Thursday last week saw the fourth emergency security update to Adobe Flash in as many months. Combined, those updates have plugged a total of 107 holes; last week’s update alone accounted for 36 of them, at least one of which is known to be exploited in the wild to crash, or take complete control of, an affected computer.
This is nothing new. Flash has long been a favourite of online criminals for infecting unsuspecting internet users (including as a delivery route for the Locky ransomware), and its already tarnished reputation shows no sign of improving any time soon. It is no surprise, then, that many now doubt whether they really need Adobe Flash at all. Therein lies the question: should we update Flash now, or uninstall it altogether?
Should I uninstall Flash altogether?
Ideally, yes. However, as I suspect is the case for most people, you are probably using it more than you realise. Some videos published to Facebook and YouTube still fall back to Flash, not to mention the online Flash games popular with kids and with anyone looking for a little mind-numbing fun during their lunch break.
If you think you can do without it then there are no two ways about it: get rid of it now. Having Flash installed does nothing but increase your risk of infection. Instructions on how to uninstall Flash altogether can be found here for PC and here for Mac.
If, as is most likely, you do still need it, or if you are unsure, then read on.
OK. So how do I update Flash?
So, as I thought, you do still need Flash. That is OK, but it is absolutely imperative that you update it now and keep doing so on a regular basis.
If you are fortunate enough to have your computer covered by our ByteSafe Silver, Gold or Platinum packages then the good news is you needn’t do anything: we have it covered. Around a month ago we added functionality to ensure that any commonly used third-party application (Flash, Java, Chrome etc.) hit by a zero-day vulnerability is updated as soon as a fix is available.
A zero-day vulnerability is a security hole in an application that is being exploited before its vendor has a fix for it, often before the vendor even knows the hole exists. Once made aware, the vendor hurries to release a patch; until that patch is installed on your machine, the hole stays open.
With our ears firmly to the ground, the moment we catch wind of a zero-day for which an update has been released, all systems covered by ByteSafe Silver, Gold or Platinum are patched the same day at best, and otherwise the following morning (or the next time the system is switched on).
If you are not covered (feel free to get in touch to discuss our packages in more detail) then you will need to apply these updates yourself. It is worth noting that Google Chrome bundles its own copy of Flash Player, so you need to update Chrome itself to be patched; likewise, Internet Explorer and Edge on Windows 8 and later receive their Flash updates through Windows Update. If you use another browser, click here for instructions on updating. Whichever browser you use, check the installed Flash version against Adobe’s current release afterwards rather than assuming the update applied.
What does the future hold for Flash?
The writing is already on the wall. Google has started the ball rolling by making Chrome favour HTML5 over Flash, and I expect others to follow within the coming months. To a hacker, Flash has proven to be the gift that keeps on giving, and with viable alternatives already available there is little excuse to keep using it for much longer.
Do you use online services such as LinkedIn, Twitter, Myspace or Tumblr? Are you re-using a password across more than one online account? If so, the time has come for a re-think. The password you are re-using may be suitably complex (that is still important, and a post for another time). However, the fact that you are using it more than once puts you at risk. Here’s why:
So why is re-using passwords a bad idea?
You have a password for each online account, whether that is Facebook, Amazon or LinkedIn, in the same way that you have a key to your home, the office and even your car. I am sure you would agree that it would be completely stupid to have a single key for all three (home, work and car), so why is it OK to re-use the same password for your Facebook, Amazon and LinkedIn accounts?
Let’s say you go out for a meal in town and decide to drive there. You enjoy a lovely evening with your partner, but little did you know that when the waiter took your jacket he also took your key and had a copy cut. Now he has easy access not just to your car but also to your home and even the office. In real life this is very unlikely, but imagine for a moment that it could happen. A pretty frightening thought, right?
But my password hasn’t been stolen. Has it?
The answer is I don’t know for sure, but it is certainly possible. Reports surfaced last month that the usernames and passwords of more than 100 million LinkedIn users were being sold online. The data being sold is thought to have originated from a breach around four years earlier, but it is probable that a large proportion of those users have not changed their password since. I personally use LinkedIn and did so back in 2012. Were you too?
That is not all. Only a week or so later, details emerged that credentials from separate breaches of Myspace and Tumblr, running to tens and hundreds of millions of accounts, were also being sold online. It didn’t stop there: as I sat down on Friday evening to begin writing this very article, news arrived that Twitter had also suffered at the hands of hackers. While we are still waiting for further details to surface, it certainly illustrates how much of an issue this is right now.
Why is this happening?
It was never much of a surprise that, as time went on, we would see a steady increase in internet-related data breaches. After all, the more we rely on computers and the internet, the more data there is online; the more data there is online, the more there is to be stolen; and the more there is to be stolen, the more will be stolen. What’s more, there is now far more of a financial motive for a hacker than there ever used to be, with data collected from such breaches being sold online for thousands of pounds.
Last year such breaches got a fair bit of media coverage (most notably in the case of TalkTalk back in October) and 2016 has shown no sign of this letting up. And if you take into account how little the authorities are doing, or are able to do (lack of funding and expertise being arguable excuses), then it is up to us to do all we can to keep our own information safe.
What can I do?
It goes without saying that the obvious solution is simply to stop re-using passwords across accounts. I know, I know: having so many passwords is difficult to manage. I completely understand this, and realistically you probably have dozens of online accounts, so remembering a different password for each is no easy task for anyone. But all is not lost, and you do have some options here.
Have you heard of two-factor authentication? Put simply, it is a two-step process requiring the user to provide something they know (a password) along with something they have (for example a unique code generated by, or sent to, their mobile phone) before they are granted access. This greatly reduces the damage a stolen password can do, because an attacker logging in with stolen credentials holds only one piece of what is now a two-part puzzle. It is not a silver bullet: codes sent by SMS can be intercepted or redirected by someone who takes over your phone number, so prefer an authenticator app where the service offers one, and keep your account recovery details up to date.
A large number of online services already provide this facility, free of charge. The list of those offering it includes, but is not limited to, Apple, Google, Dropbox, Twitter, Facebook and Tumblr, and all of them provide instructions on how to get started, so there really is no excuse not to enable it wherever possible.
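To show concretely what the "something you have" factor is, here is an added example (not code from the original post, and not any provider’s implementation) of how a service verifies a time-based one-time code of the kind an authenticator app displays, following RFC 6238 TOTP. The shared secret enrolled on the phone is what a stolen password cannot replace. The secret used below is the RFC 6238 test secret and the timestamps are chosen for illustration; nothing here is a real account.

```powershell
# Added example: RFC 6238 TOTP generation and verification in PowerShell.
# The 20-byte secret is the RFC 6238 test vector secret, not a real enrolment.

function Get-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Step = 30,
        [int]$Digits = 6
    )
    # Counter = number of 30-second steps since the Unix epoch, encoded as 8 big-endian bytes (RFC 4226)
    $counter = [int64][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }

    $hmac = New-Object System.Security.Cryptography.HMACSHA1 -ArgumentList (,$Secret)
    $hash = $hmac.ComputeHash($msg)

    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window; clear the sign bit
    $offset = $hash[19] -band 0x0F
    $bin = (($hash[$offset] -band 0x7F) -shl 24) -bor
           ($hash[$offset + 1] -shl 16) -bor
           ($hash[$offset + 2] -shl 8) -bor
           $hash[$offset + 3]
    ($bin % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

function Test-TotpCode {
    param(
        [Parameter(Mandatory)][byte[]]$Secret,
        [Parameter(Mandatory)][string]$Code,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$Window = 1      # steps of drift tolerated either side of "now"
    )
    # Accept the current step and $Window steps either side to allow for clock drift.
    # A real service must also remember the last step it accepted for this user and refuse
    # any code from that step or earlier, otherwise a code seen once can be replayed.
    for ($i = -$Window; $i -le $Window; $i++) {
        if ((Get-TotpCode -Secret $Secret -UnixTime ($UnixTime + $i * 30)) -eq $Code) { return $true }
    }
    return $false
}

$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')   # RFC 6238 test vector secret
Get-TotpCode -Secret $secret -UnixTime 59
Test-TotpCode -Secret $secret -Code (Get-TotpCode -Secret $secret -UnixTime 59) -UnixTime 75
Test-TotpCode -Secret $secret -Code '000000' -UnixTime 75
```

With the RFC 6238 test secret and time 59, the six-digit code is the last six digits of the eight-digit value the RFC lists for SHA-1 (94287082), so the first line should print 287082; the second call succeeds because time 75 is within one 30-second step of the code’s window, and the third fails. The point for the reader is the last sentence of the verifier’s comment: the one-time code only protects you if the service refuses to accept it twice.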
Password Management Apps
When it comes to keeping ourselves safe online there is often a trade-off between security and convenience. But what if you could have the best of both worlds? Interested? If you want to go one step further, my advice would be to look into a password manager. While not affiliated with them in any way, I am personally using LastPass at the moment and have also used Keeper in the past. Both offer almost identical services, with the former providing a free option for individual use and both offering paid solutions for teams or entire companies.
Password managers keep a record of all your passwords and make it easy to ensure each one is long, random and never re-used. Generally speaking, the only password you then need to remember is the one for the password manager itself. That master password becomes the key to everything, so make it the strongest one you own and enable the two-factor authentication that these managers support, so that the manager itself is well protected.
At the end of the day I am realistic enough to know that most users probably won’t heed such advice, and because of this I strongly expect and hope that the security teams behind such online services put systems in place to help protect users from themselves. That is all well and good, but until it becomes general practice we need to do more to look after ourselves, because this problem isn’t going away any time soon. Cyber security is very much a moving target, and the defences that keep us safe today won’t necessarily be half as effective tomorrow.
Bytedefender uses a different strategy to keep your systems safe.
It is like a “ring of steel” stopping nasties from getting to your network.
It does this by providing an extra layer of security (nothing is infallible) that stops the nasties from reaching your systems, rather than dealing with them once they arrive. That makes sense to me, and hopefully to you as well.
Our 7-day FREE trials of our Bytedefender firewall and Intrusion Detection System start in June 2016. We will install the Bytedefender box so that it blocks viruses and spam; in fact it does a whole lot more than that, as detailed later in this post.
Each Bytedefender box will be installed on a Monday and taken out on the Friday afternoon. After each trial we will give you the reports on what it has caught and how much value it would be to you.
The Bytedefender box has many of the characteristics of a normal computer but concentrates all its power on scanning and analysing data, and is optimised for that. It does a lot more than detect viruses and spam, so take a look at the other benefits.
You can get back in control of your network by specifying the types of websites your employees may visit, whether by category of website or by specific sites, and you can exempt particular people from the policy. Want to ban Facebook? No problem. Gambling sites? Easy. Our web filtering lets you control the places on the internet where you do not want people to go.
Perimeter virus detection
Rather than each and every workstation having to scan attachments for viruses, our system stops them at the door. The scanning is done by a Linux-based system, so malware written to run on Windows cannot infect the box doing the inspecting; that said, perimeter scanning is an additional layer, not a replacement for the antivirus on each workstation, because anything the gateway misses (an encrypted attachment, a download over a link it does not inspect) still lands on a Windows PC.
The same happens with spam, and you can tune how aggressively messages are scored. The software makes decisions on the sender, the subject line and the content of the email, looking for known patterns and key words, and if you want to increase the detection rate (at the cost of more false positives to review) you can.
It has a specific and separate phishing filter, which looks for emails designed to trick you into handing over your details. Again, this stops them at the gateway.
It has an advertising blocker. Pop-up advertising is only going to get worse, and many of the customers who will have this system have not yet seen how bad it can get.
We can even speed up your browsing by turning on a web cache, which keeps copies of recently fetched pages and content and serves them from the box rather than fetching them again, so frequently visited sites load noticeably faster.
For advanced configurations we can also have the system inspect SSL traffic. SSL traffic is encrypted, so inspecting it means installing the box’s own certificate on each company computer so that the box can decrypt, analyse and re-encrypt the conversation. Determined employees trying to circumvent the Facebook ban over HTTPS will be caught here. Because this also exposes personal logins and banking sessions to the box, decide deliberately which categories are decrypted and which are left alone, and tell staff it is in place. It also gives you the ability to keep an eye on visitors: anyone who is given the wifi key can be monitored and restricted in where they go.
The best until last: the Intrusion Detection System analyses connection attempts and works out whether they are hackers or not.
So it is first come first served 7 day trial. If a Firewall and IDS will work for you the reports will say so – it’s an evidence based trial.
Windows 10 upgrade ends in July 2016
The deadline is coming up pretty soon. For home users it was a very easy decision: you could decide whether to upgrade to Windows 10 if it looked like an operating system you could use. For business users it was very different.
Windows 10 has been adopted by businesses a lot more slowly, and for good reason. Businesses have a lot of “mission critical” applications that have to work with Windows 10, and if they do not it would be unwise to upgrade. More than that, there are still third-party software vendors that don’t support Windows 10 yet. That could be a deal breaker for you, but finding out isn’t that difficult: all you need to do is a software audit.
However, if you don’t upgrade now you will have to pay for the pleasure after July 2016, and you will get nothing extra for the money. Windows 7 support will come to an end (just like Windows XP) and you will then have to upgrade to Windows 10 anyway. That is only about four years away.
I’ve used Windows 10 ever since it came out, I have it on my laptop and I have it on my mobile phone – I think it is a great system and it works well.
Teslacrypt publishes encryption key
This is the most peculiar announcement I have ever seen.
A person or persons who released a deadly virus have then said sorry and released the key!
The makers of TeslaCrypt, which inflicted misery on thousands of people all over the world by spreading the infection and then demanding a ransom payment, have said “sorry” and handed over the master decryption key.
That will be little comfort to the thousands of people who have lost their data and maybe even their businesses. It is likely that those who lost their data have already deleted their encrypted files too. If you did keep them, a free decryptor built on the released key has been published by ESET, so it is worth trying before giving up on those files.
That does not mean that encryption viruses have had their day, far from it. The latest, called Locky, is the most devastating virus we have come across and there is no way back from it. I would not expect a key for that one to be released.
Pwned? Have your personal details been stolen?
How would you even know if you have been pwned?
There is a lot of scary computer stories going on at the moment. In fact there are so many stories that the tendency is to ignore them.
Now you might be able to find out for sure.
Adobe got hacked and some 152 million accounts got into the hands of criminals.
Ashley Madison was compromised. That was the website in the news because it listed married men and women who were on the site to have extra-marital affairs. A total of 30 million people were on that list.
Mate1 was 27 million, 000webhost 13 million, R2Games 13 million, Gamigo 8 million, Lifeboat 7 million and VTech 4.8 million accounts.
The one that is very interesting, because of the way the data was used, is the TalkTalk breach. Criminal gangs are sending out emails and, to add a massive amount of credibility, they include your own home address in the email!
Imagine getting an email with your home address in it. You may well believe that one to be genuine; after all, how would they know your home address?
There are a few services that will tell you whether your details have turned up in a breach. I personally would look no further than the widely respected https://www.haveibeenpwned.com.
There is no charge to do this.
The site was started by Troy Hunt. Troy is a Microsoft Regional Director and MVP awardee (Most Valuable professional). He is also an international speaker and author of many security courses on Pluralsight.
Just enter your email address and it will be checked against a regularly updated database of known security breaches. The results are displayed within seconds, showing each breach your address appeared in, along with the site or service concerned and what kinds of data were exposed.
All the website needs is your email address; it will not ask for any passwords, and you should be suspicious of any site that does.
I checked my email addresses and I am on at least one of these lists. (the adobe one).
So what should you do if you have been pwned?
Assuming you try this for yourself and are unfortunate enough that a breach is detected, you will quite quickly want to log in to that site or service and change the password in question.
I’d also recommend doing the same for any other site or service where the same password has been used, because that is exactly where the criminals will try it next.
I would also check the domain part. You can enter your company’s entire domain to see whether any of its addresses have appeared in a breach; the site asks you to prove you control the domain first, so that the results cannot be used to snoop on someone else’s staff.
In summary then.
Yes, there are some scare stories out there about computer security but here is one example of getting some facts for you personally. I hope you find it useful.
Quicktime for Windows end of life could cause you some real problems.
A lot has been said about QuickTime for Windows just recently in the IT press. It is interesting that it is an Apple program causing a security issue on Windows PCs. If you haven’t heard, Apple has decided to stop security updates for QuickTime for Windows.
Read on for the trouble it has caused and how it affects you.
We have some advice for you.
We therefore advise that you remove QuickTime for Windows asap. Even if you have a need for the program we have a great workaround for you.
Sadly, Apple decided to withdraw their support in February 2016 by abandoning security updates for the program, but they didn’t tell anyone that they were planning to do this. The news became public through a security software company’s advisory. Worse than that, Apple are still allowing downloads of the program knowing that it is a security risk. Vulnerabilities in it have already been publicly disclosed that will now never be patched, and unpatched software with a known hole is exactly what virus writers go looking for.
It is as if Apple want Windows users to have virus problems.
Apple have previous for this and acted in a similar way when they decided to withdraw security updates for Safari for Windows their Internet browser.
Even the US government, through US-CERT, is advising everyone to uninstall it. While that seems a strange thing for a government to do, software with known vulnerabilities is often a source of infection and crime.
Users are exposed right now if they browse with the QuickTime plug-in enabled in Internet Explorer or Mozilla Firefox, because a malicious web page can then hand QuickTime a crafted file without the user ever choosing to open one. Those problems will only get worse as the virus writers work out additional and cleverer ways of exploiting it.
That is, advice for customers that DO NOT have our latest Bytesafe services because the advice is different for our Bytesafe customers.
Our Bytesafe customers will have Quicktime for Windows automatically uninstalled and a safe replacement installed. No other intervention is required, no discussion needs to take place.
The reason is that all of our Bytesafe products have a feature which scans your computer for programs that need updating. That is not major programs like Photoshop but programs like Java and Adobe Flash. These programs are updated to the latest version and then the latest security patches are applied.
It is this feature that we can ask to uninstall a program and to install the K-Lite Codec Pack for you. We have tested this process and it works like a dream.
For everyone else (not Bytesafe users), open Programs and Features in the Control Panel, select QuickTime for Windows and uninstall it. Afterwards, check the list again to confirm it is gone.
If you needed QuickTime to play videos such as MP4 files and there is no way around it, we suggest that you use the K-Lite Codec Pack, and that you install it via the Ninite website so that you can be sure you get the genuine program.
LOCKY Update (Main LOCKY article is after this update)
We said it could happen. (I’m presuming that you have read the main article )
We just didn’t think it would be so quick. You will remember that we installed a script that automatically shuts down a server’s ability to share files, making them impossible for the LOCKY virus to infect.
Boy are we glad we did what we did.
You may remember it was just 2 weeks ago that I told you about a script that we had installed on your server.
I wonder if people think that we were going over the top? After all the whole blog was in excess of 2000 words, we had graphics, we had a list of instructions on how to combat it and even had a video on the subject. It took us an entire day to prepare the material.
Were we over the top?
Do you know what has happened since?
Having a dangerous virus is bad.
Having one that can infect with such ease is really bad.
This particular virus is a nightmare just waiting to happen and it kept us awake at night. In fact, I can confirm that we wrote the script based on the fact that we were so worried about our customer networks. It means we can sleep at night knowing that we have done all we can to prevent this virus from impacting on our customer’s networks.
So what happened for me to update this blog?
THIS IS WHAT HAPPENED
Our Bytesafe Server Vault script caught a virus dead in its tracks.
Just exactly as we had outlined.
It happened to one of our customers, and the person whose “fault” it was had been tricked into opening an attachment.
I say “fault” because it is easy to get fooled; she was waiting for a document just like the one that was attached.
When she opened the attachment nothing seemed to happen and she thought nothing of it.
Meanwhile the virus went about its business in a systematic way, infecting and destroying data on the workstation. It later reached the server and was halted in its tracks.
But not before it destroyed 12 files.
After that the game was up.
Bytesafe Server Vault script stopped sharing the data and nothing more could be infected. We got the 12 files back from the backup.
We contacted the customer because the customer was unaware that anything had happened. We got notified from our system which monitors all the servers that we look after.
I am not surprised that the lady in question opened the file. It was completely related to her job.
Nothing in this part of the blog encourages paying the ransom for the encryption key. I do not even know whether the key would be provided or whether it would even work. What I do know is that the people asking for the ransom were asking for Bitcoin.
Bitcoin transactions are recorded on a public ledger, but they are not tied to a name, which makes it hard to trace a payment back to a person; for some reason, though, the ransom demand has now turned to iTunes vouchers and Amazon vouchers. I would imagine that anyone wanting to spend a lot on Amazon with Bitcoins would be flagged as a possible criminal.
So, the script that we deployed took just 2 weeks to catch the virus and stop it dead in its tracks.
Now for the main article.
LOCKY ENCRYPTION VIRUS – from today your server is being protected from this deadly virus. (Bytesafe customers)
LOCKY is a powerful virus. We are pleased to announce an additional security measure that we have already rolled out to all Windows-based servers covered by a ByteSafe Silver, Gold or Platinum agreement, at no additional cost.
Read on if you want to know how to deal with the virus.
The script was put together from commands gathered from the internet community, hand-coded into a PowerShell script, then tested and deployed by Systems & Solutions.
This PowerShell script protects servers from the Locky virus and others.
We will give this script to others, including IT support companies to use upon request.
This new system, which we are dubbing the “Bytesafe Server Vault”, actively monitors a server and all its shared folders for the presence of files or file types commonly associated with known strains of ransomware (e.g. CryptoLocker, CryptoWall etc.). In the event that a known file or file type is detected, all access to shared files and folders is removed before the virus has a chance to do any real damage. Then, once the infected computer has been safely removed from the network, access to shared files and folders can be restored while said PC is carted off for disinfection or wiping and reloading.
Ransomware is software that demands payment to reverse the damage it does, and it is very profitable for the criminals who write it.
Ransomware tends to be polymorphic by nature
This means that each copy is rebuilt with slight differences, so that signature-based antivirus software often fails to recognise it. Once infection has been achieved the virus works away in the background. It encrypts your important files (pictures, documents, spreadsheets etc.) and, once it has finished, holds those files to ransom, demanding your hard-earned cash in return for the decryption key required to unlock them.
Locky will also work its way through all network files and folders
If the affected computer is connected to a network, it will work its way through every network file and folder the logged-on user can write to. It does this quickly, and the damage is devastating.
During March 2016 we got to learn a lot about a new strain which goes by the name of “Locky” (yes, the same virus that hit the three hospitals in the States). Two of our customers were hit, and in both cases we were able to restore all encrypted files from backups because we had an hourly backup regime. Things could have been a whole lot worse. While we were able to neutralise the threat and clear up the damage it left behind, it was nonetheless disruptive and costly to the customer in terms of time.
We began looking into new ways in which we could prevent these attacks from occurring in the first place. By the following week “Bytesafe Server Vault” had been created, from commands found on the internet put together into a PowerShell script.
Bytesafe Server Vault waits and checks for files created by the LOCKY virus and others. When it finds one, it shuts down the server’s ability to share files. This means that the damage is minimal and the disruption to the business is negligible. We tested it on our own systems before deploying it to all our customers’ servers. One problem we had was that our monitoring system tried to automatically restart the service. We changed the script to disable the service as well as stop it, which means the lockdown survives both the monitoring system and a reboot.
It is important to note that the best protection from viruses and other internet-borne threats is a layered approach, with Bytesafe Server Vault as the final layer.
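To make the mechanism concrete, here is an added example written for this page. It is not the Bytesafe Server Vault script (which Systems & Solutions share on request) but a minimal tripwire in the same spirit: watch the folders behind the shares, and the moment a file appears whose name matches a known ransomware artefact, disable and stop the Server service so nothing more can be reached over the network. It assumes it runs elevated (for instance as SYSTEM from a scheduled task that starts at boot), that the paths in $ShareRoots are the local folders behind your shares, and that the indicator list is a constructed starting point to be extended with the strains you see.

```powershell
# Added example: a share tripwire in the spirit of the Server Vault idea (not the company's script).
# Assumptions: runs elevated; $ShareRoots are the local paths behind your shares;
# $Indicators is a constructed starter list of encrypted-file extensions and ransom-note names.

$ShareRoots = @('D:\Shares\Company', 'D:\Shares\Users')      # assumed paths
$Indicators = @('*.locky', '*.encrypted', '*.crypt',          # encrypted-file extensions
                '_Locky_recover_instructions*', 'HELP_DECRYPT*', 'DECRYPT_INSTRUCTION*')  # ransom notes
$Source     = 'ShareVault'                                    # event log source name (assumed)

# One-off registration of the event source, so the lockdown is visible in the Application log
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

function Test-Indicator {
    param([string]$Name)
    foreach ($pattern in $Indicators) { if ($Name -like $pattern) { return $true } }
    return $false
}

function Invoke-ShareLockdown {
    param([string]$Trigger)
    # Disable FIRST, then stop. A monitoring agent that auto-restarts stopped services, or a reboot,
    # would otherwise quietly re-open the shares while the infected PC is still on the LAN.
    Set-Service -Name LanmanServer -StartupType Disabled
    Stop-Service -Name LanmanServer -Force          # -Force also stops services that depend on it
    Write-EventLog -LogName Application -Source $Source -EntryType Error -EventId 9001 -Message (
        "Ransomware indicator '$Trigger' seen on a share. File sharing (LanmanServer) stopped and disabled. " +
        "Isolate the client, then re-enable with: Set-Service LanmanServer -StartupType Automatic; Start-Service LanmanServer")
}

# One watcher per share root; we only care about names (new files and renames), not content changes
$watchers = foreach ($root in $ShareRoots) {
    $w = New-Object System.IO.FileSystemWatcher -ArgumentList $root
    $w.IncludeSubdirectories = $true
    $w.NotifyFilter = [System.IO.NotifyFilters]::FileName
    $w
}

# Synchronous polling of each watcher avoids the variable-scoping traps of event action blocks.
# A rename reports the NEW name, which is what a Locky ".locky" rename produces.
$changes = [System.IO.WatcherChangeTypes]'Created, Renamed'
while ($true) {
    foreach ($w in $watchers) {
        $r = $w.WaitForChanged($changes, 500)      # 500 ms timeout, then move to the next root
        if (-not $r.TimedOut -and (Test-Indicator -Name (Split-Path -Path $r.Name -Leaf))) {
            Invoke-ShareLockdown -Trigger (Join-Path -Path $w.Path -ChildPath $r.Name)
            return                                   # job done; a human decides when sharing comes back
        }
    }
}
```

Two checks before trusting something like this: create a harmless empty file called test.locky on a share from a workstation and confirm that the shares vanish and the event appears in the Application log, and then practise the recovery command from the event message so the on-call engineer is not reading it for the first time at 3 a.m. Do not deploy it unthinkingly on a domain controller, where stopping the Server service also takes down the SYSVOL and NETLOGON shares that logons depend on. The matching on names is deliberately cheap: in a real attack thousands of renames arrive within seconds and one hit is enough.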
Head of Tech Support
We will share the PowerShell script with anyone who requests it. Here is our suggested approach should anyone detect the .LOCKY virus on your network server:
Solving the LOCKY virus on a large network
1. Find out that files are being renamed to .LOCKY
2. Get the customer to disconnect the network (power down the switch or hub)
3. Get onsite and get onto the server
4. Look at the properties of a .locky file; find out which user changed the files and at what time
5. Check others in case the times are vastly different
6. Identify that user’s machine
7. Start that machine up, disconnected from the network
8. Identify the email that came in around that time
9. Confirm the time you need to work from
10. Turn the network switch back on
11. Restore files from backup, selecting all files that have changed or are new since the infection time
12. Re-image the workstation; don’t bother trying to cleanse the virus
You are generally going to get a call from a customer saying that they have discovered some strange files and that their own files have disappeared.
You need to stop the infection spreading all over the network, and I suggest you do this by turning off the network switches or hubs. They will probably be in the data cabinet; just power them down. That means there is no communication between computers.
You can only do this by getting onsite; remote access is no good now. Infection can spread to any open share on the network. If shares are tightly managed you may have no real problem, but be on the safe side and pull the plug on the network switch. This is an urgent issue and a “4 hour” response time will not be good enough in these circumstances.
Find the affected shares on the server and check the properties of the infected files. They will have been modified by a particular user, and the file owner will be that user’s account. Note the time they were modified. Check more files to see whether more than one workstation is infecting them.
If the times are vastly different you could be looking for an additional machine or two that is also infecting, but that would be unusual.
You should be able to identify which machine that user was using. I had a confusing situation when I found out that the same user was logged on to two different machines.
Points 7, 8 and 9
Check the machine that is infecting the files, go into Outlook and work out which email caused the damage, and check that the times match. You can also run some anti-virus tools that will detect and kill the process Locky is using.
It is then safe to turn the network switch back on. The network will operate normally, but you may have to reboot the workstations.
You have to restore the files from backup. The easiest way is to find the most recent backup taken before the infection time, mount it on the server and then xcopy the files back, selecting only missing files or files changed since that time. That means you only restore the damaged files rather than overwriting files you don’t need to, and it is quicker too.
Over time it may be possible to cleanse this nasty virus from a workstation and for it not to come back. My advice would be to re-image it and start afresh. The virus writers are very clever and the virus changes regularly; you do not need to take a risk when you can simply re-image.
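The server-side steps above (find the .locky files, work out which user and when, then restore only what was damaged) can be scripted. The following is an added example written for this page, not the company’s own tooling. It assumes $Share is the affected share’s local path on the server, that the last backup taken before the infection time has been mounted as a folder with the same layout at $Backup, and that the extension and ransom-note names are a constructed list to extend for other strains.

```powershell
# Added example: triage and selective restore after a Locky-style infection (not the company's script).
# Assumptions: $Share is the share's local path; $Backup is a mounted pre-infection backup with the
# same folder layout; extension/ransom-note names are a constructed list.

function Get-RansomwareTriage {
    param([string]$Share, [string[]]$Extensions = @('.locky'))
    # Steps 4-6: every encrypted file, which account wrote it (the file owner) and when
    $hits = Get-ChildItem -Path $Share -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.FullName
                Owner = (Get-Acl -LiteralPath $_.FullName).Owner
                Time  = $_.LastWriteTime
            }
        }
    # One row per owner: a second owner with a very different time window means a second infected PC
    $hits | Group-Object -Property Owner | ForEach-Object {
        $sorted = $_.Group | Sort-Object -Property Time
        [pscustomobject]@{
            Owner = $_.Name
            Files = $_.Count
            First = $sorted[0].Time      # use this as the infection time when restoring
            Last  = $sorted[-1].Time
        }
    } | Sort-Object -Property First
}

function Get-SuspectClient {
    param([string]$User)
    # Which PC holds that user's SMB session (Server 2012 and later). Run this before the network is
    # pulled if you can; afterwards fall back to logon events (ID 4624) in the server's Security log.
    Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { $_.ClientUserName -like "*\$User" } |
        Select-Object -Property ClientUserName, ClientComputerName, NumOpens
}

function Restore-DamagedFiles {
    param(
        [string]$Share,
        [string]$Backup,
        [datetime]$InfectionTime,
        [switch]$WhatIf              # dry run first: lists what would be copied without copying
    )
    $root = $Backup.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        $rel  = $_.FullName.Substring($root.Length + 1)
        $live = Join-Path -Path $Share -ChildPath $rel
        # Step 11: only files that are missing (renamed to .locky) or written after the infection began,
        # so untouched files are not overwritten with an older copy
        if (-not (Test-Path -LiteralPath $live) -or (Get-Item -LiteralPath $live).LastWriteTime -ge $InfectionTime) {
            New-Item -ItemType Directory -Path (Split-Path -Path $live -Parent) -Force -WhatIf:$WhatIf | Out-Null
            Copy-Item -LiteralPath $_.FullName -Destination $live -Force -WhatIf:$WhatIf
            $rel                                                   # report what was (or would be) restored
        }
    }
}

function Remove-EncryptedLeftovers {
    param([string]$Share, [string[]]$Extensions = @('.locky'), [switch]$WhatIf)
    # After restoring, clear the encrypted copies and ransom notes so the next hourly backup does not keep them
    Get-ChildItem -Path $Share -Recurse -File |
        Where-Object { $Extensions -contains $_.Extension.ToLower() -or $_.Name -like '_Locky_recover_instructions*' } |
        Remove-Item -Force -WhatIf:$WhatIf
}

# Usage on the server (paths and user name assumed):
# Get-RansomwareTriage -Share 'D:\Shares\Company' | Format-Table
# Get-SuspectClient -User 'jsmith'
# Restore-DamagedFiles -Share 'D:\Shares\Company' -Backup 'E:\Backup\Hourly\Company' -InfectionTime '2016-03-14 10:42' -WhatIf
```

Run the restore with -WhatIf first and read the list: if it is far longer than the number of .locky files found in triage, the infection time is wrong or the backup is not the one from before the attack. Only once the dry run looks right should you run it for real and then clear the leftovers.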
Please watch the video on the subject:
There are 5 measures you should already have in place
- Mail filtering, so you don’t receive the emails carrying the virus
- Up-to-date Office software, so you don’t run the macro code in the Word attachment
- Free LOCKY protection available from Bitdefender.com
- The Bytesafe Server Vault script
- Hourly local backups, then copied to the cloud
Mail filtering costs money every month and it is worth it. Stopping the virus from entering your system in the first place means your staff don’t have to be so on their guard. The social engineering the virus writers use is proven to work, so don’t take the risk.
From Word 2010 onwards, attachments that arrive by email open in Protected View, and a macro cannot run until the user clicks “Enable Editing” and then “Enable Content”. Microsoft put this in place some time ago as an extra safety feature precisely so that code hidden in a document cannot run just by opening it. I do remember customers complaining about it! Keep Office updated and leave those prompts in place; treat any document that asks you to enable content as suspect.
This software is free to install on workstations and it is a good idea to deploy it: https://labs.bitdefender.com/2016/03/combination-crypto-ransomware-vaccine-released/
Run the Bytesafe Server Vault script on your server and then run the “updater” script.
Invest in hourly backups and have them synchronised to the cloud or off premises, and test a restore from them before you need one for real.
The virus writers are always going to be a threat, and one day even hourly backups may not be enough. Data loss may still be possible even with all these measures, but together they give you the maximum protection available now.
Best Antivirus software
Back in June we took an in depth look at the cryptolocker virus. If you missed that then you can check it out by following this link. It is worth taking a look at as cryptolocker is one of the most serious viruses we’ve come across in a while.
This article is going to take a broader view of the different types of virus going about. We’ve also come up with some specific examples of ones doing the rounds at the moment. Not only do you need the best antivirus software (such as Bytesafe Managed Antivirus software) but also the services that go with our Bytesafe Gold service contracts.
Cryptolocker (ransomware)
We have covered this one in depth and the full article can be found here. Here is a quick rundown on Cryptolocker and the class of viruses called ransomware:
- Ransomware will lock you out of either your data or your computer – in the case of Cryptolocker it will encrypt pretty much anything it can see and has access to (so network drives, external drives, etc.)
- In most cases ransomware can be difficult to cleanse from a system, as most do a good job of locking you out of the operating system – Cryptolocker is easy to cleanse, but the damage it does is permanent; to put it simply, you will not be able to break the encryption
- They will ask for a fee to unlock your computer, and upon paying, many of them do not actually unlock it! It was widely reported that Cryptolocker bucked that trend by actually decrypting the files held to ransom; I still wouldn’t advise paying them
- Ransomware undergoes constant development to thwart both detection and removal, as it is a very lucrative marketplace – it is estimated that between September and October 2013 Cryptolocker made $27 million!
There are methods by which we can stop the Cryptolocker virus from actually delivering its payload, which we put into place for our ByteSafe customers. This is probably the most dangerous virus we have dealt with in the last 5 years, and it is certainly not a good idea to cross your fingers and hope that you are OK.
Flash Player Update (drive by download)
A drive-by download is actually a method of attack as opposed to an actual virus. I’ve included this one as we’ve seen it in quite a few cases recently. We suspect it was responsible for a Cryptolocker variant (Cryptowall) being downloaded. Here are the things you need to know:
- You will get a pop up that tells you Adobe Flash Player needs to update
- If you confirm the message you will download a virus
- This message may come from a perfectly legitimate website that has been compromised
- If you do get this message pop up whilst browsing the Internet, close the page down; this should avert any downloads, though you’d be well advised to contact us to take a look at your computer – just running a virus scan is not enough
Browser hijackers are designed to generate revenue by directing traffic to certain websites. They do this either by changing your search results or by redirecting your browser to a different website. There are plenty to choose from, and they appear innocuous enough, which is why they work so well. If you have noticed one of these in place of your normal homepage, or have the following installed as a toolbar: Inbox, Babylon toolbar or Conduit Search (to name but a few), then you’ve been had and you need to get rid of it.
Technically they all fall into a category of programmes known as potentially unwanted programmes (or PUPs for short). They aren’t exactly viruses, but you don’t really want them installed on your computer. These types of programmes do the following:
- Change your default search engine to use their own custom one
- Change your search results to favour results they get paid for generating clicks for
- Cause pop-up windows to open up advertising stuff they get paid for
- They also have the potential to report on your browsing habits (e.g. what sites you’ve been on) and generally compromise your security and privacy
They commonly get installed along with free programmes and, maliciously enough, games aimed at children. They are often how the developer of the programme gets paid. More than anything else they are a real privacy concern. These are one of the most common types of “virus” we see on domestic users’ machines.
The best antivirus software will also detect adware programmes, which are very similar in their aims and methodology to browser hijackers. You will tend to get these bundled with free software. These tend to be programmes that you install on your computer rather than modifications to your search engine settings, though they can also do that. Examples of adware programmes are: OpenCandy, Babylon toolbar, Registry Reviver, iLivid and Facemoods toolbar (not an exhaustive list). As with browser hijackers you can expect roughly the same sort of things to happen with adware:
- They will open up pop-ups whilst you are browsing
- They can spy on your browsing habits
- They will often come with free programmes – so be wary of what you are downloading
- Often they will be a programme installed on your computer rather than just a browser modification
As with browser hijackers, your privacy is the main thing under threat here.
Even the best antivirus software needs help: all of your software needs to be kept up to date.
Windows Internet Guard and Variants (Rogue AV Software)
“Oh no! You’ve got lots of infected files and viruses (1000’s in fact); fortunately for you Windows Internet Guard will get rid of them all, and all for the low price of $99.90!” Unfortunately the only problem you have is Windows Internet Guard. Windows Internet Guard is a type of virus called a rogue anti-virus programme. It looks like the real deal, reporting lots of problems back to you; however it is the real infection, and paying won’t cure the problem (bet that comes as a surprise!). What you need to know about rogue antivirus software:
- They are all doom and gloom: you’ll normally have 1000’s of problems to sort out and a very short space of time in which to do it
- They will always ask for a fee
- They often disable or damage your current anti-virus software and render it useless
- They can be a real swine to get rid of, and quite often lock you out of the computer as they keep popping up
ZeuS (Trojan horse)
Featured in the media recently was a report about the GameOver Zeus botnet. This botnet was based on a Trojan called the ZeuS Trojan. Trojans are a subcategory of computer virus that develop very rapidly; as a result of that rapid development, detections are generally done on a comparison basis, e.g. “it looks like such and such a Trojan”. The best antivirus software detects Trojans, and they tend to have very catchy names like TR/Patched.Ren.Gen and Win32/Pyrtomsop.A (bet you won’t forget those in a hurry). These types of virus are used to control your PC. They are very discreet and tend to be used to get further viruses onto your computer. These are the things you need to know about Trojans:
- They change very rapidly, so it is hard for the best antivirus software to keep up with new strains; because of this they are often used as the first line of infection
- By themselves they are not destructive, however they are used to “call home” and download further viruses on to your computer
- They may be used to soften your system’s security settings, allowing more destructive viruses onto your system
- They can be used to mine personal data e.g. credit card and banking information
They tend to be the key component of what is called a botnet. We won’t go into too much detail in this article about botnets, but essentially a botnet is a network of infected computers. The attacker is able to control the network to carry out their bidding (e.g. spamming, attacking other networks; the list goes on), all without the infected parties’ knowledge.
This classification of virus is pretty serious. Rootkits are much like Trojans in that they tend to be the first wave of an attack, and the two are often coupled together for maximum effect. A rootkit is designed to give an attacker administrative rights on a target device – thus giving the attacker full control over the machine they have infected. They are also used to hide other viruses on your system. The things to know about rootkits:
- They are difficult to detect, routine virus scans are unlikely to detect rootkits – specialist software normally needs to be employed to detect them
- They are very difficult to remove, sometimes the best option is to reinstall the operating system – all things are removable but you have to question at what cost
- A subcategory of rootkits known as bootkits can be used to reinstall viruses after they have been removed, once the computer has either restarted or been turned off and back on again
- Finally some good news for you, rootkits account for a very low percentage of malware found on computers, phew!
Hopefully, armed with this information, you’ll be able to identify something that is either already on your system or trying to get in. If you are concerned about any of the points we have raised please feel free to contact us. We live in an age where computer viruses are potentially very destructive. Even with the best antivirus software you are still vulnerable. Even with the best antivirus software you could still lose data. Even with the best antivirus software some of our customers lost data!
“What’s All the Fuss About? – best antivirus”
There’s been a lot in the news recently about computer viruses and the best antivirus. As per usual it was served up with the suitable amount of media hyperbole, so you’d be forgiven for thinking that your computer was about to turn into a molten pool of metal and that we were about to descend into the dark ages!
One good thing that all this hype has done is to bring the whole subject of viruses / the best antivirus and cybercrime front and centre. Cybercrime and security are a massive issue these days, especially in the world of business. In a recent report by McAfee and the Center for Strategic and International Studies it was estimated that cybercrime cost the global economy £265bn, although we are not saying that McAfee is the best antivirus. More staggering is the number of businesses that are affected: in the UK 97% of large businesses and 87% of small businesses reported a breach in 2013. I work in IT and see it day in, day out, and I find those numbers staggering. So it is plain to see that cybercrime is both big business and a big issue for businesses large and small.
“It’s OK We Use the Best Antivirus”
If you think you’re being protected by that “best free antivirus” software you found on Google then think again. Not even the best antivirus is up to the job. The simple fact is that antivirus software is no longer enough to handle the problems of today. Believing you’re safe because you are using the “best” antivirus software is akin to believing that because you lock your front door you won’t be burgled. That may well be true, but if you keep leaving your bedroom window open someone is going to get in through there eventually! That is what you are doing with your computer, you are leaving a metaphorical window open for someone to get through.
“Batten Down The Hatches!”
- Out of date software
- Drive By Browser Attacks
- E-mail attachments and links
Unless you sort those 3 areas out even the best antivirus won’t protect you from those with ill intent.
“Out of Date Software?!”
Each and every time you click “ignore this update” you are setting yourself up for potential grief! The fact is that out-of-date software is probably the most heavily leveraged attack vector going, and is normally what the other 2 forms of attack rely upon to take hold of your system.
Out-of-date software allows viruses to execute even with the best antivirus software installed on a system. People (hackers) pull programmes apart to look for loopholes they can use; these are known as vulnerabilities. These holes allow viruses to run without even the best antivirus being able to detect them. If your antivirus can’t detect the threat it can’t stop the threat – so out-of-date software is going to allow a virus to run on your computer regardless of just how good your antivirus is.
“Drive by What?”
Drive-by browser attacks sound like something out of a US crime drama. The fact is they are becoming one of the most widely used forms of malware distribution, leveraging the out-of-date software on your computer to infect it. They render even the best antivirus software useless.
They work by the attacker gaining control of a website and then redirecting visitors to download a virus. The redirections are done quickly, and even at the slower end of broadband speeds you probably won’t notice anything. There are a few reasons for this attack rising in popularity:
- Drive-by browser attacks are less work. Pick a popular website and watch your victims come to you! One of the top websites responsible for malware distribution was ranked 18,204th in the world in terms of popularity – that equates to over 1 million visitors in the last 30 days!
- Drive-by browser attacks are discreet; it is not at all obvious that a website has been infected, and in fact it may continue to function as normal. As a user you don’t really know what danger you are heading into
- Drive-by browser attacks only require that you visit a website. You don’t need to click on anything or tell something to install; simply browsing to the website is enough to infect your computer
“Don’t Click on that Link!”
E-mail is still a common method of infecting computers. Once again these attacks will utilise the out-of-date software on your computer (do you now see the error of your ways in clicking “later”?). Pulling some statistics off our mail filtering service (nothing like some home-grown statistics!), you can tell it is still a popular form of attack. For a frame of reference, we filter 86 mailboxes:
- Between 24/06 and 30/06 those mailboxes received 10,179 e-mails. Only 33.9% were legitimate, 3.3% were viruses
- Between 13/04 and 29/06 those mailboxes received 133,221 e-mails. Only 19.5% were legitimate! 5% were viruses
- Between July 2013 and June 2014 those mailboxes received 423,259 e-mails. Only 25.5% were legitimate. 4.1% were viruses
Those statistics are pretty interesting (honestly they are!). All in all they show that people still use e-mail to send viruses, and that between 3% and 5% get past the first level of filtering and would have ended up in a user’s mailbox. Based on the Cryptolocker virus going about at the moment, that is about 3-5% more than I’d like to chance! Some of the best antivirus software will then weed out e-mails, but don’t count on it, especially if the attack is through out-of-date software on your computer. It also tends to be one of the features missing from even the best free antivirus software, so make sure you double check to see if you’re protected. Just be aware that if you want the best level of protection then a proper mail filtering service is the way to go.
If you are just using antivirus software (you know, the best free antivirus you found from a Google search) you need to rethink how to defend your computers and your network. The more computers and people you throw into the equation, the more vulnerable you are to these types of threat.
We believe we have a solution to this problem. A solution that is designed around the types of threat present around the web today. Follow this link to see more about ByteSafe Gold and find out how its multi-layered approach is designed around providing the best defence against the modern threats of today.
Stay tuned for the next instalment on the types of virus doing the rounds at the moment.
Police Message virus
We first brought your attention to the Police Message virus back in October 2012 and since then it has come back time and time again on the computers that are brought into us to have a virus cleanse.
So you know what you are up against (and for those who are fortunate enough not to have come across it yet), the gist of the Police Message virus is that you get a warning (that locks your computer) claiming to be from a particular police authority, informing you that your computer has been found to have been used for a list of unsavoury tasks; though as it’s your first infringement they’ll let you off with a fine. Until you’ve paid the fine your computer will remain locked.
Well it seems to be back, and back with a vengeance. Last year it was a bit of a scare for people, but after that, for those with any technical ability, it was a pretty straightforward virus to get rid of. This time round it is a different beast altogether. Those with the least to worry about are those using Windows Vista, Windows 7, 8 and Windows 10, as the fix is (generally speaking) still quite straightforward. Those with XP would seem to have a real problem on their hands though, because if you get infected then the chances are the operating system will need to be reinstalled.
So to help you all to keep your guard up we have developed this guide on how best to defend yourself against this virus in our blog about the
We have known of people who have paid the money thinking it was genuine. This leads to further problems with the safety of the credit card used to pay the ransom. There are no circumstances under which you should pay a ransom when you see a message like this.