Ransomware

We’ve seen a recent rise in “ransomware” that infects and encrypts computers, then demands money for you to get your data back.

I reported back in March 2011 having seen ransomware demanding $200. Today, it is asking for $300 within 10 hours.

The name of the virus is CryptoLocker. The US Computer Emergency Readiness Team has a good write up on CryptoLocker.

To avoid this ransomware, we recommend using a Mac, which cannot be infected. Or just keep your PC antivirus up to date and avoid clicking on links in emails or on websites that you are unsure about.

Fake Websites

There are lots of fake websites out there designed to fool you into thinking they’re real. Sometimes they’re sites that you’re sent to because your system has been compromised, such as through DNS malware. Other times they’re just mistyped URLs. I recently typed “yourube” instead of “youtube” and got this:

First Real Malware for Mac

Flashback

Flashback is the first malware (malicious software or virus) for the Mac that people should worry about. It can infect computers through a vulnerability in Java. It’s estimated that 600,000 Macs have been infected, about 1% of Macs in use. Flashback collects personal information such as bank and login information. To see if your Mac is already infected, follow the instructions from Macworld.

Unlike with Windows PCs, this phenomenon is new to Macs. The closest previous infection I remember was when a torrent version of Apple iWork ’09 contained a trojan. But that only affected people who downloaded the pirated torrent. Flashback is far worse, since someone can get it just by visiting a website.

Protection

It’s easy to protect yourself against malware and viruses on a Mac. There is no need to buy anti-virus software, which doesn’t really help much on a Mac. Instead, take these steps, which deal with the Java and Flash exploits.

1. Perform Software Update

Apple’s updates automatically patch Java and remove Flashback. Open System Preferences and go to Software Update, Check Now.

2. Disable Java in any web browser you use

Safari
Go to the menu item:
Preferences -> Security -> Web Content
Uncheck Enable Java

Chrome
Go to the URL:
chrome://plugins/
Click Disable for Java

Firefox
Go to the menu item:
Tools -> Add-ons
Click on Plugins and click Disable for the Java Applet Plug-in

3. Install a Flash Blocker

My favorite is ClickToFlash, the Safari Extension which gives you access to Flash content if you click on the Flash window. This has the additional benefit of hiding annoying Flash ads.

Another tool I use is FlashFrozen, available for $0.99 through the Mac App Store. This handles all Flash running on your computer. It is especially useful for Mac laptops which can have their batteries quickly run down by errant Flash sites.


UPDATE: Oracle (the owners of Java) have released their own Java updates now. If you have Java installed on your system, you should get the latest Java SE Development Kit from here:
http://www.oracle.com/technetwork/java/javase/downloads/jdk-7u4-downloads-1591156.html
After installing, go to Utilities – Java Preference. From there, drag the latest Java to the top. As of this writing, that is Java SE 7. Uncheck the older Java versions. The next time you start a program that uses Java, it will now use the newer Oracle Java that has the latest security patches.

Removing a Virus

Viruses Abound

Every week I remove viruses from Windows computers. Here’s a common scenario:

Someone gets a fake alert like this and realizes that they have a virus.

When they call me, I tell them to turn off the computer. This is because a virus can continue to inflict more damage. It can install other viruses and even encrypt your hard drive to hold your data hostage to demand a $200 ransom. Turning off a computer stops whatever the virus is doing.

Use a Live Rescue CD

The first thing I do with the computer is boot into a Live CD to search for viruses. Typically the computer displays the key to press for boot options. It is usually one of these: F1, F2, F10, F12 or Del. The computer may already be set up to boot from a CD if one is present.

By booting into another operating system, you keep the virus from running, inflicting damage, and actively thwarting virus scans. The Live CDs I use include:

Lately, I have found Kaspersky Rescue Disk to be the most effective. This approach also works from a USB stick if the computer’s BIOS supports booting from USB.

Update Virus Definitions

Because new viruses come out all the time, it’s best to update the virus definitions first. This is done by connecting the computer to the Internet with an Ethernet cable, if your Live CD supports it.

Scan for Viruses

Kaspersky typically finds viruses like this, a trojan named Packed.Win32.Katusha.o.

Boot Computer and Fix Internet Redirects

Boot the computer, then check for a proxy setup in Internet Explorer’s Connection Settings. If there is one, disable it by changing to automatic settings. Similarly, check the IPv4 (TCP/IPv4) properties of your network connection. Often you will see something like this, which should be changed to automatic settings.

Install Microsoft Security Essentials

There are a lot of decent Antivirus programs, but I like Microsoft Security Essentials because it finds viruses, is lightweight, and is free without nagware.

Other Things To Do

If there are still problems, other things that can be done:

  • Install Malwarebytes Antimalware or other antivirus software if you still suspect problems. You should not typically run multiple antivirus programs at once.
  • Boot into Safe Mode (F8 key at computer startup) to make system changes if you suspect that there is still an active virus. Or try another Live Rescue CD.
  • Uninstall unused or virus-installed programs, available in Control Panel – Uninstall a Program.
  • Remove startup items from Programs – Startup folder. You can also remove startup items by typing msconfig into the Start or Run box.
  • Give up on the system. Wipe the hard drive and reinstall the operating system and programs. Sometimes this is the only remaining option if the operating system has been severely compromised. By pulling the drive and connecting it to another computer as a peripheral drive, you can back up the data first.
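As an added example (not from the original post), here is a read-only PowerShell script that lists the same places the "Boot Computer and Fix Internet Redirects" step and the startup-items bullet above have you check by hand: the Internet Explorer proxy, per-adapter DNS servers, hosts-file overrides, and the Run keys and Startup folders. It assumes Windows 8 or later for the Get-DnsClientServerAddress cmdlet and falls back to netsh on older systems; it changes nothing, so the fixes are still made as the post describes.

```powershell
# Added example, not part of the original post. Read-only inventory of the
# settings that redirect-type malware and startup persistence commonly change.
# Assumes Windows 8 / Server 2012 or later for Get-DnsClientServerAddress;
# older systems fall back to netsh. Run from an elevated PowerShell prompt.

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet

Write-Host '== WinINet (Internet Explorer) proxy =='
if ($p.ProxyEnable -eq 1) {
    Write-Host "WARNING: manual proxy is enabled -> $($p.ProxyServer)"
} else {
    Write-Host 'OK: no manual proxy'
}
if ($p.AutoConfigURL) {
    # A PAC script URL reroutes traffic just as silently as a fixed proxy does.
    Write-Host "WARNING: auto-config script is set -> $($p.AutoConfigURL)"
}

Write-Host "`n== IPv4 DNS servers per adapter (anything not from DHCP deserves a look) =="
try {
    Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction Stop |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { Write-Host ('{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ')) }
} catch {
    # Cmdlet missing on older Windows; netsh prints the same information.
    netsh interface ip show dns
}

Write-Host "`n== hosts file overrides (malware sometimes pins sites here) =="
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath | Where-Object { $_ -match '^\s*\d' -and $_ -notmatch 'localhost' }

Write-Host "`n== Run keys and Startup folders (common persistence locations) =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # Skip the PS* bookkeeping properties that Get-ItemProperty adds.
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            ForEach-Object { Write-Host ('{0}  {1} = {2}' -f $key, $_.Name, $_.Value) }
    }
}
Get-ChildItem ([Environment]::GetFolderPath('Startup')), ([Environment]::GetFolderPath('CommonStartup')) -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host $_.FullName }
```

Compare the output with a known-clean machine: a manual proxy, a PAC URL, DNS servers you did not configure, non-localhost hosts entries, or Run-key values pointing into user-writable folders are the items the post's cleanup steps would remove.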

Run Windows Update

By running Windows Update and installing all the service packs, you are applying security patches and reducing the likelihood of getting viruses in the future.

Conclusion

Viruses can be scary and destroy your data. These steps can help, but once you have a virus, there are no guarantees. An infected computer is owned by the virus folks.

Therefore, in addition to protecting your computer, you should have backups of your important files such as photos or financial documents. If you have sensitive data, it can be encrypted with TrueCrypt or other tools.

PC Malware Infections on the Rise

The Microsoft Security Intelligence Report (SIR) outlines PC security threats and is based on data captured by Microsoft. Here is a download link for the latest volume, covering the first half of 2010.

Much of the report covers recent botnets. Botnets start when a virus infects a computer, either through spam or an infected web page. The virus puts the Windows machine under the control of the botnet, typically run by criminal syndicates. The report explains how criminals use and share your information.

Viruses are on the rise. In the three months between April and June 2010, Microsoft cleaned up more than 6.5 million infections, twice as many as in the same period in 2009.

This chart shows the number of computers cleaned by Microsoft, listed by country.

This map illustrates the percentage of computers infected in particular regions. The infection rate was highest in South Korea where 14.6 out of every 1000 machines were found to be enrolled in botnets.

Stay Safe

As always, be sure to run Windows Updates and some form of Anti-virus. I prefer the free Microsoft Security Essentials, which I find to be just as effective but less of a memory hog than anti-virus by Symantec or McAfee.

Or you can just use a Mac which has had almost no threats. The only real-world attack that I know of for the Mac was a Trojan-infected version of Apple iWork that you would get from a pirated torrent download site. Besides that, the only Mac threats have been proof-of-concept attacks developed by researchers but never used.