DISCLAIMER
THIS IS NOT AN OFFICIAL DOCUMENT OF THE UNIVERSITY OF BIRMINGHAM
OR THE SCHOOL OF COMPUTER SCIENCE. NEITHER THE UNIVERSITY NOR THE
SCHOOL HAS ENDORSED THE OPINIONS EXPRESSED HERE.
After circulating a version of the notes below to colleagues I thought I would make them more widely available, in case they are of use to others. Maybe the following will be of use to poor sods who have to use MSWindows and find their machines infected.
Ignore this if you never use Windows and never will.
Unless you are a Linux/Unix user and just want to gloat!
After writing this web page I noticed this news item on the BBC web site, which is about the problems described here: 'Boom year' for hi-tech criminals (BBC News Sunday, 28 December 2008)
The problem

My wife uses an excellent Orienteering map-making package, OCAD, which runs only on Microsoft Windows, so she has to put up with Windows (XP) instead of Linux, which would be very much easier for me to look after, and along with Firefox, Thunderbird, and OpenOffice would meet all her needs apart from OCAD. But making orienteering maps, and using them for planning orienteering courses, etc., is one of the main things she uses her computer for, so she has to run Windows, alas. Since she is not interested in computers except as useful tools and does not wish to get into system administration I have to help her with problems running XP, upgrading software, etc. The one-eyed sometimes has to lead the blind. I am a windows novice (I dislike its interface so much, for reasons given here, that I use it as little as possible). Tim Kovacs pointed out to me that Ocad8 works with Wine on linux. I may try that some day, though my wife is using Ocad9, and I am not sure she would feel comfortable switching between virtual operating systems. Recently it became clear that her machine, although it is behind our shared firewall, and has the highly recommended Kaspersky anti-virus package installed, with regular updates and regular scans, had become infected and was in the grip of some malware that popped up windows, mostly full screen, purporting to be "Internet Explorer" windows (although she never uses IE, only firefox, except for installing microsoft updates). The popup windows advertise various products, especially windows maintenance and protection products. Some of the intrusions report alleged system corruption that "urgently" needs to be fixed by clicking on a link, and there are various other advertisements, often related to what had been viewed recently on firefox. I assume that clicking where indicated on the panel (even a 'Cancel' button) will send a message somewhere, which may or may not do you harm. It may just get somebody advertising revenue.

In our case there was no evidence of any harm done, apart from the nuisance value, which was very high. Asking Kaspersky to run a complete scan of the system produced no information, so I asked others for help. Since people on the Birmingham Linux User Group email list are very helpful and very knowledgeable (many are professional software developers or maintainers) I asked them for help, as well as people on our local department 'advice' email list. I received quite a lot of advice and help, but it still took many hours over about three days (including much late night work) to get the problem squashed. I am posting this web page in the hope that others can get help faster if they find it.

What I learnt

Very soon I learnt that there is a type of computer infection that has various names ("malware", "adware", "spyware", "keyloggers"), using "worms" and "trojans", distinguished from "viruses" because they do not replicate and spread themselves. For a useful introductory overview see this wikipedia article:
http://en.wikipedia.org/wiki/Spyware
Moreover, I also learnt that very large numbers of people have these infections and there are many requests for help in many online forums, often resulting in well-meant but inadequate advice being handed out. The problem seems to be escalating fast. So very many people need help, and of course, the suppliers of snake oil can make money out of those infected. One of the nasty things I discovered is that there are lots of web sites purporting to give expert technical information about the problem, or purporting to review removal software. The latter tend to list a few packages, give them star ratings and provide links, apparently on the basis of authoritative knowledge and 'extensive testing'. But details of the tests are not presented and many of the reviews seem to be nothing more than advertising sites which presumably get revenue every time a reader clicks on a link to one of the recommended packages. I doubt that many of them have the resources to do the extended comparisons required, including setting up infected machines and testing the several patterns of infection with different tools. I suspect all that some of them do is read the suppliers' lists of features and reword what other reviewers have written. Another nasty thing is that all of the packages I learnt about offer free downloads and free scans, but nearly all of them fail to make clear that after doing a scan they can present you with a list of potentially serious infections and the option to neutralise them, but only if you purchase a licence for the product.

Even if the websites do mention that the free version merely does a scan, none of these review sites, nor most of the supplier web sites, tell you how much it will cost you to use the product to deal with infections detected. So the gullible user downloads a product, invokes a scan and then is scared into buying a licence immediately, discovering only then how much it will cost. That happened to me with Pctools Spyware Doctor, which I had seen advertised by users on an email list who had used an older free version which provided both scans and removal (presumably to build up a reputation). It was also highly recommended in an apparently reputable publication. So after trying a free package (AVG Malware tool), which did a scan and removed what it found, but had no effect, since the annoying popups continued, I tried Spyware Doctor. It claimed to find two trojans and a collection of related files and offered to remove them provided that I purchased a licence. It did not state in advance what the cost would be: I learnt that only at a fairly late stage, and thought a cost of £29 for a one year subscription would be good value, since the tool seemed to find more than Kaspersky or AVG. I clicked on the disinfect button, and was pleased to see that it claimed success.

But the pop-ups continued: Spyware Doctor had failed.

Running the scan again, a few minutes later, showed that it reported exactly the same infections as before. I.e. either the claim to have removed them was fraudulent or, more likely, the package had found only a symptom, not the cause of the problem. The cause was apparently somewhere else on the machine and quickly replaced the removed files. I also strongly dislike the subscription policy of PCtools: once you have purchased their software, they retain your credit card details and you will by default be charged for a renewal subscription after 12 months. Fortunately, an email complaint after purchase brought a reassurance that they would not charge me again without first asking me. But they did not assure me, as requested, that they would delete my credit card details from all their files. DO NOT BUY ANYTHING FROM THEM. The pop-ups apparently run internet explorer, even though IE was not being used on the machine -- only firefox and thunderbird, except for MS updates, which require IE.

Towards the solution.

The problem has finally been conquered, I think, but it seems to have required several different tools, each fixing part of the problem. Fortunately the best ones seem to be available free, including one from Microsoft. (Some that used to be free now only give a free scan.) One option proposed was running XP in 'safe mode'. A colleague recommended running Bart PE for this purpose:
http://www.nu2.nu/pebuilder/
Kaspersky (who provide our virus checker) also recommend the PEbuilder and provide a script for using it to build a system restore tool that includes Kaspersky stuff. I built bootable CDs with and without the Kaspersky extras included, but it turned out that I did not need to use either (not that I would have known what to do once I had booted in safe mode. I am not a windows user -- and don't want to learn how to be one ....) After wasting money on Spy Doctor I did not wish to try any other of the plethora of 'highly recommended' packages that allow you a free download and free scan -- then require you to pay in order to fix what is found by the scan. The free AVG malware tool found one thing and removed it, but that made no difference to the adverts popping up (apparently launching internet explorer to do so). So as a first step I strengthened the protection level of our installed Kaspersky package by selecting more of the options beyond the recommended default settings that had previously been running. That had the effect of constantly producing Kaspersky popups saying one thing was trying to do something to another. Eventually I learnt that most of them were harmless and selected the option to add new 'exclusion rules' for those modules, though sometimes the program names or module names gave me no clue as to whether they were harmless or not. This may have helped fight the self-regeneration of the malware after some of their files had been removed: I really don't know.

But they really should provide a popup that helps naive users (like me) take informed decisions. In fact they should give a recommended decision, e.g. if the software triggering the event is a known package, then add it to the 'allow' database.

Solving the problem (I think)

Eventually, after a lot of searching, and a failed attempt to get microsoft Defender to run (it claimed I did not have a genuine version of XP, even though I bought XP with the machine), I discovered a new free version of a microsoft package that could be run from firefox, 'onecare live' (linked from a microsoft web site):
http://onecare.live.com/site/en-US/default.htm
[Apparently it used to be available only at a cost but was recently made available free.] That scanned the whole computer, took a long time, found a lot of suspect items that Kaspersky, AVG, and Spyware Doctor had failed to find, and gave me the choice whether to fix each of them. Since I did not understand most of the options I chose them all anyway, and the popups seemed to become a lot less frequent after that. After that, I ran the free Microsoft Malicious Software Removal Tool suggested by a colleague, available from Microsoft as windows-kb890830-v2.5.exe. It also took a long time, but found nothing new. Perhaps it uses the same rules as the "Onecare live" package, which had already removed what it had found? But there still seemed to be problems. E.g. after rebooting I got panels coming up complaining about not finding two of the .dll files that had been removed (harivisa.dll and jotejiho.dll). I felt something was trying to restart malware. After more googling I stumbled across this: Malwarebytes' Anti-Malware (MBAM)
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
http://www.malwarebytes.org/mbam.php
Unlike most of the others, it tells you there's a free version (for personal use only) that will find AND fix a class of problems. It tells you the cost of the full licence in advance (only US$24 -- quite a lot less than the others I looked at). The full version of mbam has a one time fee instead of an annual fee like the others.
On CNET there were lots of very favourable reviews of that package: more than I had seen for any other malware tool. Most of the others had only reviews that seemed to be disguised adverts for a group of tools. I let mbam do a full scan, and it found several more things to remove, including suspicious browser cookies. (It divided them into different classes, making it easy to select the ad-related ones to remove.) After that, rebooting no longer brought up the requests for missing .dll files, and everything works as intended, and booting is faster. So I assume that the problem was solved, and in our case required only two totally free tools:
    The "Onecare live" package
    Malwarebytes' Anti-Malware (MBAM)
Of course, you may need something different! But I suggest you try these before any others. However, I suspect that the solution may have been partly a result of strengthening the level of proactive defence by Kaspersky, which may have prevented some residual, still undetected, piece of malware from doing its stuff.
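The "cannot find harivisa.dll / jotejiho.dll" panels at boot typically mean an autostart entry still points at a file the scanners deleted, which is exactly what a second tool then has to clean up. The script below is an added example, not part of the original page or of any tool mentioned on it: it parses a constructed .reg-style export of the XP Run key and AppInit_DLLs value and reports entries whose referenced .dll or .exe no longer exists. The sample entries, the PRESENT_FILES set and the injectable exists callback are assumptions made for the demonstration.

```python
import os
import re

# Constructed .reg-style export. The Run key and AppInit_DLLs are real XP
# autostart locations; the entries themselves are a hypothetical sample.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KasperskyAV"="\"C:\\Program Files\\Kaspersky\\avp.exe\" -start"
"harivisa"="rundll32.exe \"C:\\WINDOWS\\system32\\harivisa.dll\",a"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\jotejiho.dll"
'''

# Files assumed to still exist on disk after the scanners ran (constructed).
PRESENT_FILES = {r"C:\Program Files\Kaspersky\avp.exe"}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^"*?<>|,]+?\.(?:dll|exe)', re.IGNORECASE)


def parse_reg_values(reg_text):
    """Yield (key, value_name, unescaped_data) for each string value."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files escape backslashes and quotes with a backslash.
            data = re.sub(r'\\(.)', r'\1', m.group(2))
            yield key, m.group(1), data


def find_orphaned_autoruns(reg_text, exists=os.path.exists):
    """Return [(key, value_name, path)] for referenced files that are gone."""
    orphans = []
    for key, name, data in parse_reg_values(reg_text):
        for path in PATH_RE.findall(data):
            if not exists(path):
                orphans.append((key, name, path))
    return orphans


if __name__ == "__main__":
    for key, name, path in find_orphaned_autoruns(
            SAMPLE_REG, exists=lambda p: p in PRESENT_FILES):
        print(f"orphaned autostart entry: {key}\\{name} -> {path}")
```

On a real machine the export would come from `reg export` of those keys and `exists` would be left as the default filesystem check; an orphaned entry is a pointer to what was removed, not proof that the remover itself is gone.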
Continuing defence -- and its annoyances

I assume I shall have to run the above two scanners at regular intervals. I have left Kaspersky's proactive defence mechanism running, which includes a registry guard, suspicious activity detector and intrusion guard. The annoying thing about that is that it keeps detecting things and asking whether to allow them or not, and whether to change the rules to allow them permanently -- without giving enough information for a novice to decide what to allow. So I had to guess that most of them were safe and could be allowed permanently. So the Kaspersky popups are now very infrequent. I had to turn off Kaspersky's web traffic monitoring as it had a huge impact on speed of browsing, though it still scans incoming and outgoing mail. How was the machine originally infected, I wonder? We have a communal firewall on our router, and I had hoped that plus the Kaspersky system would be enough. Apparently not. Perhaps I should have upgraded Firefox to version 3 earlier -- I waited till a few weeks ago as I wanted to make sure it was stable enough for my wife, a non-expert, who is annoyed by changes in the software she uses. The way Firefox handles suspect certificates is really unhelpful for a novice who needs to accept some things and reject others but doesn't know how to distinguish them. The popup should give more positive hints as to how to decide whether to accept or not, instead of recklessly terrifying everyone about everything. (No doubt the people who designed that piece of software felt they were contributing to improved security. They did not consider what would happen once people learnt the procedure to allow something they knew was safe and really wanted. Good software designers also need to be good psychologists, but programmers rarely are.) IE now seems to have copied that unfortunate behaviour. I hope this information is of use to someone.

Why do Linux users suffer less than Windows users?

It is often said that the main reason why linux does not have so many problems is that it is much less widely used, so that it's not worthwhile for hackers to attack it. I suspect another reason is that from the very start unix was designed as a multi-user system (e.g. we had simultaneous users running on a DEC PDP11/40 with unix in 1976 at Sussex university) so that a privilege structure was there from the beginning, although it has never been as sophisticated as the one in VMS (which offers far more levels of privilege) and some earlier operating systems, e.g. ICL George 4, Multics. Two crucial things on unix/linux are: an ordinary user cannot accidentally allow system files to be changed (e.g. without using sudo), and an ordinary user does not need to be superuser to install a runnable program -- which does not have full system privileges. So people can install minor goodies without requiring administrator privileges. It took Microsoft around two decades to understand that just because a PC allows one user at a time (unlike unix/linux machines that allow multiple logins) it does not follow that it is a single user machine. In schools, in businesses and in homes, each PC could be used by different people at different times, with different needs, and different levels and kinds of expertise. So from the start, or soon after, security should have been a major consideration in Windows. They should have learnt from unix and later linux. If they had not been associated with IBM in the early days, nobody would have taken their junk seriously. Of course, they did eventually learn, after the disastrous results of connecting millions of poorly designed PCs to the internet, which they failed to understand. Later they managed to employ some really intelligent people after they became really rich. But those people had to struggle to improve a really terrible system. It was a heroic struggle, with notable results, but I suspect millions of users still have to live with the consequences of the poor initial design. Of course, MacOS is essentially unix/linux.
Maintained by
Aaron Sloman
School of Computer Science
The University of Birmingham
With thanks to Alison, for her forbearance and patience, and thanks to all who sent me suggestions.