More malware to worry about

Some hypochondriacs like to read about physical ailments in order to convince themselves that have the diseases described. I visit computer security sites to read about the malware that may be infesting my system.

Logic tells me that there's no real reason to worry, not at the moment. Everything is running smoothly and rapidly. My system boasts a nearly-fresh install. All of the anti-malware apps say that this machine is running as clean as a baby's conscience.

And yet that uneasy feeling lingers. The bad guys have written a lot of dangerous new code -- malware unlike anything the world has seen before. Maybe it lurks somewhere on this system...

Or maybe it's on yours. And maybe you're infecting all of your friends.

Understand: I'm not really a tech guy. But I am a paranoia connoisseur.

If you want a good scare, read about the latest variant (euphoniously dubbed the Sst.c) of the TDL4 rootkit. We're talkin' about the nastiest, grimmest, gruesomest piece of code ever conceived by any cyber-malefactor. See here. And here and here.

Remember the Big Hand in Cabin in the Woods? That hand wrote this rootkit.

Firewalls can't stop it. Antivirus engines can't see it.

This thing is so damned sophisticated that I'm beginning to wonder about state sponsorship. We know that Stuxnet originated with Israel's infamous Unit 2600, originally as a way to get control of the computers used by Iranian nuclear technicians. For more info on Stuxnet, see the previous Cannonfire posts here and here. (Also see here.)

So far as I can determine, nobody has yet suggested in public that Unit 2600 may be behind TDL4 or any variant thereof. Well, let me be the first to raise that possibility.

How can anyone prevent being infected by a rootkit designed to evade detection by all antivirus scanners (free or paid)? I'm not sure. But here are two suggestions:

1. Use Sandboxie while web-surfing. A sandbox program keeps anything you download (wittingly or accidentally) in a cage, well away from your operating system. Alas, Sandboxie (cost: zero!) is a rather daunting app. Many find it a bit hard to navigate -- at first. This video from 2009 will give you the basics in a clear and comprehensible fashion. The reviewer is Matt Rizos -- a friendly, low-key computer security guy who talks like a normal human being. Unlike many other computer experts, he isn't arrogant. Bless you, Matt.

After you install Sandboxie, it shows up as an option in your context menu (the list you see when you right-click on something). This means you can use your browser in a normal fashion -- un-sandboxed -- when visiting your usual trusted sites. But when you explore the wilder, less familiar areas of the internet, you can start up a sandboxed version of your favorite browser.

So far, Sandboxie hasn't slowed me down at all. The basic version of the program is free. If you pay, you can get a few more bells and whistles.

There's a well-regarded free alternative to Sandboxie called Bufferzone. It's easier for novices to figure out. Alas, it won't work if you use Comodo's firewall.

2. Keep a pristine system image on a separate (preferably external) hard drive. A "system image" is a copy of your hard drive. If you receive any hint of evilness on your system, move any documents or other data files (images, videos, etc) to a safe hard drive or a DVD (or to "the cloud"), then re-image your drive -- that is, replace everything on that drive with the copy you keep stored elsewhere for just such occasions. And when you re-image, reformat the whole thing.

I think that reformatting your drive will kill even the fearsome TDL4/SSt.c monster (which writes an invisible partition at the very end of an infected hard drive). But I'm not sure. If you can prove me wrong on that score, please educate us all.

If you don't know how to make an image, go here. Keep in mind -- the image should be of a fresh install of your operating system and programs. It has to be clean and perfect, with zero (ZERO ZERO ZERO) crap from the internet. No torrents, no downloads, no IRC, no unnecessary web-surfing, no nuthin'. Spend a weekend getting everything just right.

Being a paranoia connoisseur, I re-image every few months.

One other thing. If you are using a desktop system with a lot of hard drives, play it safe when you re-image: Turn off your computer, open 'er up and physically unplug all of the drives except for the two you will be using -- the C drive (the one you are wiping clean) and the drive that contains the image. (If that other drive is external, as it should be, it connects via USB.) Yeah, you can open up your desktop. Don't be a wussy.

Why should you unplug all other drives? Because you'll want to remove even the slightest chance of applying the image to the wrong drive. Re-imaging wipes a drive clean, so be ultra-careful!

Ransomware. You may have read about another threat -- Ransomware. This New York Times account of the problem is quite terrifying.

Basically, ransomware is a type of malware that locks up your system -- completely. You can't even use your keyboard (except for the numerical pad). You'll see nothing but a screen telling you that the government has caught you downloading illegal material, and that your computer won't work again unless you pay a fine, which will be in the $100-$200 range. Usually, you "catch" ransomware after visiting porn sites.

Believe it or not, many people are foolish enough to pay. Of course, their computers remain inoperative.

The two security tactics described above will help you in the battle against this foe. If you are unlucky enough to stumble across an example of ransomware while looking at copulating couples, Sandboxie will keep the beastie in a cage. If you get infected, simply re-image your drive. You'll have to boot up using a Windows recovery disk.

(By the way: You can also use the Macrium imaging system, which is free software. Some people prefer Macrium to the in-house Windows 7 imaging system. They're both good.)

Before re-imaging a drive crippled by ransomware, you may want to rescue documents and other files on your hard drive. I think you'll be safe if you take the main drive out of your system and plug it into another computer (for example, that ancient XP system you stowed in your closet years ago). Use it as a data drive, not as a C drive. If all goes well, you should be able to migrate your files into a safe place. After that, you can put the drive back into your main computer and re-image the thing.

If you don't have an image, you'll have to install everything from scratch.

If you think that the approach described above is extreme, there are other ways to deal with the problem of ransomware. This page has some excellent advice. Also consider the Norton Bootable Recovery Tool.

Note that one of the methods described on those sites involves booting up into Safe Mode. I've read that Windows 8 doesn't even have Safe Mode. One more reason to hate 8!

By the way: Please don't think that I ascribe all modern malware menaces to Unit 2600. Yeah, I'm paranoid, but not that paranoid. Of course, other nations are getting into the evil game of viral warfare. Still...after the Stuxnet episode, a certain amount of jumpiness is justifiable.

As always, readers are advised not to comment on this post if they are of the "Get a Mac" or "Get Linux" persuasions. In the first place, evangelists and zealots are always kind of annoying; you have nothing to say that we all haven't heard before. In the second place, the newest types of malware are comin' to get the Microsoft-phobes as well. Sure, you may feel safe right now, but it's just a matter of time...

One of these days, the bad guys will find a way to target portable tablet devices. God only knows what will happen then.