Yesterday night I got my first malware infection from the Internet. Here’s what happened, step by step:
- I was reading a discussion on LinkedIn, trying to get user opinions on a particular ISP in Poland.
- Some user had posted a link to a website which maintains a ranking of Polish ISPs. I followed it.
- I was transported to a pretty normal-looking website with information on ISPs, user ratings, etc. (I’m not going to post the link here, but I did report it to Google and BadwareBusters.)
- Soon after I started reading the page, I noticed that my browser (Firefox) started downloading some PDF file. I attempted to cancel the download, but the file was small, so I didn’t manage to do it in time.
- The file automatically opened in Adobe Reader 8.2, my PDF viewer of choice (more on that later).
- A few seconds later, I was greeted with this:
This wasn’t just one of those annoying popups that you can simply close. My PC was completely taken over by “Live Security Platinum”, which, as I later found out, is a fake antivirus that tries to convince you that your computer is infected with a bazillion viruses and to get you to pay for the “full version” of the “software”. It adds itself to the Windows Registry, sends unknown data over the network, keeps displaying annoying balloons in the notification area, and when you run Task Manager, it immediately closes it so you can’t kill it. It also reconfigures your proxy settings to keep you from running Google searches to find a solution and prevents you from running certain antivirus applications. Most annoyingly, it permanently removes several crucial Windows services like Windows Update.
Lessons learned / Advice
- It’s quite possible to get your PC infected just by browsing the Web – even if you never click on any suspicious links, download suspicious software, or visit shady websites. (Incidentally, I had visited tons of what would be considered shady websites before – be they porn sites, hacking sites, pirate sites – you name it, I’ve been there – and never got infected. Go figure.)
- Disable all the plugins that are not absolutely necessary. You may need Flash, but do you really need Quicktime, Silverlight, Java and Adobe Reader? (Remember that plugins can be temporarily re-enabled as needed.) Each plugin is one additional way for malware to gain control over your PC. All it takes is a plugin that hasn’t been updated recently and a malicious (or simply hacked) website that redirects you to a cleverly written Flash animation, Java applet, video clip or PDF document.
- If you have to use a plugin, at least make sure it gets updated regularly. Don’t ignore those Flash updates!
- Make sure your browser doesn’t automatically open files in external applications, especially popular and rarely updated applications. With automatic opening of files, a web page can easily make your browser download a file and then immediately open it in an external application. If that external application has a security hole, it could allow the attacker to install malware on your system. Set up your browser to always ask you before opening a file. (In Firefox, you can change the behavior in Options|Applications.)
Why the hell were you using Adobe Reader?
Well, I had been using FoxIt Reader, but I switched to Adobe because FoxIt occasionally had difficulty rendering PDF files.
Why were you using such an old version of Adobe Reader?
Because it worked faster than the newer versions. I guess I didn’t think of the fact that old Adobe Reader versions have vulnerabilities that could be exploited by a website I visit.
How did you remove Live Security Platinum from your computer?
Well, it wasn’t easy. When I typed “live security platinum remove” into Google, all I got was a ton of shady-looking keyword-stuffed sites, all of which tried to get me to purchase or at least download some malware removal software. I literally couldn’t find a single reputable-looking resource on the topic. Not a word from McAfee, Kaspersky or Avast. How was I to know that some app called MalwareRemover or TrojanKiller wasn’t going to mess up my system even more?
In the end, I followed the manual removal instructions given here (near the bottom of the page). That way, at least I could verify each step separately.
Once the malware was removed, I was in for a nasty surprise. Live Security Platinum had removed a number of crucial Windows services like Windows Firewall and Windows Update. By “removed”, I don’t mean that it simply disabled them – I mean that they did not even appear in the Services console. How do you reinstall a basic Windows component? I decided that the simplest way out was to use System Restore to bring my system back to the state it was in 4 days earlier. Thank goodness I had a restore point that I could use.
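A triage script for the symptoms described above (the removed services, the Task Manager that closes immediately, the reconfigured proxy, and the Registry persistence), added here as an example and not part of the original post. The service names and the "user-writable path" heuristic for Run entries are my assumptions for a Windows 7-era machine; run it from an elevated PowerShell prompt.

```powershell
# Added triage check (not from the original post). Looks for the traces a fake
# antivirus like the one described leaves behind. Service names and the path
# heuristic below are assumptions, not indicators taken from the post.
$findings = @()

# 1. Crucial services the post says were removed outright, not merely disabled.
#    wuauserv = Windows Update, MpsSvc = Windows Firewall (Vista and later).
foreach ($svc in 'wuauserv', 'MpsSvc', 'BITS', 'WinDefend') {
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    if (-not $s) { $findings += "Service '$svc' is missing from the Services database" }
    elseif ($s.StartMode -eq 'Disabled') { $findings += "Service '$svc' is disabled" }
}

# 2. Task Manager blocked by policy (the usual reason it closes as soon as it opens).
$polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'DisableTaskMgr policy is set' }

# 3. Proxy reconfiguration used to keep the victim from searching for help.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }

# 4. Persistence: Run entries that launch from user-writable locations
#    (ProgramData, AppData, Temp) rather than Program Files or Windows.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $cmd = [string]$p.Value
        if ($cmd -match '\\(ProgramData|AppData|Temp)\\') {
            $findings += "Run entry '$($p.Name)' launches from a user-writable path: $cmd"
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

A missing service (as opposed to a disabled one) is the case that needs System Restore or a repair install, which is why the script reports the two separately.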