Security Fix Live
Friday, November 20, 2009; 11:00 AM
Security Fix blogger Brian Krebs was online Friday, Nov. 20, at 11 a.m. ET to answer your personal technology questions and offer ways to protect yourself from online security threats.
Brian, who considers himself a well-rounded geek, can also field queries about broader technical topics, such as mobile banking, online and location-based privacy, as well as social networking and tech policy issues.
Brian Krebs: Good morning, dear Security Fix fans, and welcome to Security Fix Live! Good crowd today, so I'll jump right into the questions in a second, but first -- the obligatory plea: For those of you who haven't already submitted questions, please folks give me a clue or two about your basic setup, such as operating system (Windows/OS X), version (XP, Vista, W7, etc), any installed security software, browser o'choice...you get the drift. Be as specific as you can. That will increase the likelihood of my dishing out the most accurate response/advice. With that....ONWARDS!
Washington, D.C.: What has been your impression of Windows 7 so far? The GUI looks clean, and its embedded 64 bit DEP is considered a strong deterrent to malware...
Brian Krebs: W7 is definitely clean and pretty. The coolest part of the interface in my opinion is the taskbar, which shows you the entire window of an open program when you merely hover over its icon in the taskbar. This is even cooler if you have multiple monitors. I don't like how MS has once again moved around the location of various system settings. I've probably spent a small portion of my time since I've upgraded on actually looking for system settings or folders, although the improved system search function usually does the trick pretty quickly.
MS has done some serious work to make W7 the most hardened operating system it has ever built, and I think they have done a very good job of that. Not saying the OS will be impervious to malware: No OS is, and W7 is far from perfect. But from where I sit it's about making it harder for a regular user to do the wrong thing. W7 seems a bit less annoying in the notification department, and in any event users can now control that to some degree. I'm hoping, however, that users simply don't turn off, user account control, because for most regular users that's a big part of the security on W7. Other improvements, as you suggest, with things like 64-bit data execution prevention and memory randomization go a *long* way toward making it less likely that the usual Windows exploits will work on Windows 7.
Eugene, Ore.: Brian, Yahoo mail scans incoming attachments for viruses. Is there malware out there that can still slip past their scans and foul up my computer?
Also, years ago we were warned not to enable graphics to be seen in our incoming email, due to transparent gifs or something. Is that still an effective remedy for....whatever?
Thanks for the chats!
Brian Krebs: An effective defense involves maintaining several layers of security, and not counting on any one of them alone to save your bacon. I'm not familiar with the exact setup Yahoo uses to scan incoming malware, but it's probably not too different from what you would use if you were to scan it yourself: a single anti-virus product that may or may not be able to detect the latest malware out there.
My advice about enabling graphics in email still stands: I don't think it's a great idea. For one thing, HTML/Web code embedded in e-mails can give the sender lots of information about you, such as whether and when you opened the email, how long you looked at it, whether you forwarded it on. Then there are considerations that allowing HTML code to render automatically in e-mail also allows any embedded scripts to run as well, and these could include instructions to pull down malware from a third-party site.
Lots of people will argue with my advice on this, and that's fine. And it's true -- using Webmail sometimes makes it awkward to take the Web out of the mail, although most Webmail providers have a setting that lets you turn off HTML and/or just read your mail in plain text. Obviously, some emails sent by companies you already have a business relationship simply won't display properly without allowing HTML, but most email providers will allow you to view HTML images after the fact, or creating a whitelist of senders allowed to send HTML mail by default.
I hope that helps.
Wintersville, Ohio:Brain, I am using Microsoft's Security Essentials anti-whatever on an eMachine with Windows 7 Home Premium. I have it set to scan the hard drive daily. If I need to do an on-demand scan of a file while the daily scan is in progress I am not sure what happens. I right click on the file and select Scan with MSE. The MSE window pops up, shows its progress with the hard drive scan but leaves me wondering if it has scanned the lone file. Do you know if it scans the file immediately, puts it at the end of the line or just ignores the on-demand request? When it is not scanning the whole drive the on-demand request is met promptly with a window telling me the file has been scanned and gives a report. I cannot see any way to pause the whole drive scan to do just the single file.
Brian Krebs: When I tried what you just explained, MSE told me that another scan was in progress, and to wait until the full system scan was finished.
People often ask what the difference between free and pay anti-virus software is and whether AV software that is not free is any better in detecting malware than its free alternatives. Here's a good example of that difference: There are a lot fewer features, options, and configuration settings in free AV software, generally speaking (AVAST's excellent free offering may be among the top exceptions here).
By default, MSE I believe is set to scan at 2 a.m. local time. If you have changed that setting, maybe the thing to do is change it back to an early morning hour.
Princeton, N.J.: I'm concerned about the trustworthiness of the hardware and components in any computer I buy. Is there any way I can be certain my computer has not been breached at that stage? And in the basic operating software that is initially installed?
Brian Krebs: What you're asking is a very hard thing to verify. If someone at a factory in China that makes microchips wants to build a backdoor or malware into a component that gets put into a computer that's sold later at a big box retailer, there's little if anything you could do to detect that. There is probably precious little that securiity software or even top security experts could do to detect such a fundamnetal compromise. Same goes with the operating system: If it somehow shipped in a compromised state, you'd be hard-pressed to ever find out about it.
I'm sorry, I realize that probably doesn't make you feel any better, but I'm just trying to answer your question honestly.
Bethesda, Md.: Submitting early. One of our home laptops was infected with a virus that automatically went to sexually explicit websites. We think it is cleared off now. But how do we make sure that the laptop is not a part of bot-net i.e. each stroke is being recorded and monitored by someone. I'm not a computer expert so a remedy in simplistic terms will be greatly appreciated.
Brian Krebs: How do you make SURE? The only way I know of to make sure is to back up your data and nuke the system, starting over again with a fresh install. I realize this is not the most convenient thing to do, but it is the best way to be sure you have completely eradicated an infection. Plenty of people will quibble and say, oh, that's overkill, you can download such and such software to get rid of threats, and you'll be fine. Maybe. But you asked how to be sure.
If you ask a computer professional, someone who gets paid to clean systems, they will tell you the same thing: back up your data, find your installation disk, start over, patch it after install, get your programs back on there.
Arlington, Va.: I enjoy the Security Fix blog. You have had some recent horror stories in the blog. For example, businesses that lost money from their bank accounts because of spyware that got into their systems. Every time I read one of those stories I wonder what kind of web sites these people have been visiting that they downloaded such malware. I have never heard someone say "I was on washingtonpost.com the other night and my computer is ruined because of malware I got from the site."
I currently use XP (fully updated), Windows firewall, Avast!, Firefox no script. I have been using the internet on a daily basis for more than a dozen years and have never had a significant problem with viruses or malware. Would you say I have just been lucky or is it more because I only visit safe sites?
Brian Krebs: Thanks for the kind words. I would say you have had some good luck, but it's probably more due to the fact that you pay attention to the risks, have taken some sensible precautions, and are using your head. That combination is sufficient to keep most folks out of trouble. It's often only when you let your guard down or do something stupid that flies in the face of the best advice that trouble finds you, such as (1) downloading software of dubious origin, failing to update browser plug-ins, or 2) updating them from anywhere but the original source (see item no. 1).
Noscript (and its cousin, Request Policy) may not be for grandma, or for people who can't be bothered to approve scripts on a per-site basis -- and I get that, I really do. But it is awfully effective at blocking Web based malware attacks (for example, are you likely -- when browsing to a site -- approve a blocked script that says allow 69.243.x.x? I hope not. That's what you'd see most times if there were a malicious script injected into a hacked Web page.).
Faceville, Ga.: I use Hughes for the Internet and with their Fair Access Policy I am severely limited on large downloads. What program can I use that will schedule downloads in the early morning when they have a free download period?
Brian Krebs: What downloads are you talking about? Anti-virus updates? Microsoft Updates? Both should have options to let you choose when the default download times are, although bear in mind that most AV software now is designed to download updates multiple times throughout the day in order to stay up to date, so that may not be the best approach there.
Are your downloads metered or do they cost more depending on the time of day you download? If not, what difference does it make when you download stuff?
Venice, Fla.: Recently when my computer (running Windows XP) starts up, there is a box in mid screen showing that a because of an error , module wind/32 Rundll morugawe.dll can not be loaded. There is a very large X along with this in addition to the normal x in the corner of the box along with a small ok box. Also on my area indicating normal programs used daily such as Internet Explorer,etc., there is a box "RUNDLL" I know that this is a virus but do not know how to get rid of it without clicking on it and thereby installing it on my computer. Although, it must already be on the computer because when I put it on power dawn it indicates that there is one program runnung. My normal McAfee scan and update installations have not corrected it. I can't find this on the Microsoft web site, although it is addressed on Google sites but I don't know which ones of those to trust. Hope that this is not too wordy and that you can help me. Thanks.
Brian Krebs: Ack.
You have a nasty Trojan (or at least a core component of it left behind that McAfee couldnt' fully remove) called Virtumonde, a.k.a Vundu. This sucker has been around in a millioni forms for many years, and is quite tenacious.
Self-help forums are your best bet for this. In fact, one of my favorites -- BleepingComputer.com -- has an entire how-to page on removing this bugger, complete with instructions and links to the necessary removal tools. Check it out
. Follow those instructions, and you should be good.
Washington, D.C.: I have a comcast hgigh speed internet line and use non-wireless hookup only. Can this be hacked by others in my apt bldg or anyone else? I use a Mac.
Brian Krebs: Other customers on your local network segment may be able to see basic "hello, I'm here" type requests that your computer makes across the cable provider's network, but that's about it. You should make sure that the Mac's built-in firewall is switched on. Rest easy.
Livingston, NJ: I receive messages in one of my Yahoo mail accounts that are purportedly from me but are fraudulent. I have asked Yahoo to fix the problem but they do not seem to be able to do it. My account at MSN works fine, as does another account I have at Yahoo. I use up-to-date malware protection on both XP and Vista and they give me a clean bill of health. I have heard from no one that they have received spam from me. Is my computer infected or is the problem at Yahoo?
Brian Krebs: I suspect one of two things has happened. Someone is using your e-mail address in the "from:" field of junk e-mail they are sending, and some of the recipients of those messages are not valid email addresses and you are merely getting the bounce back messages. See:
Perhaps you meant that someone is actually sending out messages to your contacts, pretending to be you? In that case, it is likely that your Yahoo! credentials were compromised in a phishing scam.
You might consider changing your Yahoo! password and seeing if that stops the madness. Good luck.
Tampa, Fla.: I recall that prior discussions touched on using a live DC to avoid malware. That is, boot up your PC on, say, the latest Ubuntu Linux live cd, and then do all your on-line banking.
Would not this prevent any and all malware from infecting your machine? Could using a live CD allow you to visit any site, regardless of any malware it might try to load on your machine?
Brian Krebs: Yes, almost certainly it would prevent 99.999 percent of Web based malware from attacking or infecting your machine (I cannot say with certainty that there aren't threats that would compromise a Live CD, hence the .0001 percent missing, but it's not very likely).
Anonymous: Your web site last week carried a chilling AP story about people who have been prosecuted and sometimes convicted for having child pornography on their computers that was downloaded by viruses unbeknownst to them. In one case a computer was programmed to bounce among porn sites 40 times per minute. In some cases computers were deliberately sabotaged by others who had access to them. But prosecutors operate with the general premise that you are responsible for everything on your computer, and trying to prove otherwise can cost many thousands of dollars. I understand basic advice about protecting your computer: keep AV programs current, work in non-admin status, etc. But sometimes bad stuff gets through, and even if you find a virus or some other problem and eliminate it, images that have already been downloaded will remain. What is the best way to search for material on your computer that doesn't belong there, even if malware or a malicious user was trying to hide it, and delete it irretrievably?
Brian Krebs: There are several different questions in your query. One has to do with finding images, cached Web pages (I think) and the other is a more general anti-malware question.
Interestingly, some of the best tools for finding images and other cache Web content also are some of the best way to make sure stuff you don't want to get saved or cached on your system gets copied and saved. I'm talking about things like Google Desktop. Sure, you can tell Google Desktop not to save copies of Web pages or images you've viewed, but then there goes a big portion of its usefulness.
Depending on which version of Windows you're using, Windows itself may actually be a good way to find these types of things. Windows 7 and to a lesser extent Vista includes some pretty powerful search functionality that makes it somewhat easier and faster to search for specific file types (for example, you could type in *.jpg) to search for .jpg images on the directory or drive you're currently in.
The most reliable way I know of to find malware on an infected system is to run a scan on it using something that is not dependant on the underlying operating system to tell the truth or detect a problem, since that underlying system may already be compromised and instructed to disable, cripple, lie to or otherwise deceive other installed software (including AV software).
To that end, an online anti-virus scan might give a better, more objective second opinion. ESET, F-Secure, BitDefender, and several other AV vendors offer free online scanners that can remove malware. F-Secure offers a free Blacklight tool that does a great job scanning for and removing "rootkits," which are designed to hide the presence of malware on an infected system.
But to be completely sure, your best bet is to load the system using another operating system entirely. For example, several different "Live CD" distributions come with anti-virus tools built in that will let you scan the underlying hard drive for any malware and remove the files. Something like LinuxDefender is one such option, but there are many, many others.
MS Essentials: Brian,
Hi. I have Vista with all the up to date service packs/fixes.
My McAfee renewal was up so I unistalled and installed the free MS Essentials. Though I have to do manual updates (bug with MS Essentials), I think the program so far and it appears they have embelished the software Firewall capabilities.
Have you heard of any recent cons to running this free program?
Brian Krebs: Not really, but then again I wouldn't stand for an anti-virus program that made me update its malware definitions manually. What bug are you referring to exactly?
Unless you can quash that bug, I'd recommend switching to something like AVAST! Having to manually updating AV software in this day and age is insanity. You don't and shouldn't have to put up with that. There are other options.
Vancouver BC: Hi Brian
Thanks for all the great advice week after week btw!
I have a older P4, with XP and SP2....my puter was booting up just fine, except as I was cleaning the keyboard a bit, it must have tried to download SP3 which I had kept at bay like forever. Now it does "unmountable_boot_volume" and despite all the online troubleshooting and fixes I try, I can not even get to safe mode. No way to adjust caching or shadowing in BIOS, and the XP disc never gets to "settings" for me to chkdsk/r ...it just wants to do a clean install. Any ideas, please and thank you.
Brian Krebs: Ugh. Very sorry to hear about this. It may be a corrupted sector or two on the disc, or a more serious problem with the hard drive itself.
Have you got the XP installation disc handy? If so, try this (from Microsoft's instructions on what to do when this error appears):
1.Insert the Windows XP CD-ROM into the CD-ROM drive, and then restart the computer.
Click to select any options that are required to start the computer from the CD-ROM drive if you are prompted.
2.When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
3.If you have a dual-boot or multiple-boot computer, select the installation that you must access from the Recovery Console.
4.When you are prompted, type the Administrator password. If the administrator password is blank, just press ENTER.
5.At the command prompt, type chkdsk/r , and then press ENTER.
6.At the command prompt, type exit , and then press ENTER to restart your computer.
This takes a bit longer, but the system should boot back into Windows.
Washington, D.C.: Hi,
Kind of a beginner questions, but is there any benefit in avoiding malware/viruses in viewing videos through youtube-like sites (player on their website) vs. Windows Player videos (player is on my site, and it downloads a file to play)? Or are they both just as dangerous?
Brian Krebs: I wouldn't sweat this too much. Just be wary of any site that tells you that in order to view some video you need to download a special codec or plug-in. These are almost always trouble. When in doubt, always, always, always update or install any needed plugins from the source, and avoid "codec packs" and special individual "codecs" unless you really know what you're doing. Most sites just need you to enable Flash. If you get a site that says you need to install Flash or upgrade it, when you already have it installed, don't take their word for it: Go to Adobe's Flash page and check to make sure you have the latest version.
Lynnwood, Wash.: A few questions about the Windows HOSTS file: Do you have suggestions for the best source(s) for updating the HOSTS file, e.g., mvps.org, hpHosts.org, SpybotS&D, etc.?
Is there an advantage to using several sources even though it creates duplication of some or many entries and requires disabling the DNS Client service due the resulting large HOSTS file size?
Are any one of these services more inclusive than the others?
Do any of them update their data more frequently than the others?
Brian Krebs: For the uninitiated, a HOSTS file is a text file on all Windows machines that users can use if they so desire to block or allow certain Web sites or addresses from loading. By default, this file is pretty much empty. In XP systems, it lives at c:\windows\system32\drivers\etc
There are, as this reader notes, several sites that offer free updated lists of hosts file entries that attempt to list the known bad places on the Web.
HOSTS file management is of course one layer of protection, but not one that I recommend for the average user. Reason being, it's just too much to expect people to update this file on a regular basis. Can it be effective at blocking bad sites (or even entire countries?) from loading? Sure. Can malware that gets on your system alter or wipe out your entries in that file and replace it with its own list that prevents the victim from visiting security-related sites? You betcha.
I don't have a specific suggestion for which of these free lists is better for updating your HOSTS file. I am familiar with MVPS, and they are a trustworthy source (although I thought I recalled their recently saying they weren't going to update that list anymore, but now I see that they in fact are. Confusing). Anyway, MVPS.org is a good source for anyone looking for more information about this defensive tatic. See
NYC, N.Y.: Hi Brian, I'm a new reader of your column, I am amazed at how much you and Rob know. I purchased a Passport "my K drive)drive for back up. I can backup my files as I create them, except I can't figure out how to backup a program call paperport 11 without back up my whole system, which I don't want to do. I have windows XP, the computer is HP a1010n.
Brian Krebs: Hi NYC. If I recall correctly, PaperPort is an application designed to be used with a scanner or scanner/printer device. I wouldn't worry too much about backing up applications. You can always reinstall those if something goes wrong. Just make sure that you understand where scanned images are stored, and that you have that location backed up, and you should be fine.
Ashburn, Va.: Why hasn't Linux caught on with the public? It seems that the Netbooks were a perfect platform for Linux - requiring a small OS running on a limited resource machine.
Brian Krebs: You're right: Netbooks ARE the perfect platform for Linux. But people stick with what they know, or *think* they know. I guarantee you most Windows users have never used a command line.
I guarantee you most don't know how to use 99 percent of the administrative features on the machine. So would you expect these same folks to voluntarily switch to an unfamiliar platform, where they have to re-learn what little knowledge they've amassed, and then master a whole new vocbulary and understanding of how all these components interact?
Brian Krebs: I'm all out of time for today, folks. Thanks to all who joined us for this chat, and to everyone who came by to have a peek at the transcript. Please consider making the Security Fix Blog a stop on your daily Web browsing routine, and be safe out there people!
Editor's Note: washingtonpost.com moderators retain editorial control over Discussions and choose the most relevant questions for guests and hosts; guests and hosts can decline to answer questions. washingtonpost.com is not responsible for any content posted by third parties.