You practice safe computing, so why do you still see malware?

Quite regularly, I get feedback from our customers that they’ve found malware on their computer, and don’t know how it got there.

While you may think this is due to malware exploiting unpatched bugs in the Windows operating system, it isn’t: these customers are predominantly using OS X, and they usually have all the latest patches applied. However, the malware they’re finding is indeed often for MS Windows operating systems.

So are they infected? How did it happen? How COULD it happen?

The real story is both simple and a bit disturbing: our scanners are detecting these files in a few key locations: the email cache folder, email attachments folder, web cache folder, web downloads folder, and the Java web cache folder. See a pattern here?

These people are victims of drive-by downloads and malicious spam campaigns. Without visiting any shady parts of the internet, they have managed to pick up a collection of malware that, if successfully run, would likely result in their computer becoming part of a botnet.

Now, since most of this software won’t run under their current configuration, this isn’t as much of an issue… but that comfort only lasts as long as their configuration isn’t the one being targeted.

Here is a sampling of what Mac users are currently seeing scattered across their cache and download folders:

Via web:

  • Troj/Gida-A: drive-by Adobe Flash download that downloads and installs botnet software
  • Exp/MS04-028: drive-by JPEG download (can also show up as a false positive in partial JPEG images, as it’s an exploit detection) that can execute privileged code on unpatched Windows computers
  • Mal/JavaDldr-B: drive-by Java download that downloads and installs more malware
  • Mal/Iframe-AA: drive-by JavaScript in a hidden IFrame that redirects the user to a page that detects what their system is vulnerable to, and attempts to exploit those specific vulnerabilities with the aim that the target joins a botnet
  • Mal/Iframe-AD: drive-by malicious HTML IFrame used in SEO-poisoned search results (often image searches)

Via email:

  • Troj/Invo-Zip: Zeus botnet-generated, arrives via email. Can also show up as a false positive in incomplete temporary zip files, as it’s an exploit detection.

The disturbing part of this story is twofold: first, just being connected to the internet and using email or doing some web browsing (especially if you do image searches) is likely to expose you to this darker side of computing. Second, a number of these pieces of malware point to people becoming exposed to (not infected by) malware by visiting trusted web sites.

While this is old news, most of us, if we are completely honest, will admit to not behaving as if we know these two things — we implicitly trust content that could be harmful to our computers.

Since the attackers can update the malicious payloads at any time, we never know when our computers may be successfully compromised by a zero-day malware attack.

There are a few things you can do to mitigate these risks on any computer:

  • Keep your computer up to date with the latest security patches.
  • Delete email with dodgy-looking content or attachments immediately.
  • View email as plain text whenever possible. Keep JavaScript, Flash, and preview features disabled.
  • Maintain your downloads folder. Go through it at the end of each session and throw out what you don’t need to keep. Move the rest of the contents to somewhere that makes sense on your computer.
  • Keep Flash, Java and JavaScript disabled in your web browser, except for sites that really need it.
  • Keep Flash, Java and JavaScript disabled in your PDF viewer as well, except for documents that really need it.
  • Use an up-to-date computer security package. If you don’t keep active scanning enabled for your computer (speed reasons, conflicts, etc.), at least configure the software to scan any new content that arrives via email or shows up in your Downloads folder.
  • Purge your caches from time to time — the simplest way to do this is often to reboot your computer. Email programs often give you the option to “rebuild archive” or “update database”, or sometimes to purge caches. Web browsers usually allow you to purge the caches manually as well, and often let you automatically purge them when you exit your browser.
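
The end-of-session routine from the last few points (look at what arrived in the drop zones named earlier, then age out stale cache files) can be scripted. This is an added example, not from the original post; the folder paths are assumed defaults for a typical OS X home directory, and the script only reports unless you call the purge function yourself.

```shell
#!/bin/sh
# Added example: review the locations the post names (downloads, mail
# attachments, web cache, Java web cache) at the end of a session.
# All paths below are ASSUMED defaults, not taken from the post.

# List regular files under DIR modified in the last MINUTES minutes:
# the "new content" that should go to the scanner before it is opened.
new_arrivals() {
    dir="$1"; minutes="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -mmin "-$minutes" 2>/dev/null
}

# Delete cache files under DIR older than DAYS days. Cache content is
# re-fetched on demand, so the only cost is a reload.
purge_older_than() {
    dir="$1"; days="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -mtime "+$days" -print -delete 2>/dev/null
}

# Count regular files under DIR (0 if it does not exist), to confirm
# that a purge actually emptied a cache.
count_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f | wc -l | tr -d ' '
}

HOME_DIR="${HOME:-/tmp}"
# ASSUMED locations of the folders the post describes
DOWNLOADS="$HOME_DIR/Downloads"
MAIL_CACHE="$HOME_DIR/Library/Mail Downloads"
WEB_CACHE="$HOME_DIR/Library/Caches/com.apple.Safari"
JAVA_CACHE="$HOME_DIR/Library/Caches/Java/cache"

# Report everything that arrived during the session (default: 8 hours)
# so each file can be handed to the scanner and then kept or thrown out.
review_session() {
    minutes="${1:-480}"
    for d in "$DOWNLOADS" "$MAIL_CACHE" "$WEB_CACHE" "$JAVA_CACHE"; do
        new_arrivals "$d" "$minutes" | while IFS= read -r f; do
            echo "NEW  $f"
        done
    done
}

case "${1:-}" in
    run)   review_session "${2:-480}" ;;
    purge) for d in "$WEB_CACHE" "$JAVA_CACHE"; do purge_older_than "$d" 30; done ;;
esac
```

Run it as `sh review.sh run` at the end of a session, and `sh review.sh purge` to drop web and Java cache files older than 30 days; `find -mmin` and `-delete` are BSD/GNU extensions, available on OS X and Linux.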

Most of these suggestions can be done once, or set up and automated (like updating software). The rest are fairly easy workflow habits that will not only keep you away from many malware headaches, but will also often clean up clutter and recover disk space you didn’t know you were missing on your computer.

If nothing else, make a pledge to try for a week. For most, the benefits will significantly outweigh the inconveniences.