THIS IS NOT AN OFFICIAL DOCUMENT OF THE UNIVERSITY OF BIRMINGHAM
OR THE SCHOOL OF COMPUTER SCIENCE. NEITHER THE UNIVERSITY NOR THE
SCHOOL HAS ENDORSED THE OPINIONS EXPRESSED HERE.
After circulating a version of the notes below to colleagues I thought I would make them
more widely available, in case they are of use to others. Maybe the following will be of
use to poor sods who have to use MSWindows and find their machines infected.
Ignore this if you never use Windows and never will.
Unless you are a Linux/Unix user and just want to gloat!
After writing this web page I noticed this news item on the BBC web site, which is about the problems described here: 'Boom year' for hi-tech criminals (BBC News Sunday, 28 December 2008)
What I learntMy wife uses an excellent Orienteering map-making package, OCAD, which runs only on Microsoft Windows, so she has to put up with Windows (XP) instead of Linux, which would be very much easier for me to look after, and along with Firefox, Thunderbird, and OpenOffice would meet all her needs apart from OCAD. But making orienteering maps, and using them for planning orienteering courses, etc., is one of the main things she uses her computer for, so she has to run Windows, alas. Since she is not interested in computers except as useful tools and does not wish to get into system administration I have to help her with problems running XP, upgrading software, etc. The one-eyed sometimes has to lead the blind. I am a windows novice (I dislike its interface so much for reasons given here, that I use it as little as possible). Tim Kovacs pointed out to me that Ocad8 works with Wine on linux. I may try that some day, though my wife is using Ocad9, and I am not sure she would feel comfortable switching between virtual operating systems. Recently it became clear that her machine, although it is behind our shared firewall, and has the highly recommended Kaspersky anti-virus package installed, with regular updates and regular scans, had become infected and was in the grip of some malware that popped up windows, mostly full screen, perporting to be "Internet Explorer" windows (although she never uses IE, only firefox, except for installing microsoft updates). The popup windows advertise various products, especially windows maintenance and protection products. Some of the intrusions report alleged system corruption that "urgently" needs to be fixed by clicking on a link, and various other advertisements, often related to what had been viewed recently on firefox. I assume that clicking where indicated on the panel (even a 'Cancel' button) will send a message somewhere, which may or may not do you harm. It may just get somebody advertising revenue. In our case there was no evidence of any harm done, apart from the nuisance value, which was very high. Asking Kaspersky to run a complete scan of the system produced no information, so I asked others for help. Since people on the Birmingham Linux User Group email list are very helpful and very knowledgable (many are professional software developers or maintainers) I asked them for help, as well people on our local department 'advice' email lsit. I received quite a lot of advice and help, but it still took many hours over about three days (including much late night work) to get the problem squashed. I am posting this web page in the hope that others can get help faster if they find it.
But the pop-ups continued: Spyware Doctor had failed.Very soon I learnt that there is a type of computer infection that has various names "malware", "adware", "spyware", "keyloggers" using "worms" and "trojans", distinguished from "viruses" because they do not replicate and spread themselves. For a useful introductory overview see this wikipedia article: http://en.wikipedia.org/wiki/Spyware Moreover, I also learnt that very large numbers of people have these infections and there are many requests for help in many online forums, often resulting in well-meant but inadequate advice being handed out. The problem seems to be escalating fast. So very many people need help, and of course, the suppliers of snake oil can make money out of those infected. One of the nasty things I discovered is that there are lots of web sites purporting to give expert technical information about the problem, or purporting to review removal software. The latter tend to list a few packages, give them star ratings and provide links, apparently on the basis of authoritative knowledge and 'extensive testing'. But details of the tests are not presented and many of the reviews seem to be nothing more than advertising sites which presumably get revenue every time a reader clicks on a link to one of the recommended packages. I doubt that many of them have the resources to do the extended comparisons required, including setting up infected machines and testing the several patterns of infection with different tools. I suspect all some of them do is read the suppliers' lists of features and reword what other reviewers have written. Another nasty thing is that all of the packages I learnt about offer free downloads and free scans, but nearly all of them fail to make clear that after doing a scan they can present you with a list of potentially serious infections and the option to neutralise them but only if you purchase a licence for the product. Even if the websites do mention that the free version merely does a scan none of these review sites, nor the most of the supplier web sites tell you how much it will cost you to use the product to deal with infections detected. So the gullible user downloads a product, invokes a scan and then is scared into buying a licence immediately, discovering only then how much it will cost. That happened to me with Pctools Spyware Doctor, which I had seen advertised by users on an email list who had used an older free version which provided both scans and removal (presumably to build up a reputation). It was also highly recommended in an apparently reputable publication. So after trying a free package (AVG Malware tool), which did a scan and removed what it found, but had no effect, since the annoying popups continued, I tried Spyware Doctor. It claimed to find two trojans and a collection of related files and offered to remove them provided that I purchased a licence. It did not state in advance what the cost would be: I learnt that only at a fairly late stage, and thought a cost of £29 for a one year subscription would be good value, since the tool seemed to find more than Kaspersky or AVG. I clicked on the disinfect button, and was pleased to see that it claimed success.
Towards the solution.Running the scan again, a few minutes later, showed that it reported exactly the same infections as before. I.e. either the claim to have removed them was fraudulent or, more likely, the package had found only a symptom not the cause of the problem. The cause was apparently somewhere else on the machine and quickly replaced the removed files. I also strongly dislike the subscription policy of PCtools: once you have purchased their software, they retain your credit card details and you will by default be charged for a renewal subscription after 12 months. Fortunately, an email complaint after purchase brought a reassurance that they would not charge me again without first asking me. But they did not assure me, as requested, that they would delete my credit card details from all their files. DO NOT BUY ANYTHING FROM THEM. The pop-ups apparently run internet explorer, even though IE was not being used on the machine -- only firefox and thunderbird, except for MS updates, which require IE.
Solving the problem (I think)The problem has finally been conquered, I think, but it seems to have required several different tools each fixing part of the problem. Fortunately the best ones seem to be available free, including one from Microsoft. (Some that used to be free now only give a free scan.) One option proposed was running XP in 'safe mode'. A colleague recommended running Bart PE for this purpose. http://www.nu2.nu/pebuilder/ Kaspersky (who provide our virus checker) also recommend the PEbuilder and provide a script for using it to build a system restore tool that includes Kaspersky stuff. I built bootable CDs with and without the Kaspersky extras included, but it turned out that I did not need to use either (not that I would have known what to do once I had booted in safe mode. I am not a windows user -- and don't want to learn how to be one ....) After wasting money on Spy Doctor I did not wish to try any other of the plethora of 'highly recommended' packages that allow you a free download and free scan -- then require you to pay in order to fix what is found by the scan. The free AVG malware tool found one thing and removed it, but that made no difference to the adverts popping up (apparently launching internet explorer to do so). So as a first step I strengthened the protection level of our installed Kaspersky package by selecting more of the options beyond the recommended default settings that had previously been running. That had the effect of constantly producing Kaspersky popups saying one thing was trying to do something to another. Eventually I learnt that most of them were harmless and selected the option to add new 'exclusion rules' for those modules, though sometimes the program names or module names gave me no clue as to whether they were harmless or not. This may have helped fight the self-regeneration of the malware after some of their files had been removed: I really don't know. But they really should provide a popup that helps naive users (like me) take informed decisions. In fact they should give a recommended decision, e.g. if the software triggering the event is a known package, then add it to the 'allow' database.
Continuing defence -- and its annoyancesEventually, after a lot of searching, and a failed attempt to get microsoft Defender to run (it claimed I did not have a genuine version of XP, even though I bought XP with the machine), I discovered a new free version of a microsoft package that could be run from firefox, 'onecare live' (linked from a microsoft web site): http://onecare.live.com/site/en-US/default.htm [Apparently it used to be available only at a cost but was recently made available free.] That scanned the whole computer, took a long time, found a lot of suspect items that Kaspersky AVG, and Spyware Doctor had failed to find, and gave me the choice whether to fix each of them. Since I did not understand most of the options I chose them all anyway, and the popups seemed to become a lot less frequent after that. After that, I ran the free Microsoft Malicious Software Removal Tool suggested by a colleage, available from Microsoft windows-kb890830-v2.5.exe It also took a long time, but found nothing new. Perhaps it uses the same rules as the "Onecare live" package, which had already removed what it had found? But there still seemed to be problems. E.g. after rebooting I got panels coming up complaining about not finding two of the .dll files that had been removed, (harivisa.dll and jotejiho.dll). I felt something was trying to restart malware. After more googling I stumbled across this: Malwarebytes' Anti-Malware (MBAM) http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html http://www.malwarebytes.org/mbam.php Unlike most of the others, it tells you there's a free version (for personal use only) that will find AND fix a class of problems. It tells you the cost of the full licence in advance (only US$24 -- quite a lot less than the others I looked at). The full version of mbam has a one time fee instead of an annual fee like the others. On CNET there were lots of very favourable reviews of that package: more than I had seen for any other malware tool. Most of the others had only reviews that seemed to be disguised adverts for a group of tools. I let mbam do a full scan, and it found several more things to remove, including suspicious browser cookies. (It divided them into different classes, making it easy to select the ad-related ones to remove.) After that, rebooting no longer brought up the requests for missing .dll files, and everything works as intended, and booting is faster. So I assume that the problem was solved, and in our case required only two totally free tools: The "Onecare live" package Malwarebytes' Anti-Malware (MBAM) Of course, you may need something different! But I suggest you try these before any others. However, I suspect that the solution may have been partly a result of strengthening the level of proactive defence by Kaspersky, which may have prevented some residual, still undetected, piece of malware from doing its stuff.
Why do Linux users suffer less than Windows users?I assume I shall have to run the above two scanners at regular intervals. I have left Kaspersky's proactive defence mechanism running, which includes a registry guard, suspicious activity detector and intrusion guard. The annoying thing about that is that it keeps detecting things and asking whether to allow them or not, and whether to change the rules to allow them permanently -- without giving enough information for a novice to decide what to allow. So I had to guess that most of them were safe and could be allowed permanently. So the Kaspersky popups are now very infrequent. I had to turn off Kaspersky's web traffic monitoring as it had a huge impact on speed of browsing, though it still scans incoming and outgoing mail. How was the machine originally infected I wonder? We have a communal firewall on our router, and I had hoped that plus the Kaspersky system would be enough. Apparently not. Perhaps I should have upgraded Firefox to version 3 earlier -- I waited till a few weeks ago as I wanted to make sure it was stable enough for my wife, a non-expert, who is annoyed by changes in the software she uses. The way Firefox handles suspect certificates is really unhelpful for a novice who needs to accept some things and reject others but doesn't know how to distinguish them. The popup should give more positive hints as to how to decide whether to accept or not, instead of recklessly terrifying everyone about everything. (No doubt the people who designed that piece of software felt they were contributing to improved security. They did not consider what would happen once people learnt the procedure to allow something they knew was safe and really wanted. Good software designers also need to be good psychologists, but programmers rarely are.) IE now seems to have copied that unfortunate behaviour. I hope this information is of use to someone.
It is often said that the main reason why linux does not have so many problems is that it is much less widely used, so that it's not worth while hackers attacking it. I suspect another reason is that from the very start unix was designed as a multi-user system (e.g. we had simultaneous users running on a DEC PDP11/40 with unix in 1976 at Sussex university) so that a privilege structure was there from the beginning, although it has never been as sophisticated as the one in VMS (which offers far more levels of privilege) and some earlier operating systems, e.g. ICL george 4, multics. Two crucial things on unix/linux are: an ordinary user cannot accidentally allow system files to be changed (e.g. without using sudo), and an ordinary user does not need to be superuser to install a runnable program -- which does not have full system privileges. So people can install minor goodies without requiring administrator privileges. It took Microsoft around two decades to understand that just because a PC allows one user at a time (unlike unix/linux machines that allow multiple logins) it does not follow that it is a single user machine. In schools, in businesses and in homes, each PC could be used by different people at different times, with different needs, and different levels and kinds of expertise. So from the start, or soon after, security should have been a major consideration in Windows. They should have learnt from unix and later linux. If they had not been associated with IBM in the early days, nobody would have taken their junk seriously. Of course, they did eventually learn, after disastrous results of connecting millions of poorly designed PCs to the internet which they failed to understand. Later they managed to employ some really intelligent people after they became really rich. But those people had to struggle to improve a really terrible system. It was a heroic struggle, with notable results, but I suspect millions of users still have to live with consequences of the poor initial design. Of course, MacOS is essentially unix/linux.
School of Computer Science
The University of Birmingham
With thanks to Alison, for her forbearance and patience, and thanks to all who sent me suggestions.