Imagine my surprise when, recently, several bits of malware, including a backdoor/trojan, infected one of my Windows machines. It was entirely my own fault since, in a rush to get a job done, I opened an unfamiliar site without taking any precautions.
I knew immediately that something had gone terribly wrong, although I wasn't quite certain what had actually occurred. It involved Adobe software and I had gotten complacent about compatibility errors because I was not current to the latest version of Acrobat Reader. It was about an hour later that I knew what had happened and that my day was about to be ruined. Afterward, when I reverse engineered the sequence of events that led to the infection, I was able to discern just how the exploit worked. It's interesting in a way so let me take you on a brief tour of the steps.
- The server with the news story I wanted to read had been compromised to serve files that contained the malware.
- The infected file was given a .pdf extension so that it called up the Acrobat Reader browser plug-in to process it.
- The old version of Acrobat Reader has a security hole that allows remote execution of unvetted code.
- Several pieces of malware were installed using this security hole, including at least one that it subsequently downloaded from a server that hosted malware.
- The malware started running and phoning home, doing who knows what. I stopped this immediately by stopping the processes and disconnecting from the internet. Unfortunately, the malware kept starting up again. This is pretty typical.
It took a bit of digging, but it was possible to find and excise most of the malware components using nothing other than file searches. Where I hit a wall was inside that pit of obscurity, the Windows registry. I knew the malware was still hiding in there, able to reactivate itself, but I could do little with the regedit tool without special knowledge. This step required one of those freeware tools for finding and surgically removing malware from the registry.
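The registry locations that let a program "reactivate itself" at every logon are a small, well-known set, and they can be inspected without a third-party tool. The script below is an added example written for this post, not the author's procedure and not the freeware tool he used; it assumes the standard Run and RunOnce keys under HKLM and HKCU as the autostart locations, and the list of "suspicious" directories and the unsigned-file check are a constructed triage heuristic, not a verdict on any entry.

```powershell
# Added example, not from the original post: list the classic Windows autostart
# registry entries and flag the ones a person doing manual triage would look at
# first. Assumptions: the four Run/RunOnce keys below are the autostart locations
# of interest; the directory list is a constructed heuristic. Run from an
# elevated PowerShell prompt so the HKLM keys are fully readable.

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories from which legitimately installed autostart programs rarely run
# (constructed heuristic; a hit means "look closer", not "malicious").
$suspiciousDirs = @($env:TEMP, $env:PUBLIC)

function Get-ExecutablePath {
    param([string]$Command)
    # Reduce a command line such as  "C:\dir\app.exe" /silent  to  C:\dir\app.exe
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$findings = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider bookkeeping properties that Get-ItemProperty adds.
        if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }

        $exe     = Get-ExecutablePath ([string]$prop.Value)
        $exePath = [Environment]::ExpandEnvironmentVariables($exe)
        $flags   = @()

        # An entry whose target no longer exists is leftover from something
        # already removed, or from a removal that missed the registry half.
        $exists = Test-Path -LiteralPath $exePath
        if (-not $exists) { $flags += 'missing-file' }

        foreach ($dir in $suspiciousDirs) {
            if ($dir -and $exePath.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                $flags += 'temp-location'
            }
        }

        # Lack of a valid Authenticode signature is common for small utilities,
        # so treat this as a prompt to check the file, not as proof of anything.
        if ($exists -and (Get-AuthenticodeSignature -FilePath $exePath).Status -ne 'Valid') {
            $flags += 'unsigned'
        }

        [PSCustomObject]@{
            Key     = $key
            Name    = $prop.Name
            Command = $prop.Value
            Flags   = ($flags -join ',')
        }
    }
}

# Entries with the most flags sort to the top; an empty Flags column means the
# target exists, lives outside the listed directories and carries a valid signature.
$findings | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Services and scheduled tasks are further autostart mechanisms not covered by these four keys, so an empty report here does not by itself mean a machine is clean; it does, however, turn the opaque part of regedit into a short list that can be checked entry by entry.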
One tool that is absolutely useless in this regard is Microsoft's own MSRT software (Malicious Software Removal Tool). Never in my experience has MSRT found malware on my computers; it can identify only a small number of malware variants, and seemingly never those that are actually circulating.
In any event, the malware tool I selected had no trouble finding and repairing every infected registry entry, and even located an infected file that my own efforts had missed. That PC once again has a clean bill of health and is humming along ever so quietly, undisturbed by uninvited software.
It just goes to show that even someone with software expertise and safe computing practices can fall victim to malware. The many benefits of the internet are not enjoyed without continued vigilance against its bad actors.