Thursday 6 August 2015

Virus Alert: What to Do?

Is your computer warning you about a virus, while your browser sounds the alarm about a hacked certificate? We’ll show you how to respond to such notifications.

All of a sudden, a warning window pops up with a cryptic message: “Object c:\3df34wf4.pdf is infected with the Trojan.Win.32.Invader Trojan programme.” Right below the message are three options: quarantine, delete and skip. Even experienced computer users don’t always know how to proceed in such a situation. Popular anti-virus programmes make it easy for themselves and shove the responsibility onto the user. Those who hastily press the wrong button could catch a virus, or even end up permanently deleting a harmless but important file from the hard drive.


The world of e-mail contains similar pitfalls. Any message could contain a virus, but it would make no sense to simply delete every message that triggers a notification. The same applies to the web: if a seemingly reputable company site produces a certificate error, it is important to remember that this could always be a false alarm, and to be able to recognise it as such. In this piece, we give you the information you need so that you no longer have to worry about pressing the wrong button when faced with a virus alert.

Virus Detection


Win32Blocker.cbuf, HEURtrojan.W32 – when such names come up, only a handful of users can immediately identify the troublesome virus. It is even harder to recognise a false alarm. Modern anti-virus tools have a detection rate of up to 99 percent. However, this comes at a price, namely a larger number of warning messages, some of which are false alarms. We show you how to find out whether danger really is imminent.

Arranging notifications properly


In case of a warning, anti-virus programmes often leave the next step up to the user: they have to decide whether the allegedly infected file should be deleted or quarantined, or whether the virus scanner is simply mistaken. In such a case, it’s important to know exactly where the file came from. Files from protected environments (such as files from internal company servers) have probably already been checked by the enterprise virus scanner, which means that they are probably clean. You can also assume that files received via e-mail from reputable online sources – such as Amazon & co. – are free of viruses. Naturally, this doesn’t apply to situations in which the mail was forged (see below). False alarms can also arise if multiple virus scanners are installed in tandem. Before you assess the virus alert, you should go through the following steps. First, google the virus name; this often delivers the relevant information. Another indicator is the test that can be run on virustotal.com, which allows you to upload the allegedly infected file. The site then uses several anti-virus engines to check the file. If the majority of the engines report a detection, the file does contain a virus, and you should delete it with the help of your anti-virus programme. If the site only produces negative results, the alert is a false alarm. If the deletion function does not work, the file is being locked by the system. Under such circumstances, you should use your rescue system, which is based on a live Linux OS.

Computer slows down noticeably


If you’re beginning to feel like your computer is running very slowly, you may have fallen victim to a rootkit. One indication is the load on your system and the internet connection while the computer is idle. You can check this via the task manager: when you are not using the computer, CPU utilisation should be less than five percent, and network utilisation less than one percent. If one of these values consistently remains at a very high level, it could indicate the presence of a rootkit. In such a case, the best course of action is once again to use the rescue system. This bootable Linux system can even get rid of stubborn viruses that the scanners installed in the system often cannot remove.

Computer is locked


Some criminals install ransomware on your computer. It locks the whole system, displays only a single message on the screen, and may even encrypt parts of the hard drive. Those who send a sum of money to the virus developers receive the activation password – at least, that’s how the story goes. First, you should run an internet search for information from the screen, such as the terms ‘MoneyPak’ and ‘Ransomware’. The websites of most virus protection companies provide special removal tools and activation passwords for these viruses. In most cases, our rescue kit (available on the website) can be of assistance. All programmes should be kept up to date, in order to ensure that the entry points used by such malware are closed.

Junk Mail


An e-mail from your bank arrives: your credit card has been blocked. You are now expected to verify your details on the company’s website so that the card will be unfrozen. The return address looks like a Visa address, and there’s even a personal salutation. Sometimes it can be hard even for experienced users to determine whether the message is valid or a phishing mail. Here, we show you which details you should pay attention to, so that you don’t become a victim.

Recognising phishing mails


The sender’s address alone won’t help you identify a fraudulent mail, because attackers can easily manipulate it. A better indication of authenticity is provided by the e-mail server through which the message was sent. This information can be found in the message’s source text. In Outlook, the source text can be called up via “File | Properties”. In Gmail, open the mail, click the arrow next to the reply button and select “Display original”. In the source text, the sending server is identified under “Received”. It should have the same domain name as the company that sent the mail. If this is not the case, the message is highly likely to be a phishing mail, and you should just delete it. However, this method doesn’t always work. Small companies in particular rely on the mail servers of external service providers; in such a case, the domain name would not match the company address. Still, since attackers usually only imitate large websites, the server check is a valid tool.
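The server check described above, as an added example that is not part of the original article: it extracts the sending server from the earliest “Received” header and compares its domain with the domain of the “From” address. The two sample messages and all domain names are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not from the article); placeholder domains per RFC 2606.
# Each MTA prepends its own Received line, so the LAST Received header is the
# earliest hop, i.e. the server the message was actually sent from.
PHISH_RAW = """\
Received: from smtp.example.org (smtp.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id abc123; Thu, 6 Aug 2015 10:00:00 +0000
Received: from bulk-sender.example.org (unknown [192.0.2.45])
\tby smtp.example.org with SMTP; Thu, 6 Aug 2015 09:59:58 +0000
From: "Card Services" <security@bank-example.com>
Subject: Your card has been blocked
"""

GENUINE_RAW = """\
Received: from mx1.bank-example.com (mx1.bank-example.com [203.0.113.10])
\tby mx.example.net with ESMTP id def456; Thu, 6 Aug 2015 10:05:00 +0000
From: "Card Services" <security@bank-example.com>
Subject: Your statement is available
"""

RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)

def registered_domain(host):
    # Last two labels only (assumption: no multi-part suffixes such as co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def originating_server(raw):
    # Host named in the 'from' clause of the earliest Received header, or None.
    hops = email.message_from_string(raw).get_all("Received") or []
    if not hops:
        return None
    match = RECEIVED_FROM.match(hops[-1].strip())
    return match.group(1).lower() if match else None

def check_sender(raw):
    # Returns 'match', 'mismatch' or 'unknown'. A mismatch is a strong phishing
    # indicator for large senders, but can be legitimate for a small company that
    # relays through an external provider, so treat it as a reason to look closer.
    claimed = parseaddr(email.message_from_string(raw)["From"])[1].split("@")[-1]
    server = originating_server(raw)
    if server is None:
        return "unknown"
    return "match" if registered_domain(server) == registered_domain(claimed) else "mismatch"
```

Note that a forged “Received” line can be inserted by the sender as well, so the earliest hop is only trustworthy as far as the relaying servers you recognise.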

Still, under certain circumstances the cyber-gangsters deliberately refrain from using a large company as a disguise. In order to place viruses on computers via e-mail, they disguise mails as messages from a debt collection agency. The hackers thus sidestep the mail server test described above, as they simply adapt the name of the collection agency to whatever mail server address they are using. In such a case, the mail contains an attachment that supposedly documents the debt claim. This file often carries a virus. Some of the cover letters even contain a personal salutation. Don’t let yourself be fooled: the data often comes from commercially available address databases, which in turn are fed with information collected through prize draws.

Mails from friends


People are often mistakenly advised to trust messages coming from people they know. This is dangerous, because your acquaintances may themselves have fallen victim to a virus attack. There are two different scenarios: you may receive an e-mail that came from an acquaintance, but whose contents are riddled with advertisements, or the message may contain suspicious text that asks you to click a link contained in the e-mail. You should never trust such an e-mail. Here too, you can often check the authenticity of the e-mail by checking the mail server: the mail domain – such as Google Mail – must match the name of the sending server. On the other hand, an e-mail sent by an acquaintance may also land in the spam folder, even if it is a genuine mail that is free of viruses. Such a scenario simply means that the spam filter has not been trained correctly; certain chunks of text are often wrongly classified as spam. If you want to play it safe, you should simply give the acquaintance in question a call. If they really do have a virus on their PC that is sending e-mails on its own, they will be grateful to you for pointing it out.

Web Frustration


Sometimes an inordinately large number of advertisements appears on legitimate sites, or the browser throws up a warning about a fake certificate. Here are some tips on telling when such a situation merely indicates an error on the part of the website, and when it means that real web-based danger is on the horizon.

Adware plug-ins


Are you being faced with an excessive number of advertising pop-ups in the middle of a browsing session? This might be due to an adware plug-in or virus-related add-ons. Such a software add-on nestles deep in the browser and can only be removed by going through several steps. First, you should install and run the AdwCleaner programme. The tool removes unwanted adware and toolbars from your computer. In the next step, you will have to do a few things manually: open your browser’s add-on menu. In Firefox, you will find it under “Extras | Add-ons | Add-ons”. The menu shows you all the installed tools. Deactivate every tool that cannot clearly be classed as legitimate. Do the same thing in the “Plug-ins” section. If a certain website stops working properly over the next few days, the browser will automatically prompt you about the deactivated plug-in. Apart from this, you should always ensure that your plug-ins are up to date. Useful tip: in Firefox, the browser can, if desired, search for updates by itself. To make this happen, click the “Check whether your plug-ins are up to date” option in the plug-in window.

Checking certificate errors


If a certificate error appears when a website is being opened, it doesn’t necessarily mean that the site is phoney. In most cases, the site is simply running an old certificate. To check whether this is really the case, click on “Details” when the warning is thrown up. Most browsers will describe the problem in greater detail. If the certificate is merely expired, you can go ahead and use the site. Another error involves an incorrect server name. For example, if the company has moved parts of the website onto an external server, the name will no longer correspond to the certificate, which results in a certificate error. However, such a warning can also be indicative of a phoney certificate. If it is, you should just stop accessing the site. Nevertheless, your computer may be in danger even if there is no error, because hackers sometimes obtain so-called root certificates, which can be used to create valid-looking certificates for websites such as Google or Microsoft. Yet such phoney root CAs are quite rare and are blocked very quickly. In Windows, the list of blocked certificates is kept up to date via Windows Update; some browsers use an independent database. Consequently, it’s enormously important that Windows and the browser receive regular updates. Apart from that, old browser versions can also cause certificate errors.

Detecting password attacks


If, the next time you log into an online account, you receive a notification saying that unusual account activity was detected or a fraudulent log-in attempt was made, you should use a secure browser such as BitBox for sensitive log-ins. Such a browser is launched in a Linux environment that is protected against viruses, which shields your computer from hack attacks.