Category Archives: Malware
More Time to Clean TDSS/Alureon as FBI Orders Extension for Clean DNS Changer Servers
The DNS Changer Working Group (DCWG) has been ordered to extend its operation of the clean DNS servers that replaced the malicious servers, which had been used to further infect machines with malware and fake software products.
The Internet runs on dotted-decimal addresses, but human beings remember words more easily than long numbers. So the Domain Name System (DNS) tree was established to publish a translation from domain names to the dotted-decimal addresses that computers understand. For example, while you might type “www.johndscomputers.com” into the address bar of a browser, the browser sends that name to a nameserver, which translates it into 216.239.131.9. Whoever controls that nameserver therefore controls where your computer ends up going, which is why the malicious servers mattered.
iDevice Manager (was iPhone Explorer) Installs MySearch/Incredibar Crapware
I’m a little P-O’ed. The worst thing about shareware used to be the risk of getting nagware. It would nag you to death until you coughed up whatever their fee was.
Nowadays, though, the biggest danger is crapware slipped into the installer, in particular toolbars that do little more than slow your computer down, track your browsing and serve you ads. It’s an annoying practice, even when the little addition is a legitimate program. However, installing genuinely unwanted crapware without even prompting you is inexcusable.
It is particularly puzzling when donationware does this. Now, I have donated to some very useful program sources in the past, even when I thought the promoting of donations was a little pushy (although it does make me more likely to really drag my feet first, because I get suspicious when it’s too pushy). I mean, if you really need the money that badly, why not make it shareware and have people pay for what the program really does?
Well, unfortunately, it seems that even potentially useful utilities like iDevice Manager from Marx Softwareentwicklung, www.software4u.de, fall victim to stupid practices that just piss people off. I thought it was a fluke the time before last, but it happened again during an update. The update changed my default search to the Incredibar BS and installed the MySearch malware without asking me. If you uninstall it from the Programs control panel, it will only uninstall the IE toolbar. Your home page and default searches for all of your browsers, though, are still set to the Incredibar nonsense. You have to clean it out of all of your browsers and reset their home pages (although System Restore might do that for you as well if the restore point is recent).
Seriously, stuff like this should be prosecutable in a court of law. I’m putting the word out to anyone who will listen to avoid iDevice Manager like the plague.
Oh, and as to a donation? You’ve got to be doing drugs! Now that I’ve written my review, I’m removing it ASAP.
Resetting TCP/IP in Windows XP Sometimes Doesn’t Work After Rootkit Malware
Microsoft has KB article 299357 that supposedly assists in resetting your Windows XP TCP/IP network settings back “to its original state”. I assume it works correctly under normal circumstances, but after a malware attack, it seems that it may or may not work.
As background, there are rootkits out there that infect the TCP/IP stack. However, TDSSKiller from Kaspersky, which is good at detecting a lot of rootkits, does not find all of them. In addition, Surfright’s Hitman Pro, which usually catches what others miss, does not detect this one either. Combofix was able to detect the infection, but DHCP would still not work on the client; instead, it sat there saying “Acquiring network address”.
New Sneaky Brazilian Banking Trojan
SecurityNewsDaily posted that a Brazilian Banking Trojan Poses as Microsoft Anti-Malware Tool. This one sounds particularly sneaky: it replaces the boot loader just long enough to infect the system and then restores it in order to avoid detection.
It just proves that the old methods of tricking users into infecting themselves still work, and that after all this time email is only slightly safer than ordinary web surfing (perhaps even worse).
21 Search Engines Homepage Hijack
I’m going to set aside the usual Friday stuff because I’m really surprised to not be able to find a lot of information on this particular issue. I want to get it out there, because I’m starting to see this with increasing frequency. The user, somehow, someway, gets their homepage changed to “21 Search Engines” without them knowing it. Whenever this occurs, additional spyware/adware is found on the system.
Now, which came first, the chicken or the egg? I do not know, but if you find yourself in this situation, it is advised that you:
Threat Definitions by Panda Security
When cleaning a virus or other malware, one of the frustrating parts of deciding on additional security measures is classifying the malware so you know which measures are actually needed. For instance, you don’t necessarily want a customer to change all of their online passwords unless there is a very real threat (well, you may want to for other reasons, but there needs to be a balance in how much you inconvenience a paying customer).
There are pretty good malware definitions, along with cleaning instructions, on the Geeks To Go! forum “Malware Removal Guides and Tutorials” and on the similar Bleepingcomputer.com forum somewhat misnamed as simply “Spyware Removal”. However, these forums have the disadvantage of being staffed primarily by volunteers, so virus and malware definitions might not be as up to date as one would like. Also, different vendors call the same malware by different names, which is a real headache when trying to translate one vendor’s name into another vendor’s equivalent. Sometimes you’re better off just using Google if you know a virus name.
‘Black Friday’ iTunes Scam
The Telegraph reports on a “‘Black Friday’ iTunes credit scam” being sent via a zip attachment in an email claiming to be a gift.
Anatomy of a Computer Virus
One thing that popped up on my radar via StumbleUpon was a link to “Short Film of the Day: Stuxnet: Anatomy of a Computer Virus”. It’s an unusual “film” in that it is more like a PowerPoint presentation with a voice-over than a film. It documents Stuxnet, which has the ability to shut down computers that control nuclear power plants, electrical grids and the like. It’s a bit unnerving when you think about it, although it isn’t clear whether some of the facts are a little hyped.
Detecting Malware and Removing It
It is difficult to capture in short steps how to detect and remove computer infections of malware, but SecurityNewsDaily does a pretty decent job in “6 Signs Your Computer Has Been Infected … and 4 Ways to Fix It”.
One thing I cannot stress enough is to back everything up, booting from a CD (to minimize spreading the infection) and using something like the free Clonezilla or the more user-friendly (but still reasonably priced) Acronis True Image Home. Otherwise, you might end up in even worse shape because you cannot boot your computer.
However, I think that with the increasingly complex viruses, trojans and other malware out there, everything they list may still not remove the infection in a significant portion of cases. That’s why a more comprehensive resource like Bleeping Computer’s Spyware Removal guide section is so important.
At the end of the day, however, many users would prefer to bring their computer to a professional, such as <ahem> John D’s Computer Services. If you mention this blog article before 28 September 2011, you can get a malware cleaning for the old price of $75.00, which is only about 60% of the price of some of the brick and mortar guys!
