Viruses have won, antivirus is no longer much protection

When I look at customers’ computers and find malware, I am constantly asked “Why is there malware when I have antivirus on the computer?”

It used to be because the user’s antivirus had expired or wasn’t updated. In the last couple of years, however, I have found dozens of infected machines with up-to-date antivirus.

The truth is, the nature of malware has changed. It used to come in the form of executable files, which had signatures that antivirus could pick up. Now, in the typical mode of infection, malware usually runs scripts on websites that find vulnerabilities in legitimate programmes, causing those programmes to be weakened or to malfunction. Java is one of those programmes, and is a legitimate programme, so antivirus is happy with it. However, Java is a programme that has full system access on a PC, although in theory this is restricted. The exploits remove this restriction. This allows network connections to be opened from inside the machine to contact malicious sites, which bypasses most firewalls, because “outbound” connections are allowed. The exploits can also modify Windows (and Mac) settings, further weakening the system, just like the wooden horse of Troy, when the soldiers smuggled inside opened the gates of the city. This can also disable antivirus or prevent antivirus from loading on startup. Because this is done via a legitimate programme, the antivirus is none the wiser. Opening network connections to malicious sites also allows the malware to update itself, similar to Windows Update.

By turning off antivirus and auto-updating, less subtle malware can be downloaded, which can then have free rein. All that is needed is a single vulnerability. Many of these vulnerabilities are discovered long before patches are released to fix them.

My conclusion is that antivirus is not an effective protection against malware. The most effective protection is users being educated in safe behaviour. The status quo is like a flock of lambs wandering into a wilderness occupied by starving wolves.

How to avoid viruses!

Sorry, there is no guaranteed protection, but one thing you can do is remove Java. Most people don’t need it, and if you do, you can always download it again. Windows itself has been updated so much that virus writers are finding fewer weaknesses. Now, their attentions are focussed on Java, Adobe Flash and Adobe Acrobat. The average Joe is likely to need the Adobe products (Acrobat Reader for downloaded documents and forms, and Flash for many websites, including YouTube). However, you will protect yourself better if you keep those products up to date. You should be on Adobe Reader X (or 10) and Flash Player 11 – to check which version of Flash you are on, go to http://kb2.adobe.com/cps/155/tn_15507.html

The figures in a study in September put malware infections via Adobe products at 48%, and via Java at 37% with Internet Explorer trailing at a relatively safe 10%.
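
A quick way to carry out the check above on a Windows PC, as an added example that is not part of the original post: this PowerShell reads the list of installed programmes from the registry, flags any Java install, and flags Adobe Reader below 10 or Flash Player below 11. It assumes the programmes register display names beginning "Java", "Adobe Reader" and "Adobe Flash Player".

```powershell
# Added example (not from the original post).
# Minimum major versions are the ones named in the post: Reader X (10), Flash Player 11.
$minimumMajor = @{ 'Adobe Reader' = 10; 'Adobe Flash Player' = 11 }

# Installed programmes are listed under these keys (64-bit and 32-bit views).
# The second path does not exist on 32-bit Windows, hence SilentlyContinue.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: display names start with "Java", "Adobe Reader" or "Adobe Flash Player".
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|Adobe Reader|Adobe Flash Player)' }

foreach ($app in $installed) {
    $finding = 'OK'

    if ($app.DisplayName -match '^Java') {
        # The post's advice: most people do not need Java at all.
        $finding = 'Remove unless you know you need it'
    }
    else {
        # Take the leading number of DisplayVersion (e.g. "10.1.4" -> 10).
        $major = 0
        if ($app.DisplayVersion -match '^(\d+)') { $major = [int]$Matches[1] }

        foreach ($name in $minimumMajor.Keys) {
            if ($app.DisplayName -like "$name*" -and $major -lt $minimumMajor[$name]) {
                $finding = "Update: below version $($minimumMajor[$name])"
            }
        }
    }

    [pscustomobject]@{
        Name    = $app.DisplayName
        Version = $app.DisplayVersion
        Finding = $finding
    }
}
```

An empty result means none of the three products is registered as installed for all users; per-user installs under HKCU are not covered by this sketch.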

 

 

It’s good to remove programmes you no longer need… except when they are Windows Updates!

I recently reformatted a badly infected PC for a customer. It had a number of nasty trojans, plus some files with broken digital signatures. After reinstalling Windows Vista plus the 100 or so updates, and restoring her documents, I returned the PC.

I always try to advise customers on how to protect themselves online, as so much malware is now a “wolf in sheep’s clothing” masquerading as some useful piece of software. “Honest guv, I will speed up your pc, plus give you virus protection, make you lots of money and even bring you regular cups of tea” (well ok, not that.)

As part of this advice, I advise customers to remove software they no longer need, such as RealPlayer, Java, Shockwave, a gazillion toolbars etc.
Startlingly, during the course of my conversation with my customer, she started telling me how she had removed all those surplus Microsoft Updates, as they were years old, and she doesn’t use them! I had to explain how they are vital for her protection, but it never occurred to me that this could make sense and there is a certain logic to it. The average user just installs the updates automatically without ever needing to understand that these updates fix security holes in Windows.

What is the solution to this? Microsoft can’t prevent users from uninstalling updates, as updates can cause other programmes or entire systems to crash or cease working. As much as I dislike the “are you sure?” and “are you really, really sure” type of dialogues, perhaps a sterner warning before uninstalling critical updates is needed.

Ransomware / Hijackware / Extortion-ware – totally dominant type of malware

Nearly every customer who comes to me with a malware problem has installed a “fake anti-virus” programme on their PC. It is often described as ransomware because, in order to get control of your PC back, you have to “upgrade to the full version”. Until then, it flashes a window up in front of anything else you try to use and it’s impossible to close it. Generally, they disable access to Task Manager, so you can’t kill it by “ending its process”. It plays a video claiming to have found lots of different pieces of malware but says it’s not safe to continue until you get your credit card out and pay for the full version. Make no mistake, this IS malware; all the warnings are just bogus information that is part of the video that is played to everyone who has installed this bogus anti-virus.
Another recent case of ransomware conned users into sending an SMS to premium rate numbers at a cost of 360 Russian Roubles (approx £7.50).

Sadly this approach works. I have heard conversion rates from 2%-10% for ransomware attacks.

So, how do you protect yourself? Firstly, you should use all the basic protection for your computer, but perhaps the most important thing…

Know what your antivirus is?

I am quite shocked how easily people are tricked by going to a webpage and believing some random page that runs a video saying “they are infected, so click here!” The web is a dangerous place, guys! The antivirus on your machine is there to protect you, and if you are familiar with it, and trust only its warnings, you can and should disregard ANY other warning about malware or viruses that doesn’t originate from your own antivirus.

I would guess the majority of users couldn’t name the antivirus programme they have on their machine. To me, that is a timebomb, as well as a great cash cow for the ransomware extortionists.
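
To find out which antivirus is actually on the machine, and whether Task Manager has been switched off as described in the ransomware section, here is an added PowerShell example (not part of the original post). It assumes a desktop edition of Windows, where antivirus products register with Security Center, and it only checks the DisableTaskMgr policy value, which is one way Task Manager can be disabled but not the only one.

```powershell
# Added example (not from the original post).
# Part 1: name the antivirus that Windows Security Center knows about.
# Assumption: desktop Windows; the SecurityCenter2 namespace is absent on Windows Server.
$products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                            -ClassName AntiVirusProduct `
                            -ErrorAction SilentlyContinue

if (-not $products) {
    Write-Output 'No antivirus is registered with Windows Security Center.'
}
foreach ($product in $products) {
    # Only warnings from a product listed here should be trusted.
    Write-Output ("Registered antivirus : {0}" -f $product.displayName)
    Write-Output ("  Installed at       : {0}" -f $product.pathToSignedProductExe)
}

# Part 2: check whether Task Manager has been disabled by policy.
# DisableTaskMgr = 1 under either key blocks Task Manager for the user.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
)

$disabledAt = foreach ($key in $policyKeys) {
    $setting = Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue
    if ($setting -and $setting.DisableTaskMgr -eq 1) { $key }
}

if ($disabledAt) {
    Write-Output 'Task Manager is disabled by policy at:'
    $disabledAt | ForEach-Object { Write-Output "  $_" }
    Write-Output 'On a home PC nobody locked down on purpose, treat this as a sign of infection.'
}
else {
    Write-Output 'Task Manager is not disabled by the DisableTaskMgr policy.'
}
```

Any pop-up or web page claiming to be a virus scanner whose name does not match the "Registered antivirus" line is not your antivirus.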