Last night I got my first malware infection from the Internet. Here’s what happened, step by step:
- I was reading a discussion on LinkedIn, trying to get user opinions on a particular ISP in Poland.
- Some user had posted a link to a website which maintains a ranking of Polish ISPs. I followed it.
- I was transported to a pretty normal-looking website with information on ISPs, user ratings, etc. (I’m not going to post the link here, but I did report it to Google and BadwareBusters.)
- Soon after I started reading the page, I noticed that my browser (Firefox) started downloading some PDF file. I attempted to cancel the download, but the file was small, so I didn’t manage to do it in time.
- The file automatically opened in Adobe Reader 8.2, my PDF viewer of choice. (more on that later)
- A few seconds later, I was greeted with this:
This wasn’t just one of those annoying popups that you can simply close. My PC was completely taken over by “Live Security Platinum”, which, as I later found out, is a fake antivirus which tries to convince you that your computer is infected with a bazillion viruses and get you to pay for the “full version” of the “software”. It adds itself to the Windows Registry, sends unknown data over the network, keeps displaying annoying balloons in the notification area, and when you run Task Manager, it immediately closes it so you can’t kill it. It also reconfigures your proxy settings to keep you from running Google searches to find a solution and prevents you from running certain antivirus applications. Most annoyingly, it permanently removes several crucial Windows services like Windows Update.
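The behaviours listed above (a Registry auto-start entry, a hijacked proxy, and core services that are gone rather than disabled) are the kind of thing you can check for systematically. The script below is an added example, not part of the original post: it runs three checks over a host snapshot. The snapshot itself is constructed for illustration (the `4E1F2A` entry and the proxy port are invented), but the Registry paths and the service names `wuauserv` (Windows Update) and `MpsSvc` (Windows Firewall) are the real ones; on a live machine the same dicts would be filled from `reg query` / `sc query` output.

```python
import re

# Auto-start keys consulted at logon (real Registry paths).
RUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Core services the post says were removed, by real service name.
CORE_SERVICES = {"wuauserv": "Windows Update", "MpsSvc": "Windows Firewall"}

# Directories a legitimate auto-start entry rarely runs from.
SUSPICIOUS_DIRS = re.compile(r"\\(AppData\\Local\\Temp|ProgramData|Users\\Public)\\", re.I)


def check_run_keys(run_entries):
    """run_entries: {key_path: {value_name: command}} -> findings for entries
    launched from scratch/data directories."""
    findings = []
    for key, values in run_entries.items():
        for name, cmd in values.items():
            if SUSPICIOUS_DIRS.search(cmd):
                findings.append(f"persistence: {key}\\{name} -> {cmd}")
    return findings


def check_proxy(internet_settings):
    """internet_settings: values under HKCU\\...\\Internet Settings.
    A proxy pointing back at the local machine is how a fake AV filters browsing."""
    if not internet_settings.get("ProxyEnable"):
        return []
    server = internet_settings.get("ProxyServer", "")
    if re.search(r"(127\.0\.0\.1|localhost)", server):
        return [f"proxy hijack: ProxyEnable=1, ProxyServer={server}"]
    return [f"review: proxy enabled, ProxyServer={server}"]


def check_services(installed):
    """installed: set of service names present in the Service Control Manager.
    A missing core service is the 'removed, not just disabled' symptom."""
    return [f"missing service: {name} ({desc})"
            for name, desc in CORE_SERVICES.items() if name not in installed]


def triage(snapshot):
    """Run all three checks and return the combined findings list."""
    return (check_run_keys(snapshot["run"])
            + check_proxy(snapshot["internet_settings"])
            + check_services(snapshot["services"]))


# CONSTRUCTED snapshot: one benign and one suspicious Run entry, a local proxy,
# and a service list from which wuauserv is absent.
SNAPSHOT = {
    "run": {
        RUN_KEYS[0]: {
            "Adobe ARM": r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
            "4E1F2A": r"C:\ProgramData\4E1F2A\4E1F2A.exe",  # invented fake-AV style entry
        },
        RUN_KEYS[1]: {"NvCplDaemon": r"C:\Windows\system32\NvCpl.dll"},
    },
    "internet_settings": {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:27001"},
    "services": {"BITS", "Dnscache", "EventLog", "MpsSvc"},
}

if __name__ == "__main__":
    for finding in triage(SNAPSHOT):
        print(finding)
```

On the constructed snapshot this reports one persistence entry, the proxy hijack, and the missing Windows Update service. Exporting the real values (the Run keys, `ProxyEnable`/`ProxyServer`, and the installed service list) before and after a cleanup gives you a concrete way to confirm what a removal guide actually fixed.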
Lessons learned / Advice
- It’s quite possible to get your PC infected just by browsing the Web – even if you never click on any suspicious links, download suspicious software, or visit shady websites. (Incidentally, I had visited tons of what would be considered shady websites before – be they porn sites, hacking sites, pirate sites – you name it, I’ve been there – and never got infected. Go figure.)
- Disable all the plugins that are not absolutely necessary. You may need Flash, but do you really need QuickTime, Silverlight, Java and Adobe Reader? (Remember that plugins can be temporarily re-enabled as needed.) Each plugin is one additional way for malware to gain control over your PC. All it takes is a plugin that hasn’t been updated recently and a malicious (or simply hacked) website that redirects you to a cleverly written Flash animation, Java applet, video clip or PDF document.
- Disable Adobe Reader and replace it with a built-in PDF viewer (both Chrome and Firefox have one). If you can’t do that, at least replace it with a less popular viewer like FoxIt Reader (less popular software is safer because the bad guys always focus on software with the largest user base).
- If you have to use a plugin, at least make sure it gets updated regularly. Don’t ignore those Flash updates!
- Make sure your browser doesn’t automatically open files in external applications, especially popular and rarely updated applications. With automatic opening of files, a web page can easily make your browser download a file and then immediately open it in an external application. If that external application has a security hole, it could allow the attacker to install malware on your system. Set up your browser to always ask you before opening a file. (In Firefox, you can change the behavior in Options|Applications.)
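The Options|Applications choices in Firefox are stored in the profile (in 2012 as mimeTypes.rdf, in current versions as handlers.json), so the "always ask" setting can be audited rather than clicked through by hand. The following is an added example, not code from the original post or from Mozilla: it reads the handlers.json layout as I understand it (a "mimeTypes" map whose entries carry an "action" code from the nsIHandlerInfo constants and an "ask" flag), lists every type that would be handed to an external program without a prompt, and produces a hardened copy. The sample profile data is constructed for illustration.

```python
import copy
import json

# nsIHandlerInfo action codes as stored in handlers.json (assumption: current Firefox).
SAVE_TO_DISK, ALWAYS_ASK, USE_HELPER_APP, HANDLE_INTERNALLY, USE_SYSTEM_DEFAULT = range(5)
# Both of these launch a program outside the browser.
EXTERNAL = {USE_HELPER_APP, USE_SYSTEM_DEFAULT}


def silent_external_handlers(handlers):
    """Return the MIME types that open in an external application without asking.
    A missing "ask" key is treated as "don't ask" (conservative for an audit)."""
    out = []
    for mime, info in handlers.get("mimeTypes", {}).items():
        if info.get("action") in EXTERNAL and not info.get("ask", False):
            out.append(mime)
    return sorted(out)


def harden(handlers):
    """Return a copy in which every silent external handler is set to 'always ask'.
    The input is left untouched so the original file can be kept as a backup."""
    fixed = copy.deepcopy(handlers)
    for mime in silent_external_handlers(fixed):
        fixed["mimeTypes"][mime]["action"] = ALWAYS_ASK
        fixed["mimeTypes"][mime]["ask"] = True
    return fixed


def audit_file(path):
    """Convenience wrapper for a real profile: audit the handlers.json at `path`."""
    with open(path, encoding="utf-8") as fh:
        return silent_external_handlers(json.load(fh))


# CONSTRUCTED sample: PDF goes straight to an external reader (the post's scenario),
# QuickTime uses the system default with no "ask" flag, the rest are safe.
SAMPLE_HANDLERS_JSON = """{
  "defaultHandlersVersion": {"en-US": 5},
  "mimeTypes": {
    "application/pdf": {"action": 2, "ask": false, "extensions": ["pdf"],
                        "handlers": [{"name": "Adobe Reader", "path": "C:\\\\Program Files\\\\Adobe\\\\Reader 8.0\\\\Reader\\\\AcroRd32.exe"}]},
    "application/x-shockwave-flash": {"action": 3, "ask": false, "extensions": ["swf"]},
    "text/plain": {"action": 0, "ask": false, "extensions": ["txt"]},
    "application/zip": {"action": 4, "ask": true, "extensions": ["zip"]},
    "video/quicktime": {"action": 4, "extensions": ["mov"]}
  },
  "schemes": {}
}"""
SAMPLE_HANDLERS = json.loads(SAMPLE_HANDLERS_JSON)

if __name__ == "__main__":
    print("silent external handlers:", silent_external_handlers(SAMPLE_HANDLERS))
    print("after hardening:", silent_external_handlers(harden(SAMPLE_HANDLERS)))
```

`harden()` writes nothing itself; dump its result with `json.dump` over a copy of the profile file while Firefox is closed, and re-run the audit afterwards to confirm that the list is empty.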
FAQ
Why the hell were you using Adobe Reader?
Well, I had been using FoxIt Reader, but I switched to Adobe because FoxIt occasionally had difficulty rendering PDF files.
Why were you using such an old version of Adobe Reader?
Because it worked faster than the newer versions. I guess I didn’t think of the fact that old Adobe Reader versions have vulnerabilities that could be exploited by a website I visit.
How did you remove Live Security Platinum from your computer?
Well, it wasn’t easy. When I typed “live security platinum remove” into Google, all I got was a ton of shady-looking keyword-stuffed sites, all of which tried to get me to purchase or at least download some malware removal software. I literally couldn’t find a single reputable-looking resource on the topic. Not a word from McAfee, Kaspersky or Avast. How was I to know that some app called MalwareRemover or TrojanKiller wasn’t going to mess up my system even more?
In the end, I followed the manual removal instructions given here (near the bottom of the page). That way, at least I could verify each step separately.
Once the malware was removed, I was in for a nasty surprise. Live Security Platinum had removed a number of crucial Windows services like Windows Firewall and Windows Update. By “removed”, I don’t mean that it simply disabled them – I mean that they did not even appear in the Services console. How do you reinstall a basic Windows component? I decided that the simplest way out was to use System Restore to bring my system back to the state it was in 4 days earlier. Thank goodness I had a restore point that I could use.
anon Aug 4, 2012 at 3:32 am
Browsing didn’t infect you. MickeySloth’s desire to have everything happen for you “automatically” is what infected you. Had your browser not “helpfully” opened the downloaded .pdf automatically in adobe reader, you’d never have been infected.
Jesse Aug 4, 2012 at 4:36 am
You should not be afraid of browser plugins. Rather, you should be afraid of running internet-facing applications (web browsers, instant messengers, email clients, etc.) with administrator privileges. To improve the security of your computer, read and use the information here: http://www.symantec.com/connect/articles/reducing-browser-privileges
Jacek Aug 4, 2012 at 8:00 am
After an infection like this you can never be sure if there isn’t some rootkit left in your system. Many security experts recommend reinstalling the operating system and starting over from scratch after getting compromised.
Tomasz Aug 4, 2012 at 2:52 pm
Yeah, I’m still a bit worried. But I used System Restore and checked my system with GMER, which is supposed to be very good.
nuclearivan Aug 9, 2012 at 10:38 am
You know you can always opt for doing all your browsing through a virtual environment. You can run any internet browser of your choice in the OS you like, hassle-free, and if you’re using the seamless mode it will essentially look and act as a separate window. But this way, even if things get nasty while surfing the web, you can rest assured some virus shit won’t fuck up your main OS. Plus it’s relatively easy to back up stuff. Personally I’m running a Linux Mint copy using a fine piece of software called VirtualBox, and my default OS is Win7.
latinsud2 Aug 28, 2012 at 10:05 pm
That’s why Chrome warns you before using Java or PDF.