
Thread: "So How Did I Get Infected In the First Place?"

1. #1 Corrine (Administrator, Microsoft MVP, Security Analyst; Upstate, NY)

"So How Did I Get Infected In the First Place?"


    (Updated from the original article by Tony Klein. See Note*)
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    You usually get infected because your security settings are too low.

    Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

    Safe Computing Practices

    1. Keep your Windows updated!

    It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer. Either enable Automatic Updates or get into the habit of checking for Windows updates regularly.

    Operating Systems

    • Windows XP: Go to Start > Windows Update
    • Windows Vista: Go to Start > Control Panel > Security > Windows Update
    • Windows 7: Go to Start > All Control Panel Items > Security > Windows Update
    • Windows 8: Open the Search charm, enter "Turn automatic updating on or off", and tap or click Settings to find it.
    • Windows RT: Automatic updating is always on.


    Alternatively, navigate to http://windowsupdate.microsoft.com, and install ALL Critical security updates listed (you will need to use Internet Explorer to do this).

    Service Packs

    Service packs are the means by which product updates are distributed and may contain updates for system reliability, program compatibility, security, and more. Unless you suspect your computer is infected with malware, the latest service packs can be downloaded from Microsoft Support. Once you are sure you have a clean system, it is highly recommended to install the latest service pack to help prevent against future infections.

    2. Update 3rd Party Software Programs

    Third Party software programs have become targets for malware creators. To check if your system is missing security updates or has insecure applications installed, install the Secunia Personal Software Inspector (PSI) or visit the Secunia Online Software Inspector page (requires Oracle Java).

    3. Use a Standard/Limited User Account

    Although the Administrator account is needed when setting up the computer, day-to-day usage should be with a Standard User Account which has limited permissions. An Administrator account provides the highest level of access to your computer whereas using a Standard User Account makes it more difficult for the computer to be infected.

Using a Standard User Account for everyday activities applies even if you are the sole user of the computer. For additional information, see Using a Standard/Limited User Account.


    4. Watch what you download!

    • Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
• Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others are among the most notorious. P2P programs allow the creation of a network enabling people to connect with other users and upload or download material in a fast, efficient manner.
    • Note also that even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected. Do not open any files without being certain of what they are!

      Pre-scan downloaded files for viruses and malware at one of these multi-engine single file scan sites. Both use a dozen or more well-known anti-malware scanners in a quick, easy scan with a report of results from all.

      -- Virus Total (10mb limit): https://www.virustotal.com/en/
-- Jotti's Malware Scan (15mb limit)


    5. Avoid questionable web sites!

    • Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders.
    • Most of these drive-by attempts will be thwarted if you keep your Windows updated and your internet browser secured (see below). Nevertheless, it is very important only to visit web sites that are trustworthy and reputable.
    • In addition, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is!
    • For more general information see the first section, "Educate yourself and be smart about where you visit and what you click on", in this tutorial by Grinler of BleepingComputer.

    Must-Have Software

    *NOTE*: Please only run one anti-virus and one anti-spyware program (in resident mode) and one firewall on your system. Running more than one of these at a time can cause system crashes and/or conflicts with each other.

    6. Antivirus

    • An Anti-Virus product is a necessity. There are many excellent programs that you can purchase. However, we choose to advocate the use of free programs whenever possible.

      The following antivirus software programs are free for personal use.
      -- avast! 5 Home Edition
      -- Avira AntiVir PersonalEdition Classic
      -- Microsoft Security Essentials (Windows Defender on Windows 8)
    • Please run only one antivirus resident at a time!
    • It is recommended to set your antivirus to receive automatic updates so you are always as fully protected as possible from the newest threats.


    7. Internet Browser

    Many malware infections install themselves by exploiting security holes in the Internet browser that you use.

    Internet Explorer -- Windows 8.1 includes Internet Explorer 11. If your operating system is Windows 7, update to Internet Explorer 10. Windows Vista systems should be updated to Internet Explorer 9. For Windows XP, your system will be more secure if you update to Internet Explorer 8. (Note: If you do not want to change your search engine/start page, uncheck "I would also like Bing and MSN defaults".)

Mozilla Firefox -- In addition to updating to the most recent version, install NoScript and allow JavaScript, Java, Flash and other plugins to be executed only on trusted websites of your choice.

    8. Firewall

• It is critical that you use a firewall to protect your computer from hackers. The built-in Windows Vista, Windows 7 and Windows 8 firewall blocks both inbound and outbound traffic, but is still written to the registry.

      Since most malware accesses the registry and can disable the Windows firewall, you may prefer to install a third party firewall. Following are a couple of the available firewall programs that are free for personal use.
      -- Online Armor Free
      -- Privatefirewall
    • Please only use one firewall at a time!


    Other Cleaning / Protection Software

Of the below-listed programs, passive protection like that provided by SpywareBlaster, WinPatrol and HOSTS file programs can be used effectively alongside active resident protection programs. For example, the free version of Malwarebytes' Anti-Malware is an on-demand scan and clean program that will also not conflict with resident protection. Spybot is also on-demand, but has resident protection if the TeaTimer function is used.

Only one scanning program should be run at a time, with a shutdown/restart between scans.

    9. Consider installing SpywareBlaster by Javacool

    • This excellent program blocks installation of many known malicious ActiveX objects. Run the program, download the latest updates, "Enable All Protection" and you're done. Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
    • Don't forget to check SpywareBlaster for updates every week or so.
    • See this helpful tutorial by Lawrence Abrams, Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware.


    10. HOSTS File Programs

    • MVPS HOSTS -- This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial by WinHelp2002.
    • hpHosts -- hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. The inclusion policy can be found at hpHosts Online - Simple, Searchable & FREE!
    • See special instructions for Windows 8 by WinHelp2002 in Updating the HOSTS file in Windows 8.


    11. Anti-Malware and Anti-Spyware Programs (Select one or two)



    12. WinPatrol

• The Host-based Intrusion Prevention System (HIPS) of WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
    • WinPatrol will allow you to lock your HOSTS file and will monitor changes.
• WinPatrol is a powerful system monitor. Some of the features are described here (unofficial support site at WinPatrol Help & Information).


    Happy safe computing!!

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    *Note: The original version of this article was written in 2005 by Tony Klein and has been reproduced or linked to in thousands of locations. Tony is well known in the security community for his many contributions, including the CLSID List and A Collection of Autostart Locations.

    This document is an update of the original "So how did I get infected in the first place?" ©Tony Klein. With permission from Tony, I and others in the security community have continued updating this information to include current operating systems and software program information. It has come to my attention that updated copies of the article are no longer being maintained at many sites.

Revised: Tony Klein, Oct 30 2005, 05:00 AM
    Reproduced and edited with permission of the author.

    (Updated 15JUL2013)
    (Updated 16JUL2013 to Add User Account Information)
    Last edited by Corrine; 07-17-2013 at 08:51 PM.


    Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

    Remember - A day without laughter is a day wasted.
    May the wind sing to you and the sun rise in your heart.
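Added example, not part of the article above, Tony Klein's original, or any of the tools it names: a read-only PowerShell audit of the checklist items that can be verified from the machine itself (item 1 Windows Update, item 6 antivirus, item 8 firewall, items 10 and 12 the HOSTS file). It assumes Windows 7 SP1 or Windows 8/8.1 with PowerShell 3 or later; the Get-NetFirewallProfile cmdlet only exists on Windows 8 and later, so the firewall check falls back to netsh elsewhere. The decoding of the Security Center productState field is the commonly reported convention, not something Microsoft documents, and is marked as an assumption in the code.

```powershell
# Added example, not code from the article. Read-only audit of the checklist
# items that can be verified locally. Assumes Windows 7 SP1 / 8 / 8.1 with
# PowerShell 3 or later. Nothing here changes a setting.

function Get-WindowsUpdateStatus {
    # Item 1: the Windows Update agent service, plus updates that apply to this
    # machine but are not yet installed (the Windows Update Agent COM API).
    $svc      = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
    $critical = @($pending | Where-Object { $_.MsrcSeverity -in @('Critical', 'Important') })
    [pscustomobject]@{
        ServiceState   = $svc.State      # 'Running' when the agent is active
        ServiceStart   = $svc.StartMode  # 'Auto' or 'Manual'; 'Disabled' means no updates at all
        PendingTotal   = $pending.Count
        PendingCritImp = $critical.Count # MSRC severity Critical/Important, the ones the article says to install
        PendingTitles  = @($critical | ForEach-Object { $_.Title })
    }
}

function Get-FirewallState {
    # Item 8: every profile should be enabled with inbound connections blocked by default.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        Get-NetFirewallProfile | ForEach-Object {
            [pscustomobject]@{
                Profile         = $_.Name
                Enabled         = ("$($_.Enabled)" -eq 'True')
                DefaultInbound  = "$($_.DefaultInboundAction)"
                DefaultOutbound = "$($_.DefaultOutboundAction)"
            }
        }
    } else {
        # Windows 7 / Vista have no NetSecurity module; netsh prints "State ON/OFF" per profile.
        netsh advfirewall show allprofiles state
    }
}

function Get-ResidentAntivirus {
    # Item 6 and the *NOTE*: Security Center should list exactly one registered antivirus.
    # ASSUMPTION: productState is undocumented; the widely reported layout is 0xAABBCC with
    # BB = 00/01 meaning real-time protection off and CC = 00 meaning signatures up to date.
    $products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    foreach ($p in $products) {
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name         = $p.displayName
            RealTimeOn   = ($hex.Substring(2, 2) -notin @('00', '01'))
            SignaturesOk = ($hex.Substring(4, 2) -eq '00')
            ProductState = "0x$hex"
        }
    }
    if ($products.Count -gt 1) {
        Write-Warning "$($products.Count) resident antivirus products are registered; the article advises running only one."
    }
}

function Get-HostsFileSummary {
    # Items 10 and 12: how large the block list is, whether the file carries the read-only
    # attribute (one way of "locking" it), and whether any entry points somewhere other than
    # a blackhole address. A HOSTS entry redirecting a real site elsewhere is a classic hijack.
    $path   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $item   = Get-Item $path
    $active = @(Get-Content $path | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' })
    [pscustomobject]@{
        Entries     = $active.Count
        ReadOnly    = $item.IsReadOnly
        LastWrite   = $item.LastWriteTime
        NonBlackhole = @($active | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|0\.0\.0\.0|::1)\s' }).Count
    }
}

Get-WindowsUpdateStatus | Format-List
Get-FirewallState       | Format-Table -AutoSize
Get-ResidentAntivirus   | Format-Table -AutoSize
Get-HostsFileSummary    | Format-List
```

A NonBlackhole count above zero, a LastWrite time you do not recognise, or two antivirus products both reporting RealTimeOn are the findings worth chasing; the rest is a snapshot to compare against after the machine has been cleaned.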

2. #2 Patrick (Moderator, Microsoft MVP, BSOD Kernel Dump Expert, Contributor)

    Re: "So How Did I Get Infected In the First Place?"

    Great writeup, Corrine.

A fantastic add-on I refuse to browse today's internet without is NoScript for Firefox (and to tell the truth it is the only thing keeping me using Firefox as opposed to other browsers).

    Debugging/Reverse Engineering Blog

    “Be kind whenever possible. It is always possible.”

    - Dalai Lama


3. #3 satrow (Sysnative Staff, BSOD Kernel Dump Analyst)

    Re: "So How Did I Get Infected In the First Place?"

    I've used the above as the basis for my layer technique for a long time now, some of my modifications/additions below.

I start outside the Windows box; wired connection from my firewalled modem/router set to OpenDNS. Link maintained to OpenDNS in Windows with Marc's Updater (I have a variable external IP address). No Windows sharing/SMB of any kind on the internal PCs - I sometimes work on infected machines, as my OpenDNS history would confirm - this hopefully minimises any worm-type risk.

    WiFiGuard updates me on any new connections to the WiFi network.

    I use an amalgam of MVPS HOSTS and hpHosts, maintained/updated by HostsMan

    I find NoScript too distracting and high maintenance; in my default browser, Pale Moon (normally the x64 version) I use DuckDuckGo as default search engine, DoNotTrackMe and, currently, BluHell Firewall.
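Added example, not code from satrow's post, HostsMan, MVPS or hpHosts: a PowerShell script that merges two HOSTS-style block lists into one deduplicated file the way a hosts manager does, then checks the two things outside the browser that the post relies on, the adapter DNS servers being the OpenDNS resolvers (208.67.222.222 and 208.67.220.220) and SMB sharing being off. The two list fragments are constructed samples, not the real MVPS HOSTS or hpHosts files. It assumes Windows 7 or later with PowerShell 3 or later.

```powershell
# Added example, not code from the post. Merges HOSTS block lists and checks the
# DNS and SMB layers the post describes. Sample lists are constructed, not real.

$MvpsSample = @'
# MVPS-style list (constructed sample)
127.0.0.1  localhost
0.0.0.0  ad.doubleclick.net
0.0.0.0  ads.example.com   # trailing comment
0.0.0.0  tracker.example.net
'@

$HpHostsSample = @'
# hpHosts-style list (constructed sample)
127.0.0.1 ads.example.com
127.0.0.1 malware.example.org
127.0.0.1 TRACKER.example.net
127.0.0.1 localhost.localdomain
::1       localhost
'@

# Names that belong to the machine itself and must never be turned into block entries.
$LocalNames = 'localhost', 'localhost.localdomain', 'broadcasthost', 'local', 'ip6-localhost', 'ip6-loopback'

function Merge-HostsLists {
    param([string[]]$Lists)
    # Returns unique "0.0.0.0 <host>" lines. 0.0.0.0 is used instead of 127.0.0.1 so a
    # blocked lookup fails at once instead of waiting on a connection to the loopback adapter.
    $seen = New-Object 'System.Collections.Generic.HashSet[string]'
    $out  = New-Object 'System.Collections.Generic.List[string]'
    foreach ($list in $Lists) {
        foreach ($raw in ($list -split "`r?`n")) {
            $line = ($raw -replace '#.*$', '').Trim()                  # drop comments and whitespace
            if (-not $line) { continue }
            $fields = $line -split '\s+'
            if ($fields.Count -lt 2) { continue }
            if ($fields[0] -notmatch '^(127\.0\.0\.1|0\.0\.0\.0|::1)$') { continue }  # only blackhole entries
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                $hostname = $name.ToLowerInvariant()
                if ($LocalNames -contains $hostname) { continue }
                # conservative hostname check: dotted labels of letters, digits, hyphen, underscore
                if ($hostname -notmatch '^(?=.{1,253}$)([a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$') { continue }
                if ($seen.Add($hostname)) { $out.Add("0.0.0.0 $hostname") }
            }
        }
    }
    return $out
}

function Test-OpenDnsResolvers {
    # Win32_NetworkAdapterConfiguration works on Windows 7 as well as 8; one object per adapter
    # with an IP address. AllOpenDns is false if any configured server is not an OpenDNS resolver.
    $openDns = '208.67.222.222', '208.67.220.220'
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' |
        Where-Object { $_.DNSServerSearchOrder } |
        ForEach-Object {
            [pscustomobject]@{
                Adapter    = $_.Description
                Servers    = ($_.DNSServerSearchOrder -join ', ')
                AllOpenDns = (@($_.DNSServerSearchOrder | Where-Object { $openDns -notcontains $_ }).Count -eq 0)
            }
        }
}

function Get-SmbExposure {
    # "No Windows sharing/SMB of any kind": the Server service should be stopped or disabled
    # and no shares beyond the hidden administrative ones (names ending in $) should exist.
    $srv    = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanServer'"
    $shares = @(Get-CimInstance -ClassName Win32_Share | Where-Object { $_.Name -notmatch '\$$' })
    [pscustomobject]@{
        ServerService  = $srv.State
        StartMode      = $srv.StartMode
        NonAdminShares = @($shares | ForEach-Object { $_.Name })
    }
}

$merged = Merge-HostsLists -Lists $MvpsSample, $HpHostsSample
$merged   # 4 unique entries: the duplicate and the differently-cased duplicate collapse, localhost names are dropped
Test-OpenDnsResolvers | Format-Table -AutoSize
Get-SmbExposure       | Format-List
```

To install a merged list, copy the existing hosts file aside first and write the new one from an elevated prompt with Set-Content -Encoding ASCII; on Windows 8, Windows Defender treats a modified HOSTS file as a hijack and restores the default one unless the file is excluded from scanning, which is the reason the article points to separate Windows 8 instructions.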

4. #4 Patrick (Moderator, Microsoft MVP, BSOD Kernel Dump Expert, Contributor)

    Re: "So How Did I Get Infected In the First Place?"

    I've yet to try PaleMoon, how do you like it compared to Firefox's official browser?



5. #5 satrow (Sysnative Staff, BSOD Kernel Dump Analyst)

    Re: "So How Did I Get Infected In the First Place?"

I like it enough to have been a beta-tester since about 3-4 months into first using it (it may have been 15-16 months though, can't remember).

6. #6 Will Watts (Administrator, Security Analyst)

    Re: "So How Did I Get Infected In the First Place?"

    A concern I'd have about using PaleMoon is that as upstream software, how quickly do Firefox security patches get added?


7. #7 Patrick (Moderator, Microsoft MVP, BSOD Kernel Dump Expert, Contributor)

    Re: "So How Did I Get Infected In the First Place?"

Quote, originally posted by Will Watts: "A concern I'd have about using PaleMoon is that as upstream software, how quickly do Firefox security patches get added?"

This was my concern as well.



8. #8 satrow (Sysnative Staff, BSOD Kernel Dump Analyst)

    Re: "So How Did I Get Infected In the First Place?"

    Security patches, even from 'higher' Firefox versions are added to Pale Moon within a few days of the Firefox source code being released (time is needed to build/test first) - if it's applicable to Pale Moon - it doesn't blindly follow Mozilla in the addition of new 'features', so not all Firefox vulnerabilities will be in the Pale Moon code.

    EDIT: there's a host of details on the Pale Moon site and forum, the dev, MC, is quite happy to handle any queries you might have.

    Also, it's independent of Firefox's profile (unlike all? the other forks/builds that I'm aware of) so it's 'safe' to test alongside FX and can make a useful comparison/troubleshooting tool if you suspect a FX bug/problem.
    Last edited by satrow; 07-15-2013 at 07:44 PM.

9. #9 jcgriff2 (Administrator, Microsoft MVP, BSOD Kernel Dump Expert; New Jersey Shore)

    Re: "So How Did I Get Infected In the First Place?"

    Great write-up, Corrine.

10. #10 cluberti (Senior Member; Redmond)

    Re: "So How Did I Get Infected In the First Place?"

    I'm a little concerned none of the mitigation steps recommend not logging in with an administrative account. There are knocks on the Windows Firewall because it can be overwritten in the registry, but.... only by admins! It's a good article, but it still reinforces a lot of the misconception that security is a product (or products) you can use, when it's really a methodology that uses products when necessary to increase the security posture of a system. #1 on any "how to be more secure" list should always be "don't log onto your machine and use it with an administrative account", or it has ultimately failed - an admin is an admin, and you can't stop something running with those privileges from screwing up the system if it's determined enough.
    Last edited by cluberti; 07-16-2013 at 11:16 AM.
    MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8

11. #11 Corrine (Administrator, Microsoft MVP, Security Analyst)

    Re: "So How Did I Get Infected In the First Place?"

    Good point. It is surprising that wasn't in the original, particularly since the advice to use a "Limited User Account" was strongly encouraged when the article was written. I'll add it to the Safe Computing Practices section.



12. #12 jcgriff2 (Administrator, Microsoft MVP, BSOD Kernel Dump Expert)

    Re: "So How Did I Get Infected In the First Place?"

    What about those using UAC (like me)?

    Is limited user account still necessary?

13. #13 cluberti (Senior Member)

    Re: "So How Did I Get Infected In the First Place?"

Yes - UAC is not a security boundary, it's a security measure. If you're logged in as an admin, there's a known (and impossible to plug) "drive-by" possibility by hacking/replacing a binary allowed to silently bypass UAC, like regedit. Since in most "UAC drive-by" hacks, a hacked binary can only elevate to the user's highest-privs available on a system, if you're an admin, that's... full admin. However, if you're just a user, that's then running as a regular user (great hack! /sarcasm) and no real harm done. UAC is a mechanism, but not a boundary, and not impossible to jump over or impersonate - difficult, yes, but not impossible. Even with UAC enabled, running as admin is foolhardy at best. UAC provides protection, but since it's not a boundary if there *is* any sort of foul play, your system will be wide open and vulnerable. Also, UAC allows the ability to elevate processes to that admin account as necessary, making it possible (and fairly easy) to run without admin privs.

14. #14 jcgriff2 (Administrator, Microsoft MVP, BSOD Kernel Dump Expert)

    Re: "So How Did I Get Infected In the First Place?"

    When you say "Admin" - are you referring to all user admin accounts (-10xx) or just hidden admin (-500)?

15. #15 cluberti (Senior Member)

    Re: "So How Did I Get Infected In the First Place?"

    All - an admin is an admin, the only difference between one created and the original is that UAC doesn't apply to the inbox admin. Otherwise, they're the same.
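Added example, not code from cluberti's or jcgriff2's posts: a PowerShell script that shows, for the session it runs in, the three situations the exchange above distinguishes. A standard user has no Administrators group in the token at all; an admin logged on under UAC holds a split token, in which whoami reports BUILTIN\Administrators as "Group used for deny only" and a Medium integrity label, and the elevated half is what an auto-elevating binary hands to whoever replaces it; the built-in RID-500 Administrator, or any admin with UAC switched off, carries the full token from logon. The policy values under the Policies\System key (EnableLUA, ConsentPromptBehaviorAdmin, FilterAdministratorToken, PromptOnSecureDesktop) are the documented UAC settings; the defaults filled in when a value is absent are the Windows 7/8 defaults. Assumes Windows Vista or later.

```powershell
# Added example, not code from the posts. Reports where this session sits relative to UAC:
# standard user, admin in Admin Approval Mode (split token), or full administrator token.

function Get-UacPolicy {
    # Documented UAC policy values; Windows 7/8 defaults are substituted when a value is missing.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = if ($null -ne $p.EnableLUA) { [int]$p.EnableLUA } else { 1 }                                    # 0 = UAC off
        ConsentPromptBehaviorAdmin = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }  # 0 = elevate without prompting
        FilterAdministratorToken   = if ($null -ne $p.FilterAdministratorToken) { [int]$p.FilterAdministratorToken } else { 0 }      # 0 = RID-500 admin never sees UAC
        PromptOnSecureDesktop      = if ($null -ne $p.PromptOnSecureDesktop) { [int]$p.PromptOnSecureDesktop } else { 1 }
    }
}

function Get-TokenFacts {
    # whoami /groups lists the groups and the integrity label of the current token.
    # Split admin token : S-1-5-32-544 present with "Group used for deny only", label Medium (S-1-16-8192)
    # Full admin token  : S-1-5-32-544 enabled, label High (S-1-16-12288)
    # Standard user     : S-1-5-32-544 absent
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    [pscustomobject]@{
        UserSid        = $sid
        IsBuiltinAdmin = ($sid -like 'S-1-5-21-*-500')    # RID 500 = the "inbox" Administrator account
        InAdminGroup   = [bool]$admins
        AdminDenyOnly  = [bool]($admins -and ($admins.Attributes -match 'deny only'))
        IntegrityLabel = if ($label) { $label.'Group Name' } else { 'unknown' }
    }
}

function Get-ElevationPosture {
    param($Token = (Get-TokenFacts), $Policy = (Get-UacPolicy))
    # Pure classification, separated from the probes so the rules can be read (or fed hand-built input).
    $posture =
        if ($Policy.EnableLUA -eq 0)      { 'UAC disabled: every admin logon runs with the full token' }
        elseif (-not $Token.InAdminGroup) { 'Standard user: code that hijacks this session gets no more than the user has' }
        elseif ($Token.AdminDenyOnly)     { 'Admin in Admin Approval Mode: split token, full admin is one auto-elevation away' }
        else                              { 'Full administrator token: nothing stands between running code and admin' }
    [pscustomobject]@{
        Posture           = $posture
        IntegrityLabel    = $Token.IntegrityLabel
        SilentElevation   = ($Policy.EnableLUA -eq 1 -and $Policy.ConsentPromptBehaviorAdmin -eq 0)   # admins elevate with no prompt at all
        BuiltinAdminNoUac = ($Token.IsBuiltinAdmin -and $Policy.FilterAdministratorToken -eq 0)     # the "UAC doesn't apply to the inbox admin" case
    }
}

Get-ElevationPosture | Format-List
```

Run it once from a normal console and once from an elevated one while logged on as an admin: the only line that changes is the integrity label and the deny-only flag, which is the point cluberti is making, the full token was there all along, and UAC only decides when it is handed out. Run it as a standard user and the Administrators group is simply not in the token, so there is nothing to hand out.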

16. #16 Corrine (Administrator, Microsoft MVP, Security Analyst)

    Re: "So How Did I Get Infected In the First Place?"

    Updated to add the section "Use a Standard/Limited User Account". Additionally created instructions for Using a Standard/Limited User Account.



