Tuesday, 27 July 2010

Rosti 878, Malware 1

So after over two years of having my laptop (since April 19th, 2008) without anything more troublesome than a tracking cookie, I got hit by a virus last night. I'll accept that I've probably had it coming. Given that I spend more time on the internet than can possibly be healthy, and that I go to my fair share of porn sites and the like, I reckon I've done pretty well to avoid them for so long. There's also the fact that I have pretty much all the anti-virus software that's installed on my laptop turned off, and I rely on the scanning function rather than the real-time protection against stuff, because I like my computer not to be slowed down by shit I don't need for approximately 355.5 days of the year.

What pissed me off more was that I wasn't watching porn. I wasn't on any dodgy sites. I was surfing through some stuff, clicked a link to a generic image hosting page filled with ads, and got hit by it. I know two people who have apparently got the same virus from ThePirateBay as well this week, which would imply it's not a virus that's hard to pick up.

It also meant I knew what was coming. The splash screen for Java randomly started up, which is what had been described, so I killed Java as fast as I could. If I'd really been smart I would have just flicked the switch on the side of my laptop that turns the wifi off and that would probably have been it. But I didn't, and I didn't close Java in time, so a minute or so later I got all these fake notifications about my computer being infected (which it was, but it wasn't my standard AV software notifications) and this bullshit AntiVir crap started up and supposedly ran a scan of my computer.

I could do fuck all. I couldn't even get into the task manager because it would instantly bring up a notification about it being an infected program and kill the window. So I held down the power button until my laptop turned off, and then booted into safe mode. A quick snoop around msconfig and the stuff in Spybot S&D told me where the virus was; I deleted the files and came back into regular Windows.

Everything seemed OK, no more bullshit notifications. I open Firefox, and notice that my iGoogle homepage isn't working properly, and all the applet boxes have "Could not connect to proxy server" on them. I don't use a proxy. I go into the Firefox settings, and it's configured to use one. Same for IE. Fuck.

I then get mildly paranoid, because I didn't really know what to do. I'm perfectly fine for hunting down and destroying viruses, but not so much for removing obscure traces of it when I'm not sure what it's done. If it hadn't been for the proxy not working, I wouldn't have noticed it was set up in the first place.
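A check for the proxy hijack described above, added here as an example and not code from the original post: it parses a Firefox prefs.js and the output of a `reg query` of the Internet Settings key that IE (and anything else using WinINet) reads its proxy from, and reports any proxy that is configured. The prefs.js contents, the registry dump and the 127.0.0.1:5555 proxy in them are constructed samples, not values from the author's machine.

```python
import re

# Constructed sample of a Firefox 3.x prefs.js after the kind of hijack the
# post describes (not the author's real file): HTTP traffic is being routed
# through a "proxy" on the local machine.
SAMPLE_PREFS_JS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com/ig");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 5555);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

# Constructed sample of the output of
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REG_QUERY = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=127.0.0.1:5555
    ProxyOverride    REG_SZ    <local>
'''

# prefs.js is one user_pref("key", value); per line, value being a quoted
# string, an integer or true/false. A string containing ');' would need a
# real parser; this is enough for triage.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$', re.M)
# reg query prints "    Name    REG_TYPE    data" for each value.
REG_LINE_RE = re.compile(r'^[ \t]+(\S+)[ \t]+(REG_\w+)[ \t]+(.*)$', re.M)

# Meaning of network.proxy.type in Firefox. 4 and 5 defer to WPAD or the
# system (WinINet) settings, which the registry check below covers.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "auto-detect", 5: "system"}


def parse_prefs_js(text):
    prefs = {}
    for key, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


def firefox_proxy_findings(prefs):
    """Describe any explicit proxy configuration in a parsed prefs.js."""
    ptype = prefs.get("network.proxy.type", 0)
    findings = []
    if ptype == 1:
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            if host:
                port = prefs.get(f"network.proxy.{scheme}_port")
                findings.append(f"Firefox manual {scheme} proxy: {host}:{port}")
    elif ptype == 2:
        findings.append(f"Firefox PAC URL: {prefs.get('network.proxy.autoconfig_url')}")
    return findings


def parse_reg_query(text):
    values = {}
    for name, rtype, data in REG_LINE_RE.findall(text):
        data = data.strip()
        values[name] = int(data, 16) if rtype == "REG_DWORD" else data
    return values


def wininet_proxy_findings(values):
    """Describe the IE/WinINet proxy state from the Internet Settings key."""
    findings = []
    if values.get("ProxyEnable") == 1 and values.get("ProxyServer"):
        findings.append(f"IE/WinINet proxy enabled: {values['ProxyServer']}")
    if values.get("AutoConfigURL"):
        findings.append(f"IE/WinINet PAC URL: {values['AutoConfigURL']}")
    return findings


def proxy_triage(prefs_js_text, reg_query_text):
    """Run both checks; an empty list means no proxy is configured anywhere."""
    return (firefox_proxy_findings(parse_prefs_js(prefs_js_text))
            + wininet_proxy_findings(parse_reg_query(reg_query_text)))


if __name__ == "__main__":
    for finding in proxy_triage(SAMPLE_PREFS_JS, SAMPLE_REG_QUERY):
        print(finding)
```

On a real machine, feed it the prefs.js from the Firefox profile directory and the saved output of the `reg query` command in the comment; a proxy of 127.0.0.1 or an unknown host on a box that never had one configured is the thing to look for, since a rogue proxy can read or rewrite every page the browser loads.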

Missing the most obvious option for the second time in the evening, I ran various virus scans and fretted a lot about shit that it might have done. If I'd actually done the sensible thing and gone looking for info on it, I would have found this page and seen that I'd managed to pick up on all the crap that the virus had done. Also that the virus is more of a scam than something more subtly malicious, and that it hadn't stolen all my passwords or hidden a keylogger or anything like that. So my mind is now somewhat at ease, though I've currently not got Java installed on my computer as I uninstalled it last night.

One thing that I did discover while crapping myself over passwords and such was that Firefox doesn't actually encrypt any of the passwords it saves. I was actually slightly startled at how easy it is to uncover them. Options->Security->Saved Passwords->Show Passwords->OK is all you need to see all the saved passwords in the browser, unless they've set a master password (which isn't required by default, but I've sure as hell got one set now). Heck, there are even crappy plugins and programs that can extract them; it's hardly much of a stretch to think that a virus could do it and send the information on. Not that I've got anything massively dangerous for someone to gain the password to, but there's plenty of things I wouldn't want passwords to be leaked for (Facebook, site ACPs, FTP passwords, Amazon, etc).

And as a final point, something from my Spybot Search & Destroy logs:

26/07/2010 22:03:07 Allowed (based on user decision) value "fqofxfkb" (new data: "C:\Documents and Settings\Christopher\Local Settings\Application Data\cdwblhbay\lodmjbbtssd.exe") added in System Startup user entry!
26/07/2010 22:03:13 Allowed (based on user decision) value "fqofxfkb" (new data: "C:\Documents and Settings\Christopher\Local Settings\Application Data\cdwblhbay\lodmjbbtssd.exe") added in System Startup global entry!

Spybot S&D is a fucking fantastic program, but not so great when I've somehow turned off allow/deny alerts when something screws with the registry, and not turned it back on, and as a result it just stands and takes note when a virus embeds itself into my startup and registry, and does fucking diddly-squat about it.
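Triage of Spybot log lines like the two above, added as an example that is neither the author's nor Spybot's code: it parses the two quoted entries plus one constructed benign entry (a touchpad helper under Program Files), flags Run-key entries whose executable lives in a user-writable profile directory or whose value, directory or file names look machine-generated, and maps Spybot's "user"/"global" System Startup entries to the HKCU/HKLM Run keys. That key mapping and the consonant-run randomness test are assumptions of the example, not anything the post states.

```python
import re

# The first two lines are the Spybot S&D entries quoted in the post; the
# third is a constructed benign entry so the heuristics have something
# legitimate to leave alone.
SAMPLE_LOG = r'''
26/07/2010 22:03:07 Allowed (based on user decision) value "fqofxfkb" (new data: "C:\Documents and Settings\Christopher\Local Settings\Application Data\cdwblhbay\lodmjbbtssd.exe") added in System Startup user entry!
26/07/2010 22:03:13 Allowed (based on user decision) value "fqofxfkb" (new data: "C:\Documents and Settings\Christopher\Local Settings\Application Data\cdwblhbay\lodmjbbtssd.exe") added in System Startup global entry!
26/07/2010 22:05:40 Allowed (based on user decision) value "SynTPEnh" (new data: "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe") added in System Startup global entry!
'''

LINE_RE = re.compile(
    r'^(?P<when>\S+ \S+) (?P<verdict>\w+) \((?P<reason>[^)]*)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<path>[^"]*)"\) '
    r'added in System Startup (?P<scope>\w+) entry!$',
    re.M,
)

# Assumption: Spybot's "user" and "global" System Startup entries are the
# per-user and machine-wide Run keys. Adjust if your version labels differently.
RUN_KEYS = {
    "user": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "global": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Directories an unprivileged user (and so a drive-by payload) can write to,
# lower-cased XP and Vista+ spellings. Legitimate startup items rarely live here.
USER_WRITABLE = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\application data\\",
    "\\appdata\\",
    "\\temp\\",
)

VOWELS = set("aeiouy")


def parse_spybot_log(text):
    """One dict per parseable 'added in System Startup' line."""
    return [m.groupdict() for m in LINE_RE.finditer(text)]


def longest_consonant_run(name):
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(name, threshold=5):
    """Crude test: pronounceable names almost never chain five consonants."""
    return longest_consonant_run(name) >= threshold


def assess_entry(entry):
    """Return the list of reasons this startup entry looks suspicious."""
    path = entry["path"]
    parts = path.split("\\")
    file_name = parts[-1]
    parent = parts[-2] if len(parts) > 1 else ""
    reasons = []
    if any(s in path.lower() for s in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    if looks_random(entry["name"]):
        reasons.append(f"random-looking Run value name {entry['name']!r}")
    if looks_random(parent):
        reasons.append(f"random-looking directory name {parent!r}")
    if looks_random(file_name):
        reasons.append(f"random-looking file name {file_name!r}")
    return reasons


def flag_startup_entries(text, min_reasons=2):
    """Group log lines by (value name, path) and keep the suspicious groups."""
    hits = {}
    for entry in parse_spybot_log(text):
        key = (entry["name"], entry["path"])
        hit = hits.setdefault(key, {
            "name": entry["name"], "path": entry["path"],
            "scopes": [], "keys": [], "reasons": assess_entry(entry),
        })
        hit["scopes"].append(entry["scope"])
        hit["keys"].append(RUN_KEYS.get(entry["scope"], "?"))
    return [h for h in hits.values() if len(h["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for hit in flag_startup_entries(SAMPLE_LOG):
        print(f"{hit['name']} -> {hit['path']}")
        for key in hit["keys"]:
            print("  persisted in", key)
        for reason in hit["reasons"]:
            print("  -", reason)
```

The point of grouping is visible in the post's own lines: the same value was written to both the user and the global startup entry six seconds apart, so one payload gets two persistence points, and both Run keys need the value removed along with the file. The name heuristics are deliberately crude and will occasionally flag odd but legitimate vendor names, which is why a hit needs at least two reasons by default.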

