Spyware, trojans, and other nasties

Someone has stolen your computer. What is worse you may not have realised. This is the story of life today on the Internet, and how to keep safe.

“Something seems to be wrong with my computer, it is running really slowly. Oh, and we keep getting all these pop up ads for porn and gambling sites every time we try to browse the web”.

All too frequently we receive a ‘phone call like this.

This article is aimed mostly at users of computers running MS Windows. Some of the concepts however will apply regardless of the type of computer you use.

Some History

For years there have been many bits of malevolent software (or “malware”) circulating, a good number of which were computer viruses. While some of these did nasty things to your computer, most were irritations. Today, with help from some anti-virus software, most can be dealt with swiftly. Prior to large scale and popular use of the Internet, viruses were typically propagated by infecting files, that then got passed around on floppy disc, or on Local Area Networks.

Damage

The common theme of many early virus attacks was that of damage. The result of an infection was frequently obvious – your computer stopped working, or files were corrupted or deleted etc. You knew when you had been hit, because damage had been caused. This also meant that you were alerted to the infection and could set about dealing with it.

The world has moved on

The interconnected world has given rise to newer malware threats which vastly speed up the process of infecting computers using the internet, it also provides far more sinister motivations for creating them. With many people and businesses now reliant on their computers and the internet for their day to day work, the opportunities presented to the less than ethical sections of our society to make money from wrongdoing have grown rapidly. Organised crime has moved into the software business!

Rise of the botnet

There is now far more profit to be made by an attacker from gaining the use of your computer without you finding out, certainly more than there ever was in simply causing damage for the sake of it. If someone can co-opt your computer to carry out a criminal act on their behalf, then they will think "so much the better", as it helps cover their tracks. What is more, it can become far more effective if they can get lots of computers working for them.

Lots of malware you encounter these days that has a “backdoor” or remote access capability. This allows a remote and unknown criminal to take control of your computer and direct it to download and execute any software of their choosing.

You computer may not appear to be doing much, but without your consent it may be used to help relay spam messages, carry out extortion or “Denial of Service” attacks, steal you identity, raid you bank or credit card accounts, and generally snoop into all sorts of areas of your life!

Collections of hundreds of thousands of computers compromised in this way and controlled remotely are called “botnets”. The “owners” of these botnets will even trade the services of “their” computers on the open market!

How does my computer get compromised?

A multitude of ways:

The classic scenario is when you open an attachment on an email only to find out that it is not what you thought. Alas it is not always that simple. Just looking at the wrong email can be enough in some cases!

You download a useful sounding program only to find that other undesirable applications (the Trojan or Trojan Horse) are included with it.

You visit a web page (either by intention or accident) that has been specifically constructed to exploit a security flaw in the software you may be using.

You install software that claims to detect and remove spyware! Sadly the vast majority of spyware detection programs now available are nothing of the sort! The creators of these applications have now realised that public awareness of the subject is growing, and are using it to dupe people into installing software that in many cases is itself spyware, and some times significantly worse.

How will I know?

You may see some or all of the following:

  • Your computer may start feeling very slow and unresponsive.
  • Internet access will get ever slower.
    You get bombarded with pop-up adverts every time you visit a web site, and they don’t even seem to be related to the site you are visiting.
  • You web browser may have changed its start page (and resist attempts to reset it to the one you want).
  • You may see lots of traffic flowing over your Internet connection even though you are not causing it yourself.
  • Every time you mis-type a web address you find yourself at an unexpected search page that seems to offer lots of links to gambling and porn sites, plus offers of software to help clear spyware from your computer!
  • Your anti-virus program or firewall may stop working, you may find each time you restart them they stop shortly afterwards.
  • You may not be able to launch the command prompt or task manager on your computer without them closing themselves.
  • You spot unusual programs running on your computer that you don’t recognise.
  • Your web browser has acquired a new tool bar you did not remember installing.
  • You may find your internet connection keeps changing the phone number it dials (modem users) to a premium rate one. (Broadband users may find the computer trying to go back to using dial-up)

How do I protect my computer?

This really is a case of prevention being much better than cure. You can carry out a few simple tasks that will prevent most of these problems occurring in the first place.

Applications that will help prevent problems

As a very minimum level of protection you will need to be running:

  • A Firewall. (built into recent version of windows)
  • Anti-virus Software
  • An adware Scanner

Software that will prevent installation of unwanted programs in the first place can also be very handy!

Top tips to keep you safe

The best protection you can get is that of learning how to modify your behaviour with the computer so as to reduce the risks in the first place. Making sure that you are current with all the security fixes provided by the maker of your operating system is fundamental. Many items of malware survive in spite of fixes that prevent their spread having been widely available for a year or more. This is simply a result of people not keeping their computers up to date.

In particular:

Don't forget to do your research. If you want to download a useful sounding program, research it first. You can often do this by typing the name of the software into Google. Look at the results. Better still use Google's ability to search Usenet discussion groups here, you can bet that if a program is known to be malware then there will be plenty of discussion on the subject here!.

Be vary wary of any Toolbars, Search assistants, or anything else that promises to otherwise help you.

Never allow your web browser to install something, or run something that you did not explicitly ask for. The safest answer is "no". Get out of the habit of blindly clicking "yes" or "ok" to every question you are asked.

Avoid snake oil! You may see lots of adverts for "internet optimisers" - programs that will at a stroke make your internet connection work better, safer, faster etc. Again do the research first. If there were a quick fix way of improving performance, then you need to ask yourself why it is not already included as a standard part of the computer or its internet software.

Beware of anti spyware products! This may sound like an odd warning to read on a page all about these things, but note that many many products are not what they seem. There are some organisations out there that will gladly infect your computer with adware, that will in turn keep directing you to web sites they own, that will in turn sell you software to remove adware! (Needless to say this software does not actually work anyway).

Do:

Make regular backups. Make sure that you also keep several old backups and do not overwrite your only current working backup when you make a new one! DVD writers ans USB memory drives are cheap and will store loads of information. Make sure also your backup strategy works. Finding out it does not when you really need it is not fun!

 

How do I fix my computer once it is compromised?

This is a task that will vary in complexity from something that is simple enough to be accomplished by a non technical user with no difficulty, to something that will defeat even a specialist technician armed with a multitude of software tools and years of experience. You have been warned!

Rather like when fixing a car, it is handy to have a working one in order to go and get bits etc. So it is with fixing a compromised computer. Having access to another working one is almost essential so that you can get access to the tools you will need, and also research what you need to do with them.

To clear minor problems, a sweep with an anti-virus and anti adware product will usually do it. More seriously compromised computer may prevent you from running these tools however. Some malware will attempt to block removal of itself and even attempt to shutdown the tools you will need to use. Starting the computer in safe mode can help stop some of these tasks getting started at boot time which may make you job easier.

You may need to turn off the windows "System Restore" capability to clear away infected files from the restore folder. This will also prevent it reloading the infected files back onto your computer the next time you use the system restore capability!.

You may need a process killer like Task Manager to stop malicious applications running before you can remove them. If the malware recognises and defeats the built in task manager then you may need to find an alternative program (see the security software section for more advice). Sometimes simply making a copy of the taskmgr.exe file in your windows directory and renaming it to something else will fool many monitoring processes that would otherwise stop it. It is often worth the effort to expand a new copy of any utility files like this from your windows install disk. That way you can be sure that you are not using a version that may have been deliberately altered by the malware.

You may need to get well acquainted with windows regedit (note that indiscriminate use of this program can cause as much or more damage than the malware itself!).

The most sophisticated infections are almost impossible to remove manually, and you will need a specially written program designed to remove these types of infections.

Finally you may find that in some cases it is either not possible to remove the problem or it is at least not viable in terms of time or cost. In which case consider backing up all of your files and data, then reformatting the PCs hard drive before reinstalling all your operating system followed by all your applications using your original install disks. You will then need to add security software as described above before reconnecting to the internet to access all the outstanding security patches that will need to be re-applied. Finally you can restore your data from your backup.

 

  Home | Contact | Services | Info | Shop