Increased Virus Activity?

Over the last two months I have experienced a massive surge in viruses attacking computer systems.  I can’t help but notice that this is about the time when several other hacks and exploits have been made public; I refer to the most obvious “Heartbleed” OpenSSL flaw.  I notice that Steam has had an issue too.  Is this mere coincidence?

From my experience, there have been three that have been quite prevalent.  The first was Cryptobit (a variant of Cryptolocker), which encrypted all useful/office files on the infected PC, then attacked a third of a server’s fileshare until I found and disconnected the culprit.  The second was Shylock, a virus that targets bank accounts within a victim’s web browser.  The third has been a bit of an unknown; the behaviour is to hide all the folders and files within a mapped drive and replace them with fairly convincing substitutes, which are in fact 128Kb executables that contain a copy of the virus.  The idea (and proven method, unfortunately) is for other users to hammer these files like crazy when the expected files do not open, infecting themselves.  Madness.
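The symptom described for the third infection (hidden originals sitting beside same-named executables of a fixed size) can be swept for on a share before anyone double-clicks.  This is an added example, not the post’s own script; it assumes the decoy carries the original name plus `.exe`, and the root path, reference size and tolerance are placeholders to adjust.

```powershell
# Added example (not from the post): find hidden folders/files on a share that
# have a same-named .exe beside them, and report whether the .exe is close to
# the ~128Kb size the post describes. Root path and sizes are placeholders.
function Find-ShadowedItems {
    param(
        [Parameter(Mandatory)][string]$Root,
        [int]$SizeBytes = 128KB,   # reference size from the post; adjust if needed
        [int]$Tolerance = 8KB      # how far from the reference size still counts
    )
    # Hidden items are skipped without -Force, so request them explicitly.
    $hidden = Get-ChildItem -LiteralPath $Root -Recurse -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

    foreach ($item in $hidden) {
        # Assumed decoy naming: "<original name>.exe" in the same directory.
        $parent    = Split-Path -LiteralPath $item.FullName -Parent
        $candidate = Join-Path $parent ($item.Name + '.exe')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            $exe = Get-Item -LiteralPath $candidate -Force
            [pscustomobject]@{
                HiddenItem  = $item.FullName
                Decoy       = $exe.FullName
                SizeBytes   = $exe.Length
                SizeMatches = [math]::Abs($exe.Length - $SizeBytes) -le $Tolerance
                # Hash is what you submit to the AV vendor, as the post describes doing.
                SHA256      = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage (placeholder UNC path): run read-only from an admin workstation, then
# disconnect the share and submit the hashes before touching anything.
Find-ShadowedItems -Root '\\FILESERVER01\Dept$' | Format-Table -AutoSize
```

Run it against the share rather than a mapped drive letter, and from a machine where the user account cannot execute files from that share, so that listing the decoys never runs them.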

The viruses I’ve encountered have been “zero day” versions, so none of the AV tools I use have picked them up.  This means that I’ve been submitting files to Kaspersky Labs and Microsoft to get antidotes created and released through the usual definition updates.  However, in a business environment, this means downtime and stress, especially on my part.  This last infection is forcing me to think differently about the setup of computer systems within a shared corporate environment.  Here’s my plan going forward:

  • Mapped drives are gone.  Cryptobit and this latest virus take advantage of mapped drives to create destruction.  I’m going to change the share name on the server, change the login script in AD to just delete file shares, and make everyone use a shortcut on the desktop.
  • Fragment file permissions.  Like most companies, we chuck users into a group based on their team or department.  This is going to have to be split out based on actual “need to know” permissions.  Purchasers don’t need access to CAD files, so if one member of a team is infected, the majority of a server/share can be spared.  Again, more admin work for the IT department.
  • Education of the users.  One of the infections was compounded by a firewall rule that had been applied that gave the users unlimited Internet access.  When I found and sealed this hole up, users started complaining about not being able to get to their Facebook or YouTube accounts.  If someone had said, the issue may not have been as serious as it was.  Also, seeing a file called “i love you” on a business server should result in a call to the Helpdesk, not a double-click to see what it is.
  • Patching.  Patching of the clients needs to happen as a priority now, including Java and Flash.  The Shylock virus takes advantage of a Java exploit, and so could have been prevented by patching to the latest update.
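The first step of the plan, removing drive letters and handing users a desktop shortcut to the renamed share, is a small logon script.  The block below is an added example rather than the post’s own script; the server name, share name and shortcut label are placeholders.

```powershell
# Added example (not the post's own logon script): drop every drive mapping the
# user has, then give them a desktop shortcut to the renamed share instead.
# Server, share and shortcut names are placeholders.
$Server    = 'FILESERVER01'        # placeholder
$ShareName = 'Dept-Files$'         # placeholder: the new (hidden, $-suffixed) share name
$UncPath   = "\\$Server\$ShareName"

# 1. Remove all current drive mappings (persistent and session-only).
#    Get-SmbMapping needs Windows 8 / Server 2012 or later.
Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object { Remove-SmbMapping -LocalPath $_.LocalPath -Force }

# Fallback for older clients: legacy net use clears all mappings unattended.
& net.exe use * /delete /yes 2>$null | Out-Null

# 2. Create (or refresh) the desktop shortcut pointing at the UNC path,
#    so there is no drive letter left for a simple drive-letter sweep to find.
$Desktop  = [Environment]::GetFolderPath('Desktop')
$LinkPath = Join-Path $Desktop 'Department Files.lnk'   # placeholder label
$Shell    = New-Object -ComObject WScript.Shell
$Link     = $Shell.CreateShortcut($LinkPath)
$Link.TargetPath  = $UncPath
$Link.Description = "Department share ($UncPath)"
$Link.Save()
```

This only removes the drive letter; anything that reaches the share by its UNC path is constrained by the permission split in the next step, not by the missing letter.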

The biggest question that I have been asked is why the AV solution didn’t catch any of the above infections.  Well, no AV solution is perfect.  There are going to be newly-released nasties that don’t get detected, plus there may be client issues that prevent updates from being applied to the client.  Although I understand that AV suppliers are fighting a constant battle to stay up-to-date, I’m not sure whether we are moving into a completely different arena now.  Viruses are becoming semi-autonomous, mutating and changing their behaviour in response to environmental factors.  Shylock can even detect if it is in a VM (typical behaviour when analysing it for an antidote) and so will inhibit its behaviour.  Something about the last couple of months does not feel right.

Personally, I don’t get infected by viruses and I am a prolific Windows computer user, so why don’t I get infected but others do?  Put simply, I know what constitutes a risk and won’t fall for spam emails or dodgy downloads.  Users, however, will click on anything and everything if left to it, so a large part of anti-virus prevention is computer knowledge.  Still, I am not immune and can only go so far in preventing infection.  After the last two months, I have taken the final step in securing my home computing experience, and have moved over to Linux as my primary platform.  Windows presents too big a risk for me at the moment, so I am keeping Windows away from me for the moment, until I get more confidence about its security.

If you are worried about viral infections, here is some guidance:

  • Back up your files.  Do NOT keep your backup device attached to your computer all the time though; some viruses attack external or network media, so if you are backing up to a USB drive, keep it in a drawer/safe when not backing up.  You might want to think about either investing in a fire and theft-proof safe, or keeping a copy of your files at a different location, or even online.  Dropbox, OneDrive, Drive can help you with this.
  • Get an antivirus product installed.  Typically only Windows is threatened by viruses, but we are starting to move into an era when other OSes and devices can be infected.  OS X and Linux are still relatively hard against exploits, so if you are on Windows, get protected.  Microsoft Security Essentials (free), AVG (free and paid), Kaspersky Labs (paid) are good starters.
  • Encrypt your hard disk.  Security means logical and physical now.  Use Truecrypt to make encrypted containers to store on removable disks, and to encrypt your computer (Windows only).  Ubuntu and Debian offer encryption when installing these products, and I believe Red Hat’s encryption is FIPS 140-2 accredited.
  • Be suspicious.  If you receive an email from a friend that doesn’t sound like them, could it be a virus?  Any attachment on an email, if unsolicited, will be a virus.  If you see some unusual files on your computer that seemingly came from nowhere, don’t click on them.  Wait a few days (if they are a virus, your AV should pick them up eventually) and if you are sure you don’t need them, delete them.
  • Secure your passwords.  Password crackers run through long lists of common words, so it is best to choose a password that is unique and complicated.  Use long passwords with numbers and a couple of symbols.  Don’t use the same password for multiple accounts.  If you find it hard to remember passwords (like me), use a password manager.  However, I am of the paranoid type, so I use a Word file within a Truecrypt encrypted container with a huge password on it.  I can remember one!
  • Don’t give out your passwords to anyone.  ANYONE.  Even if you trust that person, don’t send your credentials via email or text, or over the phone.  Tell them verbally and quietly if you must tell them.
  • Don’t allow anyone to “fix” your computer.  A lot of scammers call up people and claim to be Microsoft, saying that a computer is infected and that it needs fixing.  Seriously; I go into an Apple store to ask them to fix something and they won’t without payment, so how likely is it for a big company to offer to fix your unknown problem for free?  My advice is to keep them talking for as long as possible, then hang up.  Or just hang up.

Finally, if you are using your computer and it starts acting strangely, SWITCH IT OFF.  Then get an IT pro to take a look.  A powered-off computer is a safe computer, remember that!
