid clicking on the image.

In the image above, a pop-up graphic is made to look like a Windows dialog box. If you click on the Remove Now button, a download starts and Windows (UAC) will prompt you to grant permission. If you grant access, the malware program will install itself.

Computer Viruses

• Some viruses are designed to generate profit for their creators.
• Some viruses are designed to seek revenge on behalf of their creators.
• Some viruses are designed to gain their creators notoriety.

Botnet Viruses

A botnet virus is a program which typically lies dormant until activated by a command and control (C&C) server. A botnet operator has tens of thousands or even millions of infected computers at his/her disposal that can be used to launch large-scale DDoS attacks. Botnet-infected computers may slow to a crawl while they are being used to attack other computer systems. Botnets are used to disrupt the networks of large corporations that fail to pay a ransom (DDoS extortion).

Spyware Viruses

Spyware is used to steal information from the infected computer. It scans the disk for credit card numbers, Social Security numbers, e-mail addresses and other information. Spyware can take screenshots of your desktop or pictures from your webcam. Spyware can log your keystrokes and send them out in a text file. Spyware can grant an attacker access to view your screen and operate your computer. Spies can control your computer using hidden command line sessions.

Cryptographic Viruses / Ransomware

Cryptographic viruses are one of the most dangerous types of virus. They encrypt your data files and network files and ask you to pay a ransom for their release. Cryptographic viruses can encrypt local data, network shares and folders and even backups: anything the infected user account can write to, the malware can encrypt. To avoid this fate, keep an off-line backup at all times (tape, or a USB drive that is disconnected once the backup finishes) and test that you can actually restore from it. Since cryptographic virus command and control servers are heavily pursued by the FBI/Interpol, you may not be able to recover your files even if you pay, because the server holding the decryption key may already have been shut down.
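One practical way to notice that a share or backup target is being encrypted before the good copies are gone is to plant decoy (canary) files and check them on a schedule: the malware has to overwrite or rename the decoys along with everything else. The script below is an added example, not code from the presentation; the share, the decoy names and the 'ransomware' are all constructed in a temporary directory so it runs offline, and the entropy threshold and naming scheme are this example's assumptions.

```python
"""Canary files as an early warning for ransomware on a share or backup
target. Added example, not code from the presentation. Everything here is
created in a temporary directory; the encryptor is simulated."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Names chosen so an alphabetical walk of the share meets one decoy early
# and one late (assumption of this example); contents are ordinary text.
CANARY_NAMES = ["000_budget_canary.docx", "zzz_archive_canary.xlsx"]
CANARY_BODY = b"Canary file - do not edit or delete. " * 40


def shannon_entropy(data):
    """Bits per byte: around 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_canaries(share):
    """Write the decoys; return {name: sha256} as the baseline to check against."""
    baseline = {}
    for name in CANARY_NAMES:
        (Path(share) / name).write_bytes(CANARY_BODY)
        baseline[name] = hashlib.sha256(CANARY_BODY).hexdigest()
    return baseline


def check_canaries(share, baseline):
    """Return one (canary, current file name or None, entropy) tuple per decoy
    that was renamed, rewritten or removed since plant_canaries() ran.
    An empty list means the share looks untouched."""
    alerts = []
    for name, digest in baseline.items():
        matches = list(Path(share).glob(name + "*"))  # also finds name + '.locked'
        if not matches:
            alerts.append((name, None, 0.0))
        for p in matches:
            data = p.read_bytes()
            if p.name != name or hashlib.sha256(data).hexdigest() != digest:
                alerts.append((name, p.name, shannon_entropy(data)))
    return alerts


def simulate_ransomware(share):
    """Stand-in for an encryptor: replace each file's contents with random
    bytes (what ciphertext looks like) and append an extension."""
    for p in list(Path(share).iterdir()):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            p.rename(p.with_name(p.name + ".locked"))


def demo():
    """Plant decoys next to a 'real' file, verify, then run the simulation."""
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "q3_budget.xlsx").write_bytes(b"plain spreadsheet data " * 50)
        baseline = plant_canaries(share)
        before = check_canaries(share, baseline)  # untouched share: []
        simulate_ransomware(share)
        after = check_canaries(share, baseline)   # one alert per decoy
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    for canary, current, entropy in after:
        print(f"ALERT {canary} -> {current}, entropy {entropy:.2f} bits/byte")
```

In use, `check_canaries` would run from a scheduled task on the backup host or file server, and any alert would pause the backup job and unmount the share rather than let the encrypted copies overwrite the last good backup. The entropy figure separates encryption (close to 8 bits per byte) from an ordinary user edit of a decoy, which stays near the 4 bits per byte of text.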

Disruptive Viruses

• Some viruses simply change digits in spreadsheets, accounting programs, etc.
• The Alcon virus overwrites random information to disk, causing damage over time.
• Some viruses damage your boot sector so that you cannot boot your operating system.
• The Kama Sutra virus destroyed Excel, Word and PowerPoint documents.
• The CIH virus tried to write to the BIOS and destroy your PC.

Browser Hijackers

Browser hijackers are designed to skew search results and re-direct users to paid search result sites instead of more relevant ones. When caught by anti-malware, they usually have the word 'search' in their description. Many are legal because they disclose T&Cs; they are shown by AV programs as PUPs (Potentially Unwanted Programs) and actually show up in Add/Remove Programs. Some even come preloaded on consumer grade PCs! CoolWebSearch is a common example of a browser hijacker.

Trojan Horses

Trojan horses are programs that deceive you into thinking that you are downloading a legitimate program when in fact you are downloading and installing malware! Beware of 'searching' the Internet for freeware or for a computer fixer-upper: this is a great way to get a Trojan horse. Some Trojan horses disguise themselves as anti-virus programs and will actually clean your computer of other, competing malware while keeping their own foothold.

How to Avoid Malware

Tips and Tricks to Avoid Becoming Infected

Keeping Viruses in Check

• When browsing Web sites, do not accept requests to install programs, and do not enter administrator credentials when prompted by UAC (User Account Control) unless you started the installation yourself.
• Create a separate non-administrator account for your every-day computing needs. Only log in to the administrator account when you need to make changes to your PC; malware running under a standard user cannot install itself system-wide without an administrator's password.
• Make sure you have an up-to-date AV and anti-malware program.
• Use a URL filter or parental control to block inappropriate sites as well as known phishing sites.
• Don't download and install freeware from random Internet Web sites. Use software from a trusted source.

Malwarebytes is a free anti-malware tool that should be used in conjunction with a good anti-virus. The paid version scans in real time and avoids having to run manual scans periodically. Visit www.malwarebytes.org to download.

Make Sure You Have a Good Anti-Virus Program

FortiClient is a free anti-virus program that has built-in parental controls. You can download it at www.forticlient.com. Using parental control is one of the biggest factors in preventing viruses. Many viruses originate from Web sites with unscrupulous content (porn, gambling, download, peer-to-peer, bootleg content sites, etc.). Over 30,000 legitimate sites are infected each day, so be cautious even when visiting known Web sites.

Exception Exploits

An exploit is an attack that takes advantage of faulty code in programs such as Acrobat, Internet Explorer, Word, etc. The attacker feeds the program crafted data (a PDF, a Web page, a document) that the program does not check properly. The oversized or malformed data overflows a buffer and overwrites control data stored next to it, such as the saved return address or, on Windows, the pointer to the exception handler the program will jump to when it hits the resulting error. When the program then raises the exception, it jumps to the attacker's address instead and executes the malicious code that arrived inside the data. To help prevent exploits, keep your programs and OS up to date and install Microsoft EMET (Enhanced Mitigation Experience Toolkit): http://support.microsoft.com/kb/2458544 (EMET reached end of life in July 2018; on Windows 10 and later its mitigations, such as DEP, ASLR and SEHOP, are built in as Exploit protection under Windows Security.)

Unified Threat Management

If your router supports UTM (Unified Threat Management), enable the UTM features. The UTM anti-virus and anti-malware gateway scans all incoming traffic for malware before it gets a chance to enter your network. Enable the URL filter to block known phishing sites, known virus distribution sites and known infected servers. It's also a good idea to block P2P sites, proxies and other sites commonly associated with malware infections. Use the UTM's SMTP filter to block SPAM as well as ZIP, RAR, EXE, COM and SCR files from coming in through your e-mail.

Sharing with Infected Computers

• Don't share programs or data with users via CD-ROM, USB sticks or USB drives.
• Disable CD/DVD and USB mass storage devices on corporate networks.
• Never plug a USB stick, USB drive or burned DVD into your corporate network without explicit permission.

What Should I Do If I Suspect Having A Virus?

• If your computer's anti-virus sounds an alert, please call the helpdesk immediately to have your computer checked out thoroughly.
• Even if the AV catches the virus, droppers and other malicious programs can remain.
• If left unchecked, a virus can propagate throughout the network and cause further damage. Please report it immediately.
• Call (305) 433-6663 option 1 to report a virus find.

Don't Accept Payloads

Oftentimes, when downloading programs or performing updates, you may be prompted to install a 'payload' program (bundled software, usually offered as a pre-checked option in the installer). Do not install the payload program!

The example above shows a fairly innocuous payload. Installing McAfee may interfere with your current anti-virus and cause problems, but other free software comes with far more malicious payload bundles.

Common On-Line Scams

• Work At Home: Ads promising steady income for working from home. The catch is that you usually have to pay up-front fees or buy courseware, and you typically don't see any income.
• Weight Loss: Promises of revolutionary pills, diets or exercise that are nothing more than gimmicks.
• Lottery: An e-mail or letter stating that you have won a foreign lottery, asking for bank information or up-front fees to cover taxes, shipping costs or wire transfer costs.
• Fake Check: Scams that answer on-line posts on eBay, Craigslist, etc. The scammer will show up with a fake cashier's check for a greater amount, claim it's an error and request the difference in cash.
• Mystery Shopper: You get hired as a mystery shopper for a bank or wire transfer company such as Western Union. You are given a fake check and asked to go cash it, then send a feedback form along with the money to a specified address.
• The Nigerian E-mail: An oil magnate in Nigeria has a large amount of money they need to transfer to the US and is seeking assistance in exchange for a percentage.