Wednesday, June 01, 2011

SOFTWARE: Fake Scary Scumware

Of late, too many conversations I have on the phone include this, "I think I have a virus on my computer..." Arrrggghhhhh!!!!

Well, mostly, they are correct. And nervous I'm going to come through the phone and shake them silly. And yes, as Archie Bunker was fond of saying, I have to just 'STIFLE!' A good percentage, I fob off onto Patrick and he's dealing with them, plus his own legion of unhappy callers. Between us, I think we've run across about a dozen computers this spring with the same symptoms: An up-to-date computer with up-to-date virus protection AND a virus.

Doesn't seem possible does it? Well, let me point out there are two scenarios that let all those fact remain true. Your anti-virus should update every couple of hours ideally. The free versions usually update once a day. Let's say 8 am. So, some schmuck in Bulgaria (or Indonesia or some place around the corner) sends out a virus into the wild around midnight on Monday morning. It takes a while for the virus to circulate and it takes a while for the attention of your AV provider to be drawn to it. Then it takes a while for them to figure out how to stop it with your AV (they have to create a signature to searched for within the virus). Say it takes until 9 am. It's often later than that. So they put it in the next update, which for you is Tuesday morning at 8, a full 32 hours after the virus was released. You have done nothing wrong (other than chintz on not paying for a major AV's subscription), and yet you got the virus.

The other way to get infected is to agree to it. If you OK the downloading and installation of a virus (or worm or any of the other malware I call scumware), your AV can't stop it. There are legal precedents, mostly from Europe, where AV companies were sued for stopping you from your legal right to screw up your computer. If you OK it, you OK it. And your AV can't get in the way.

Now, why would any supposedly intelligent person OK getting a virus? Well, you wouldn't. But OK, NEXT and CONTINUE buttons are real easy to click, just to avoid reading lots of nasty fineprint. And that's where these scumware merchants get you. And tomato, Tomato, what you call a virus we call an agreed-on exchange of information. Like your PIN and Passwords and such.

Some times, the fineprint way of getting you to agree to your own infection is supplanted by truly illegal and nasty ways of doing business. The Mac world was rocked by the appearance of a nasty virus late in May. And that will be just the first of many that follow suit, thus forever dispelling the myth that Mac's don't get viruses. It was a SCARE virus. A fake AV product popped up, informed users the computer was infected and suggested VERY STRONGLY the user cough up some dough (via credit card) for the new shiny Anti-Virus program that would stop the current situation cold. Of course, it's a scam designed to part you from your money (and get your credit card info, to part you from MORE of your money).

So, what to do about this scurrilous scumware? Well, a posting today at Sophos (a maker of AV products) explains one approach. It explains the threat well enough and points out there is no such thing as a FIREFOX security warning. Seeing one should result in you exiting the browser immediately. And when it restarts, fer gawd's sake, don't restore all the tabs. ONE of them has the scumware on it!!!! You'll probably be able to figure out which. Jerry Pournelle actually goes one step further. If he sees one of these fake scare screens, he turns the computer off. That's right, power OFF! While I find that a little drastic, I've come close to doing it. But what I currently do is right-click on the button on the task bar at the bottom of the screen and choose close from there.  I DO NOT CLICK on any of the buttons on the form or even the X in the upper right hand corner of Firefox. Why? If you had a nefarious bent, wouldn't you label the OK button "close" or "cancel' and vice-versa? Or how about putting an invisible OK button over the closing X on that form? It's really, really not that hard to do.

Since we know you are using Firefox (Internet Explorer users deserve whatever crap their choice forces upon them), then you HAVE TO INSTALL No-SCRIPT. It's not a choice. It's a requirement. Going to the internet without it is like walking outside without any pants. You MIGHT get away with it long enough to get the paper off the driveway. But a trip to the mall is the first step towards a trip to the Psych Ward. With No-Script, you can prevent accidental drive-by infections since MANY of the sites that would do you harm, are blocked by default. IF you allow a script to run that THEN infects you, well there's only so much hand-holding I can do. You get what you deserve.

Bottom line, fixing these infected computers is about a two-hour job if everything goes right (You have backups, multiple restore points, a willingness to let us nuke your computer to the ground and install a disk image, etc.). Things don't normally go right. And I'm stuck going through directory after directory deleting any 'newish' file hoping to nab all the various pieces of the critter. It's scutwork. Important to you, totally boring for me.

So, for those of you reaching for the phone to call me with the same plaintive bleet, my advice is, "Call Patrick." Or take the steps necessary to not get the virus in the first place.

No comments: