
Monday, August 3, 2009

If you can read this, thank a philosophy major

A Windows box in the house recently had a nasty case of the scareware, one of those fake virus removal thingies that pops up all kinds of frightening messages about how your computer is infected and you need to act now because, well, if your computer is acting like some rogue program has taken over, the only sensible thing to do is follow that program's instructions to remove the threat, right?

Sigh.

It's not just some web site gone amok. This thing has installed itself in the start menu. Shutting down the browser does no good. Rebooting does no good. Big-name virus checker is up-to-date, but says the computer is still vulnerable to intrusion. Offers a handy "fix" button for that. Which does nothing.

Sigh.

So, shut down the machine and go googling. A bunch of people are recommending roughly the same thing: download XYZ removal tool (a couple of people advise using some sort of "remove me" feature that the scareware authors have thoughtfully provided -- yep). One of the major publications appears to have given XYZ a good review. I visit the publication's site -- directly, not through a link, of course -- and the review seems to be there. So I go to the XYZ site. Um, is there an SSL certificate on this download site? Um, no. For that matter, was there one on the major publication's site? Um, no.

Sigh.

Further down the list of hits, a couple of sites have instructions for manual removal: delete a suspicious-looking entry from the Windows registry. Delete some files that don't look like they belong there anyway. Fortunately, this isn't one of those "delete *.dll from your SYSTEM32 folder and everything will be fine" scams. So I restart the machine in "safe mode", fire up regedit, delete the files in question, alias a few useless-looking sites to 127.0.0.1 for good measure and reboot.

Problem solved. Unless it only looks like it's solved.

Sigh.

You know what really bothers me here? It's not the annoyance of the malware itself. It's the epistemological nightmare that ensues. How would I know that that download site was legit? Probably it was, but you'd think a security software provider would think to buy a certificate. But even if they had, how sure could I be?

What makes me think the manual removal instructions were legit (besides a rudimentary knowledge of how Windows works and the fact that the annoyance seemed to stop)? Do I know that the malware is really gone and not just gone into stealth mode? Was it a decoy for something else? Do I cut the red wire or the blue one?

Who knows?

Who wrote the malware? The straightforward theory is a bunch of criminals just trying to harvest credit card numbers. The sneakier theory would be the upstart security provider with the removal tool. Subtheory A: They're just trying to steal market share from the big guys. Subtheory B: They're distributing malware themselves, disguised as a removal tool for a fake removal tool. Clever, what?

But I say it was a philosopher. Somewhere in the basement of some liberal arts department, a bitter post-doc is howling with laughter as all the computer geeks that went on to lucrative engineering jobs get what's coming to them.

Well played, sir or madam.

Tuesday, March 31, 2009

Not very much about Conficker.c

Having caught the Sixty Minutes episode in which LeBron James sinks a one-handed underhand shot from the opposite free-throw line -- in one take, no less -- I couldn't help also noticing a piece about the Conficker worm. Well, actually it was an advertisement for Symantec in which a spokesman showed how malware in general could do all kinds of scary things, just like it always has, but you could use Symantec to protect yourself. No mention of, say, Kaspersky or McAfee.

OK, so do the Windows boxes have this thing or not? There are several ways to find out. US-CERT, for example, recommends checking for connectivity to several sites. Microsoft has its own page.

Now, useful as these tips are, any of them just represents someone's best guess. Granted, it's a bunch of smart and experienced someones, but still, there's always the chance that the worm's authors have found some way to decoy around this. Even if not, there are many, many infected systems out there and no one really knows what if anything they'll do when the worm kicks into high gear, oh, right about now. As I've said, one of these days something out there is going to do serious damage. This might be it, or it might be another damp squib.

The thing that struck me, though, was that none of the sites I've seen mentioned, whether to check connectivity against or to download a scanner from, start with https://. So here's hoping that no one is monkeying around with DNS while all this is going on.

Grumpily yours ...