Oh, the embarrassment of it all! I haven’t had to deal with a malware issue (other than self infecting in AV product testing), for more than 2 years – until this past week. No big deal, except perhaps, for the way I got infected – that old, old, old, malware attack vector – an infected search engine result.
The manipulation of search engine results, exploiting legitimate pages, and the seeding of malicious websites among the top results returned by search engines in order to infect users with malware, continues to be a major threat to system security. And, why not? It bloody well works!
Over the years, I’ve written more than a few articles on search engine malware – the last – Search Engine Malware – The Same Old, Same Old – this past August.
From that article:
Here’s how the cyber crooks do it:
Cyber-crooks can exploit vulnerabilities on the server hosting the web page to insert an iFrame, (an HTML element which makes it possible to embed another HTML document inside the main document). The iFrame can then activate the download of malicious code.
When a potential victim visits one of these infected sites the likelihood of the downloading of malicious code onto the computer by exploiting existing vulnerabilities is high.
So there I was, happily bouncing along the Internet highway Googling a phrase I had read on another blog. Choosing the first Google return proved to be a very bad idea indeed, since I immediately stepped into an infected iFrame.
But thankfully, all was not lost – Microsoft Security Essentials (which incorporates antivirus, antispyware and rootkit protection), halted the malware – Trojan:JS/BlacoleRef.K – in its tracks!
So what’s the lesson here?
A couple really – AV settings are very important. In this case, as per the following screen shot – nothing moves into, or out of this machine, without being scanned. Microsoft Security Essentials makes it so simple – no esoteric choices.
The second lesson – a MOST important lesson – absolutely, positively, without fail, come hell or high water, ensure that AV definitions are updated at least daily. Preferably, more often.
You might be surprised to learn, that on the day I stumbled, while MSE recognized the intruder, the vast majority of AVs did not – as per the following VirusTotal report (partially reproduced here).
Since it was preposterous to assume that MSE had in fact eradicated the Trojan (paranoia has its upside don’t you know? ), I then ran a full scan with Kaspersky Rescue Disk – a free Linux-based antimalware application (a live CD), which scans from the outside looking in. Malware generally can’t hide if it’s not running.
The result? The Kaspersky Rescue Disk scan was clean. MSE had in fact, sent Trojan:JS/BlacoleRef.K to malware hell. Yes!!
I suppose there’s one more lesson that can be dug out of this experience, and that is – those tech journalists who absolutely insist that “pay for” antimalware applications are superior to all free AVs (often, without ever having tested the damn product in real world conditions), should take a step back and reconsider their speculative approach to antimalware application ratings.
Worth repeating: Despite the fact that I’m provided with a free license for all the security applications I test (and then some), I have chosen to run with the following FREE applications.
Microsoft Security Essentials (free) – an all-in-one antimalware application.
Immunet Protect – a free Cloud based companion antimalware application.
ThreatFire (free) – this application is built around a Host Intrusion Prevention System (HIPS), and behavior based blocking combination.
WinPatrol (free) – another HIPS application with considerable additional functionality. WinPatrol is the elder statesman of this application class and, it just keeps on getting better. A must have application.
PC Tools Firewall Plus (free) – PC Tools Firewall Plus is advanced Firewall technology designed for typical users, not just experts. The “plus” refers to a HIPS component. Generally, if the ThreatFire HIPS component is triggered on my machine, PC Tools Firewall Plus is triggered as well.
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.