Feb 23 2010


The cobbler’s children have no shoes…

How many of you have heard the phrase used in the title?  Essentially, it refers to a professional being so busy with work that their own family lacks the very services they provide to others.

I had occasion to reflect on this statement as I worked on my wife’s laptop this weekend.  Yes, I am ashamed to admit that my own wife’s computer was infected with malware!  You would think a computer security professional’s computers would be safe, right?

My wife loves to play some of the games on Facebook in her spare time.  I came up the stairs Friday evening and heard my wife urgently call me over to her desk.  She told me she was just playing a game when suddenly the browser closed down and a pop-up appeared saying her system was infected with malware.

My wife doesn’t pretend to be very technical – that’s my job. All she wants of a computer is to turn it on and have it work.  So after explaining the problem, she left me to deal with cleaning it up. The culprit appeared to be a version of the “scareware” I wrote about a couple of months back.  This is software that poses as an anti-malware package, claims to have found lots of viruses, etc., and asks you to pay for the product to “clean” the malware it “finds”.  This was a particularly nasty variety called Vista Anti-Spyware 2010.  In addition to the annoying pop-ups that appeared, this product deleted Windows Defender (the Microsoft anti-spyware product), turned off AVG antivirus, and replaced the Windows firewall with itself.  It also made changes to the registry so that even if you managed to find the process and stop it, it would re-launch when you started any other program.
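The post does not say which registry keys the scareware changed to get itself re-launched whenever another program started. Two well-known ways malware of this kind does that are hijacking the default `open` command for `.exe` files (so every program launch first runs the malware) and planting a `Debugger` value under Image File Execution Options (so Windows starts the named “debugger” instead of the program). The read-only check below, added here as an example and not part of the original post or of any product mentioned in it, looks for both. Run it from an elevated PowerShell prompt; the expected `"%1" %*` value and the key paths are standard Windows defaults, and the assumption that these were the mechanisms used is mine, not the author’s.

```powershell
# Added example: look for registry hijacks that make malware run when any .exe is launched.
# Assumption (not stated in the post): the persistence used the exefile association
# and/or IFEO Debugger values. Read-only; prints findings, changes nothing.

$findings = @()

# 1. The default verb for executables should be exactly  "%1" %*  (program path, then its args).
$expectedOpen = '"%1" %*'
$assocKeys = @(
    'HKLM:\Software\Classes\exefile\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command'   # per-user copy overrides the machine one
)
foreach ($k in $assocKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -ne $null) {
        $cmd = $v.'(default)'
        if ($cmd -ne $expectedOpen) {
            $findings += "exefile open command changed at $k : $cmd"
        }
        if ($v.IsolatedCommand -and $v.IsolatedCommand -ne $expectedOpen) {
            $findings += "exefile IsolatedCommand changed at $k : $($v.IsolatedCommand)"
        }
    }
}

# 2. The .exe extension should still map to the 'exefile' ProgId; a new ProgId is another hook point.
foreach ($k in 'HKLM:\Software\Classes\.exe', 'HKCU:\Software\Classes\.exe') {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -ne $null -and $v.'(default)' -ne 'exefile') {
        $findings += ".exe extension remapped at $k : $($v.'(default)')"
    }
}

# 3. IFEO: a Debugger value under <program>.exe makes Windows launch that path instead of the program.
#    Legitimate tools occasionally set this, so review each hit rather than deleting blindly.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        $findings += "IFEO Debugger set for $($sub.PSChildName): $dbg"
    }
}

if ($findings.Count -eq 0) {
    "No .exe launch hijacks found."
} else {
    $findings
}
```

If the exefile command has been replaced, the value will typically name a file in the user’s profile or a temp directory followed by `"%1" %*`; that file is the process to collect before restoring the key to `"%1" %*`. Run the check again after a System Restore, since the restore is what actually reverts these keys.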

The first thing I did was to disconnect the system from the network.  I had no idea if the malware contained a keylogger or trojan designed to “call home” and send any personal information it found.  Then I tried to install different anti-virus products to clean up the infection, but the malware recognized the programs and refused to allow them to install.

To resolve the problem, I finally had to boot into the Windows boot menu (press the F8 key during the boot process before the Windows splash screen) and run the Windows Repair option.  From there, I went into the System Restore menu.  I was able to see, based on the restore points, exactly when the malware had installed itself.  I selected a restore point prior to that event, and restored all of the files and the registry.  At that point, I was able to scan the system with anti-malware software and clean up any remnants.  However, I did not change the AV software I was using or make any other changes to the system.

All’s well that ends well, right?  Not so fast.  Saturday, my wife went right back to playing her games on Facebook.  Within an hour, she was calling me upstairs again.  Same problem, same symptoms, only this time the pop-ups said “Vista Anti-Virus 2010”.  (The game she was playing on Facebook was new to her, so I advised her not to play that game any more.)  I went through the entire clean-up process again, but this time, I went a little further.  First, I scanned the system with 2 AV and 3 anti-spyware (AS) products that were run from a USB drive (no installation necessary).  Next, I changed my AV from AVG to Avast; I installed Malwarebytes Anti-Malware; and I installed a host-based intrusion prevention system (HIPS) called ThreatFire.  A HIPS watches what running processes do rather than matching file signatures: when a process tries to make a suspicious change to your system (such as uninstalling your AV or replacing the firewall), it blocks the action and notifies you, which is exactly the behaviour that let this scareware disable the existing protections. My next step will be to install a 3rd party personal firewall package, probably Sunbelt Personal Firewall.

The moral of the story?  Well, first is that anyone can become complacent about security.  I tend to keep my own computers up to date with security software, but had not been as diligent with my wife’s laptop.  I paid for that with many hours of my free time this weekend, but it could have been worse. 

Second, don’t assume that there is a “silver bullet” to preventing malware.  I had an AV product and an anti-spyware product on her computer.  However, because the malware was attached to a program she willingly allowed to run (the game), it was able to bypass those protections and infect the system.  Now, in addition to the AV and AS software, I have added HIPS and 3rd party firewall software to the layers of defense on her computer. While even this is not fool-proof, I have made it much more difficult for anything to infect our systems.

And now my wife can just turn on her laptop and have it work again. She’s happy, so I’m happy.  :-)
