Malware Prevention - Preventing Reinfection
Post by Wingman on Apr 28, 2014 19:00:39 GMT -5
Information provided by Security Expert Quietman7 - Microsoft MVP - Consumer Security 2007-2014
Attackers and malware writers have been around since computers were first introduced. The industry has become a thriving criminal enterprise as infection methods have evolved into sophisticated techniques which make it difficult to detect and remove - Malware Research and Response at Microsoft: Origin of Malware.
Malware and Spyware are general terms that refer to unsolicited commercial software which downloads itself onto your system and often performs certain behaviors and hidden activities such as advertising, collecting personal information, or changing the configuration of your computer without your knowledge or permission. Some will force pop-up ads, redirect your browser's home page or search page, or add additional components to your browser you don't need or want. Some will track your Web movements, collect demographic and usage information from your computer and report back to their creators with the data. Others will offer free enhancements to your operating system or browser such as extra toolbars, special buttons, enhanced search capabilities and make it very difficult to change your settings back to the way you originally had them.
While the most common culprits are freeware, adware and shareware applications, paid-for commercial software has been known to contain spyware as well. Malware applications are usually bundled as a hidden component in mislabeled freeware and shareware downloaded from the Internet. They are almost always installed on your system secretively to ensure its widespread use and to prevent the end-user from discovering it. Malware infection can also occur if your browser is exposed to malicious web scripts or you encounter Rogue security programs. For more specific information on how these types of rogue programs and infections install themselves, read:
- Anatomy of a malware scam
- How does rogue security software get on my computer?
- How Malware Spreads - How did I get infected
- How to Tell If That Pop-Up Window Is Offering You a Rogue Anti-Malware Product
- Social engineering in action: how web ads can lead to malware
Other types of infections spread by downloading malicious applets or by visiting legitimate web sites that have been compromised through various hacking techniques used to host and deliver malware via malicious code, automated SQL Injection and exploitation of the browser/operating system vulnerabilities. Adware, Spyware, Hijacker, RATS, Keyloggers, Dialers, Rootkits, Viruses, Trojans, IRCBots...can be destructive and can compromise your privacy, identity and computer security.
Think you're infected with malware? These are some common symptoms to be aware of.
- You see pop-up advertisements even when you're not on the Web.
- Your Web browser home page or browser search settings have changed without your knowledge.
- You have difficulty connecting to the Internet or browsing to web sites.
- You notice additional components or a new toolbar in your browser that you did not install or cannot remove.
- Your computer is sluggish and takes longer than usual to complete certain tasks.
- You experience a sudden increase in computer crashes.
--------------------------------------------------------------------------------------------------
To protect yourself against malware and reduce the potential for re-infection, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest security updates from Microsoft including all service packs. Whenever a security problem in its software is found, Microsoft will usually create a patch for it and release the fix as part of Microsoft Windows Update. Microsoft releases security updates on the second Tuesday of each month and publishes Security update bulletins to announce and describe the update. If you're not sure how to install updates, please refer to Updating your computer. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Doing this will fix security holes through which attackers can gain access to your computer. Unpatched and infected Windows systems on the Internet are a security risk to everyone. When there are infected computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, spammers have more platforms from which to send e-mail and more zombies are created to perpetuate the cycle.
Visit the Microsoft Security Bulletin Summaries TechNet page on a regular basis for information on Microsoft Advisories and other important security update notifications. Microsoft also recommends that Internet Explorer 6 and 7 users upgrade their browsers due to security vulnerabilities which can be exploited by hackers.
2. Prevent spyware, homepage hijacking and increase your browser security by using these free programs:
- SpywareGuard
- SpywareBlaster
- ZonedOut
- Comodo BOClean Anti-Malware
- Block Unwanted Parasites with a Custom Hosts File - Instructions for the MVPS HOSTS File.
3. Run weekly scans with free spyware cleaning tools such as the following (be sure to update the definitions before scanning):
4. Supplement your anti-virus by performing a free online Virus scan:
- BitDefender Online Scanner
- Trend Micro Housecall
- Trend Micro Housecall Scan for Firefox <- Internet Explorer not required; does not use ActiveX
- F-Secure Online Scanner
- ESET Nod32 Online Scanner (Vista compatible but Internet Explorer must be Run as Administrator.)
5. Security Resources from Microsoft:
- Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
- Threats and Countermeasures: Security Settings in Windows Server 2008 and Windows Vista
- Microsoft Solutions for Security: The Antivirus Defense-in-Depth Guide
- Other Prevention and Protection Tips:
- Simple and easy ways to keep your computer safe and secure on the Internet
- Hardening Windows Security - Part 1 & Part 2
- How to Stop 11 Hidden Security Threats
- Configuring Internet Explorer for Practical Security and Privacy
- How to Secure Your Web Browser
- Safe Web practices - How to remain safe on the Internet
- How to Set Security Options in the Firefox Browser
- Use Task Manager to close pop-up messages to safely exit malware attacks
6. Be careful what you download: types of downloads that may contain malware:
- Free games, animated characters, and screen savers.
- Music, movies, and file-sharing programs.
- Instant Messaging (IM) attachments.
- Toolbars for your Internet browser.
- Unknown email files and attachments.
7. Never ever click the links within the text of the e-mail. "Phishing" is an Internet scam used to gain personal information that uses spoofed e-mail addresses and fraudulent Web sites to masquerade as legitimate business sites. The fake sites are designed to fool respondents into entering personal financial data such as credit card numbers, account user names, and passwords, which can then be used for financial theft or identity theft. To learn more about protecting yourself, please read How to Avoid Phishing Scams and Recognize phishing scams and fraudulent e-mails.
8. Be wary of freeware products. Always read the EULA (End User License Agreement) carefully. Some "freeware" programs come bundled with malware. You can analyze license agreements for interesting words and phrases before installing software by using Javacool's EULAlyzer. Always scan the downloads with your anti-virus program because even trusted sites have been known to be compromised.
9. Use a Firewall to protect yourself. A hardware firewall can provide a strong degree of protection from most forms of attacks coming from the outside. A software firewall generally offers the best measure of protection against Trojans and worms but they are harder to configure and must share resources with other running processes which can decrease system performance.
10. Avoid gaming sites, porn sites, pirated software, warez, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (e.g. LimeWire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
- P2P Software User Advisories
- Risks of File-Sharing Technology
- P2P file sharing: Anticipate the risks...
11. Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. One in every eight malware attacks occurs via a USB device. To learn more about this risk, please read:
- When is AUTORUN.INF really an AUTORUN.INF?
- Nick Brown's blog: Memory stick worms
- USB-Based Malware Attacks
Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.
- Microsoft Security Advisory (967940): Update for Windows Autorun
- Microsoft Article ID: 971029: Update to the AutoPlay functionality in Windows
Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.
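As an added example (not part of the original post or Quietman7's guide), the PowerShell script below audits the Autorun policy discussed above and, when it is not already fully disabled, sets it to the value that turns Autorun off for every drive type. It assumes the standard NoDriveTypeAutoRun policy value under the HKLM Explorer policies key, where each set bit disables Autorun for one drive type and 0xFF covers them all.

```powershell
# Added example, not from the original post. Assumes the standard policy value
# NoDriveTypeAutoRun under HKLM\...\Policies\Explorer; 0xFF disables Autorun
# for all drive types (removable, fixed, network, CD-ROM, RAM disk, unknown).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrivesDisabled = 0xFF

function Get-AutorunPolicy {
    # Returns the current policy value, or $null when the value is absent
    # (the OS default then applies and Autorun may still be active).
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-AutorunDisabled {
    # True only if every drive-type bit is set, i.e. Autorun is off everywhere.
    $current = Get-AutorunPolicy
    return ($null -ne $current) -and (($current -band $AllDrivesDisabled) -eq $AllDrivesDisabled)
}

function Disable-Autorun {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    $action = 'Set to 0x{0:X2}' -f $AllDrivesDisabled
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$ValueName", $action)) {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrivesDisabled -Type DWord
    }
}

# Report the current state, then harden if needed (run from an elevated prompt).
$before = Get-AutorunPolicy
if ($null -eq $before) { 'NoDriveTypeAutoRun is not set: OS default applies.' }
else { 'Current NoDriveTypeAutoRun: 0x{0:X2}' -f $before }
if (-not (Test-AutorunDisabled)) { Disable-Autorun }
'Autorun disabled for all drive types: {0}' -f (Test-AutorunDisabled)
```

The HKLM policy applies to all users and takes effect for new logon sessions; call `Disable-Autorun -WhatIf` to preview the change without writing the registry.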
12. Always update vulnerable software like Adobe Reader and Java Runtime Environment (JRE) with the latest security patches. Older versions of these programs have vulnerabilities that malicious sites can use to exploit and infect your system.
- Time to Update Your Adobe Reader
- Adobe Security bulletins and advisories
- Adobe Product Security Incident Response Team Blog
- Microsoft: Unprecedented Wave of Java Exploitation
- Drive-by Trojan preying on out-of-date Java installations
- Ghosts of Java Haunt Users
- Hole in Patch Process
13. Use strong passwords and change them anytime you encounter a malware infection, especially if the computer was used for online banking, paying bills, has credit card information or other sensitive data on it. This would include any used for taxes, email, eBay, paypal and other online activities. You should consider them to be compromised and change all passwords immediately as a precaution in case an attacker was able to steal your information when the computer was infected. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.
14. Do not disable UAC in Vista or Windows 7 and use Limited User Accounts.
15. Do not forget to Back up your important data and files on a regular basis. Some infections may render your computer unbootable during or before the disinfection process. Even if your computer is not infected, backing up is part of best practices in the event of hardware or system failure related to other causes.
Finally, stay informed, use common sense, and always practice safe web surfing habits. "Knowledge and the ability to use it is the best defensive tool anyone could have. An uninformed user can be their own worst enemy when acting in ignorance."
It is a good practice to Create a New Restore Point to prevent possible reinfection from an old one AFTER cleaning your system. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point will help prevent this and enable your computer to "roll-back" to a clean working state. If you're not sure how to do this, read "How to Create a Restore Point" and "How to use Cleanmgr".
Vista, Windows 7 and Windows 8 users can refer to these links:
- Create a New Restore Point in Vista
- Create a New Restore Point in Windows 7 (alternate method)
- Create a New Restore Point in Windows 8
- Disk Cleanup in Vista
- Disk Cleanup in Windows 7
- Disk Cleanup in Windows 8
IMPORTANT NOTE: Backdoor Trojans, IRCBots, Botnets and Rootkits are very dangerous. Backdoor Trojans provide a means of accessing a computer system that bypasses security mechanisms and can steal sensitive information like passwords, personal and financial data which they send back to the hacker. Keyloggers sit stealthily on your system and monitor all the keys you press including all your logins and passwords. Rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
If you had any of these infections and your computer was compromised, banking and credit card institutions should be notified of the possible security breach.
- How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
- What Should I Do If I've Become A Victim Of Identity Theft?
- Identity Theft Victims Guide - What to do
- Internet Crime Complaint Center (IC3): Filing a Complaint
- Guarding Against Computer Theft
Although the backdoor Trojan, botnet or rootkit can be identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because this type of malware has been removed the computer is now secure. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
- When should I re-format? How should I reinstall?
- Where to draw the line? When to recommend a format and reinstall?
This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do?:
The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
Attempting to reinstall Windows (repair install) without first wiping the entire hard drive with a repartition/reformat will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system causing problems will still be there afterwards and a Repair will NOT help!
Note: If you're using an IBM, Sony, HP, Compaq, Toshiba, Gateway or Dell machine, you may not have an original XP CD Disk. By policy Microsoft no longer allows OEM manufacturers to include the original Windows XP CD-ROM on computers sold with Windows preinstalled. Instead, most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore" that will reformat your hard drive, remove all data and restore the computer to the state it was in when you first purchased it. Also be sure to read Technology Advisory Recovery Media. If the recovery partition has become infected, you will need to contact the manufacturer, explain what happened and ask them to send full recovery disks to use instead.