Why the bad guys will always win

Seen an email like this lately? Most techie types would recognise that this smells like some form of malware, but what about a “normal” user? The following scenario really happened; the names have been changed to protect the innocent.

User – “My machine says that it is infected with spyware”
Techie – “Where does it say that?”
User – “Down the bottom right hand side of the screen. It says Windows has detected your machine is infected with spyware”
Techie – “Do you have anti-virus and is it up to date?”
User – “Yes, I have PC-cillin and it is up to date”
Techie – “Ok, I’ll remote in and have a look”

Sure enough, the machine appears to be infected with spyware; however, a full system scan with PC-cillin detects nothing.

Techie – “Did you open email attachments today?”
User – “Yes, I opened one from UPS”
Techie – “Why? Did you send a parcel via UPS?”
User – “No”
Techie – “Are you expecting a parcel from UPS?”
User – “No”
Techie – “So, why did you open it?”
User – “I thought I was getting a surprise package”

Well, ladies and gentlemen, the user sure did get a surprise package. When they opened and ran the attachment, it installed itself as a hidden service, with copies in multiple locations on disk, entries in the registry, and so on. The machine was now infected.

Techie – “What did you do after you ran the attachment?”
User – “I went and did my Internet banking”

This story just keeps getting better and better, doesn’t it? First, the user gets their system infected with spyware by actually RUNNING an unknown attachment. Then, even though the system is warning them that there is a problem, they ignore it and go and do their Internet banking on the infected machine. We pick up the story again….

Techie – “I think you had better go and check your bank balances because there is a chance someone has stolen your passwords”
User – “They can do that?”

Sure enough, checking the bank balances from a known clean machine shows that the maximum daily withdrawal amount was transferred to an unknown account that day, and strangely enough not that long ago.

Techie – “You had better go and change all your Internet banking passwords”
User – “I don’t want to do that, it is such a pain”
Techie – “Well, if you don’t, they are going to keep taking money out of your account”
User – “They can do that?”
Techie – “They have your password remember?”
User – “Better go and change my password eh?”
Techie – “Very good idea and in the meantime I’ll try and clean up this machine”

Very interesting that this UPS_service.exe spyware had completely slipped past PC-cillin. A web search turned up very little about how to clean up the infection, so it had to be removed manually from the registry and the file system, and the system then restored to an earlier restore point. After running multiple scans the machine WOULD APPEAR to be clean, but you can never be 100% sure: a clean result from a product that did not detect the infection in the first place proves nothing.
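For the manual cleanup described above, the first step is finding where the dropped service and its registry entries live. The following PowerShell script is an added example, not the original post’s procedure: it enumerates the services and Run/RunOnce keys on the machine, resolves each entry to its executable, and flags binaries that are missing, not Microsoft-signed, sitting in a user-writable directory, or whose name matches the “UPS” lure. The directory patterns and the name match are illustrative assumptions; the script is a triage list for a human to review, not a verdict, and like any scan it only tells you what the compromised machine is willing to show you.

```powershell
# Added example (not the post's own cleanup): enumerate common Windows
# persistence points and flag entries that deserve a closer look.
# Run from an elevated PowerShell prompt on the suspect machine.

function Get-ImagePathExe {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    # Expand %SystemRoot%-style variables, then strip quotes and arguments
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-Suspicious {
    param([string]$Name, [string]$Path)
    $reasons = @()
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        $reasons += 'binary missing or unresolvable'
    } else {
        # Catalog- and embedded-signed Windows binaries report Status 'Valid'
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $reasons += "not Microsoft-signed ($($sig.Status))"
        }
        # Assumption: legitimate services rarely live in these directories
        if ($Path -match '\\(Users|ProgramData|Temp)\\') { $reasons += 'user-writable location' }
    }
    # Assumption: the lure in the post was named UPS_service.exe
    if ($Name -match 'ups') { $reasons += 'name matches the lure' }
    return $reasons
}

$findings = @()

# 1. Services: a dropped "hidden service" shows up as a PathName here
Get-CimInstance Win32_Service | ForEach-Object {
    $exe = Get-ImagePathExe $_.PathName
    $why = Test-Suspicious $_.Name $exe
    if ($why) {
        $findings += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = $exe; Why = ($why -join '; ') }
    }
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
        $exe = Get-ImagePathExe $p.Value
        $why = Test-Suspicious $p.Name $exe
        if ($why) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Path = $exe; Why = ($why -join '; ') }
        }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Expect some noise from legitimate third-party software, which is also not Microsoft-signed; the point is to get a short list of unsigned or oddly placed binaries to examine, hash, and remove, rather than trusting a single anti-virus verdict. Run it from a known clean boot medium or after the restore if you want to compare before-and-after results.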

User – “Whatta you mean you can’t be 100% sure?”
Techie – “Look, I have done everything I can think of to remove it, but if PC-cillin isn’t even detecting it, how can you be 100% sure?”
User – “But I want to be 100% sure?”
Techie – “Wipe the disk and start again”
User – “WHAT???”
Techie – “Sorry. Once a bad guy has control of your system, it ain’t yours anymore. You can try and throw them out but who knows what other tricks and back doors they have created for themselves”
User – “All that because I opened an attachment?”
Techie – “Yup”

This is why the bad guys are ALWAYS going to get around any technological protection you put in place. If they can fool the human being into overriding all these safeguards, why even attempt to circumvent the technology? Go straight for the human weakness, because you know it will work EVERY time.

Education is the key. NEVER EVER trust something unsolicited from the Internet, and THINK before opening ANY attachment.

You have been warned!
