
As 2011 draws to a close I am reflecting on the compromised computers that I have dealt with in the last few months. In April I went to work for a company that is the IT Department for a number of small businesses in our area. One of the things that I do is deal with machines that are not working correctly. The majority of the complaints were first identified with security popups. These were pretty easy ones to identify - AntiMalware 2011, AntiVirus 2011, and the latest one, Security System (vclean.exe). In all of these cases the users said that they were on a website and clicked on a link or an image file. They said that the computer immediately started popping up with various messages about computer instability. I have found that most of these types of infections are easy to clean up and most required simply Malwarebytes and a good anti-virus program to clean them up.

Others have not been so easy. I have dealt with several that had been infected and had some or all of the files on the hard drive hidden. These are the difficult ones to deal with. Tools like ComboFix are required to even identify these infected files. I have found several tools that have helped with the identification and removal.

I have also had several machines that were unable to install Windows updates. The customer has no recollection of any virus infection - the updates just stopped working with a pretty generic error. On the first machine I worked with Microsoft to attempt to figure out what was going on. After several back-and-forth emails and following procedures provided by Microsoft, I discovered that the directory used to write temp install files and install logs was missing. It looked like the directory had been deleted; however, if I searched for the file I would find older versions of the log files. Continuing to investigate, I discovered that the directories and files had been changed to hidden and read-only when checking with the attrib command. Running the UNHIDE.EXE tool returned the file structure to normal. I ran the Windows updates again and all was well. A virus scan and a Malwarebytes scan then detected and removed several malicious files.
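The diary describes diagnosing this with the attrib command and repairing it with UNHIDE.EXE. As an added example (not from the diary and not a SANS tool), the following PowerShell script audits a directory tree for files and folders carrying the Hidden or ReadOnly attributes, so a technician can see the damage before deciding whether to clear it. The default path is an assumption; the diary does not name the directory involved, so point it at whatever location is failing on the machine in front of you.

```powershell
# Added example, not from the ISC diary. Lists (and optionally clears) the Hidden
# and ReadOnly attributes under a directory tree. Run from an elevated prompt.
param(
    # Assumed default; the diary does not name the affected update directory.
    [string]$Path = "$env:SystemRoot\SoftwareDistribution",
    # Only clear attributes when -Fix is given; by default the script just reports.
    [switch]$Fix
)

$mask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::ReadOnly

# -Force is required, otherwise Get-ChildItem skips hidden items entirely,
# which is exactly why the directory "looked deleted" in Explorer.
$items = @(Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$suspect = $items | Where-Object { $_.Attributes -band $mask }

foreach ($item in $suspect) {
    "{0,-30} {1}" -f $item.Attributes, $item.FullName
    if ($Fix) {
        # Strip only the two attributes of interest; leave System, Archive, etc. intact.
        $item.Attributes = $item.Attributes -band (-bnot $mask)
    }
}

"{0} item(s) with Hidden/ReadOnly attributes under {1}" -f $suspect.Count, $Path
```

Run it without `-Fix` first and read the list: Windows legitimately hides a few files (desktop.ini and similar), so clearing attributes blindly across a whole tree is not the same as restoring the original state. The equivalent one-liner from a command prompt is `attrib -H -R "<path>\*" /S /D`, which is what UNHIDE-style tools do in bulk.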
Some of the machines have not been so easy. Cases where operating system files, network files, and other critical files had been altered are best handled by a format and reload. Formatting and reloading requires that the customer have the original install CDs.
My goal for 2012 is to educate all of our small business customers on the importance of Windows Updates and having a good anti-virus program. Having these two items goes a long way in minimizing the number of compromised computers the customer will have to deal with.
Deb Hale (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Stratfor Global Intelligence has released information regarding a breach of their data. The reports indicate that ANONYMOUS has once again struck and has managed to get a large amount of personal data (reportedly including credit card numbers) from their client data file. The mind-boggling thing is that the data, including the CC numbers, was in plain text. Information, including the letter from the company, can be reviewed at:
It is Christmas morning in the US and hopefully Santa has made his delivery at your house. Some of those deliveries may be electronic in nature. Under our tree there are 2 new laptops for grandchildren. The laptops have been pre-delivered, as this grandma has purchased and installed anti-virus, has removed all of the bloatware from them and taken care of the Windows Updates and security setup. The machines are ready for delivery. I hope that those of you who have received new electronic toys under the tree will take the time to secure and protect them if you haven't already. I am anxiously awaiting the arrival of my 6 little elves (grandchildren) so that we can begin our Christmas celebration.
A little later I am going to do a diary that overviews the lessons that I have learned in the last few months as I have dealt with customers' infected computers. Stay tuned.