• Malware getting thru modem or router?

    #505671

    Yesterday I was on the phone with an elderly friend who had bought a new laptop computer and needed help setting it up. She lives two states away, so the phone was the only way I could help. Once we’d set up her local account, she downloaded TeamViewer, and I used that to handle the operation.

    Of course, we had to work by phone until I could use TeamViewer. During the setup by phone, she paused every now and then to tell me about something that had popped up on her screen. One alert said she needed to update a bunch of drivers, and the item kindly offered to help her with that chore. Moments later, another similar alert appeared. Each time, I stopped her and told her to ignore these alerts—they sounded like trouble to me. We got the local account established, and right away I got busy installing antivirus software. Her ISP, Comcast, provides Norton Internet Security free of charge; that’s what I installed.

    Next I went to Add or Remove Programs, where I confirmed my hunches. I deleted “Chromium” and two other PUPs that had gotten onto her system in the short time it took to set up the local account! Then I installed and ran Malwarebytes and CCleaner. The former found and removed 33 PUPs. I think it’s all under control now, but I’m a little worried. My friend has a history of letting crapware onto her computer. I’m sure I’d find plenty of it if I could peek at the Vista machine she’s replacing. She opens stuff she gets from friends, and then wonders why her machine misbehaves. No amount of counseling dissuades her.

    I know there’s no way to keep malware off a machine if the user simply will not exercise basic preventive behaviors. My chief, immediate concern is with the speed at which this stuff got in. I’ve set up a few new machines over the years, and never have I seen malware appear this quickly and easily. I suspect there’s no guardian at the modem or router. What can I check—what barriers can I erect—at the “front door” to help keep her system safe?

    • #1564899

      Caesar,

      You’re assuming that the stuff “got in” when it may well have been put there by the OEM!

      You might also seriously consider installing Microsoft EMET on her machine and select the highest settings.
      If she doesn’t normally install software this should not interfere with surfing and email.

      HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1564901

      I believe if it is a Windows 10 machine that much of what EMET covers is already in Windows 10. See Enhanced Mitigation Experience Toolkit (EMET) version 5.5 is now available for more information. EMET may be overkill for her.

      I think that you should try to figure out where she is browsing and what she is clicking on. Social engineering is the most likely infection vector.

      --Joe

    • #1564922

      Joe,

      Unfortunately, the items mentioned in the article are Enterprise Level Tools and not available to us mere mortals.

      Also, Edge may be more secure but it is basically useless due to lack of full addon support IMHO.

      I still use EMET as part of my layered security setup on my (3) Win 10 setups and it seems to be working AFAIKT!

      HTH :cheers:

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!

    • #1564929

      @RG,

      Unfortunately, EMET is not a set it and forget it tool. You often don’t know the effects until you’ve run the system for a while using most if not all the programs you normally run.

      --Joe

    • #1564930

      You may want to log into her router and change the password from probably what is still the default admin and check the router’s security is set to WPA/WPA2 – PSK – AES.

      • #1564938

        Guys, I really appreciate all the information you’ve shared. This is the first I’ve heard of EMET. It sounds like a great tool. However, I’d be more comfortable using it if I still lived across the street from this lady. Now I’m two states away, so I really do need a “set it and forget it” tool. @Sudo15, that’s a great idea about logging into her router. I can do that with TeamViewer. My client’s router was likely set up for her by one of her sons, who’s not exactly a whiz at this stuff, if you get my drift. I think I also need to discuss her browsing and clicking habits in depth. She tends to trust her friends to NOT send anything that might be a gotcha.

    • #1564957

      Unfortunately, setting up a computer has become an alligator/swamp sort of thing and it’s getting worse. Not that long ago, you could set up a computer without connecting to the internet but that’s no longer the case. It’s even become nearly impossible to download a full install of AV software and store it on disk for install to another computer.

      That said, I think you are correct in the assessment that there may be a user error issue at work. However, it’s also possible that there is another infected computer connected to the same router, in which case it could rapidly find and infect any other computer connected.

      • #1564996

        Ah! In fact, there is another computer on the same network: An old Vista machine, which this shiny new W10 machine will replace. My experience with this client tells me that I’d find plenty of malware on the old machine … if I could check it. I need to get her to install TeamViewer on the old machine for a couple of reasons. For one thing, I know she’ll want to move her photos and documents to the new computer. Before I move anything, however, I’ll need to clean up the old machine, fer sherr.

        Thanks, Graham!

    • #1564964

      Some people are more prone than others to picking up malware on their computers. A few cases in point:

      * My former pastor and his wife — two very educated people. I personally set up and cleaned both computers, and installed Trend Micro on both. A few months later, I found adware on her computer; and a rogue search engine had grabbed control of his browser.

      * My wife — she doesn’t know much about computers, but she is very careful about where she goes, what she clicks on, and who gets on her computer. I checked her computer when we were dating; it was as clean as a whistle.

      Group "L" (Linux Mint)
      with Windows 10 running in a remote session on my file server
      • #1564978

        I checked her computer when we were dating; it was as clean as a whistle.

        Sneaky Jim, checking for competition in the guise of checking for malware…very sneaky! :evilgrin: 😆

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!

        • #1564986

          Sneaky Jim, checking for competition in the guise of checking for malware…very sneaky! :evilgrin: 😆

          Actually, I had already hacked her match.com account, so I didn’t need to.

          JUST KIDDING!!!!!

          Group "L" (Linux Mint)
          with Windows 10 running in a remote session on my file server
    • #1564995

      Sure! :rolleyes:

      Image or Clone often! Backup, backup, backup, backup......
      - - - - -
      Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

    • #1565040

      This is for something else but it will work for what you want. Set Windows Updater to automatic once the Win10 offer expires if she is not updating. Set up a Guest account as the main use account and an Admin account with an easy password for use in installing apps. Put the password on something easy for the owner to access when needed. The account will only produce a window announcing a password is needed to install XXXX. If the owner goes ahead and supplies it, well, you tried.

      Hardening off Vista

      If you are running Microsoft’s Vista, support will end on Apr. 11, 2017.

      Truthfully, a lot of what I am suggesting below should have been implemented a long time ago. But the next best time to do it is now.

      ———————–

      Add memory (if needed) to 3-4GB (32-bit) or 8GB (if 64-bit). You are supporting an old PC; get it into shape.

      Update wifi router (hardware) firmware after backing up settings. This can harden its access off and it may patch up some holes in its security.

      Clean out dust. Make sure fans are working. Look for issues inside (leaking caps for example).

      On an old system it is a good idea to run memtest86+, hwmonitor and mfg. drive diagnostic app(s) just to see if the equipment is still working to specs. Store a copy of the results (log) somewhere if possible.

      Consider adding a SSD [at least 120GB, though as I write this 250GB is the sweet spot] as the boot drive if still running on an HDD [see clean install of OS suggestion].

      ———————–

      Install any remaining Vista updates.

      Turn off the Windows Update once support date is past. (Microsoft Update is left on if MS Office 2007 or newer still on PC; Office 2007 support ends Oct. 10, 2017)

      Set IE9 to highest security settings and use some supported browser like Firefox/Thunderbird (email) [Chrome no longer supports Vista]. Disable IE by directing to a self IP address.

      Update BIOS (if needed). I always update the BIOS to the last revision available before an install.

      Check for firmware on drives and apply.

      Clean install Vista. Great time to do it. (optional) If you do be sure to back up before you do. Be sure to grab all product keys/activation codes/etc from anything you plan to reinstall.

      Update all drivers, including peripherals.

      Belarc Advisor and WinAudit to inventory apps and machine. Look for apps you no longer or never use to remove.

      CCleaner remove any unneeded apps, check what startups are running, clean registry and temp files.

      Backup drive image (Macrium Reflect)

      Vista updates (collected)
      http://download.wsusoffline.net/

      Replace no longer supported Firewall – Comodo [Zonealarm is a good alternate]

      Replace Antivirus (if Microsoft) with something that will continue to support Vista. – AVG

      Add MozBackup and save browser/email if Mozilla based browser/email chosen

      add AdBlockPlus
      add HTTPS: Everywhere
      add Web of Trust (WOT)
      add YesScript or NoScript
      add Ghostery
      change to OpenDNS server on router (good job of blocking phishing) 208.67.220.220, 208.67.222.222, or on Windows if portable: https://support.opendns.com/entries/37998470-Windows-Vista

      Replace MS based email if unsupported – Thunderbird update (set ISP servers for secure email)
      POP (in): pop….., port 995, SSL/TLS, normal password
      SMTP (out): smtp….. port 587, STARTTLS, encrypted password

      Add EMET 5.5 (free; requires NetFramework 4) [support ends Jan. 27, 2017], Malwarebytes Anti-Exploit or HitMan Pro.Alert

      Add HitMan Pro.Kickstart (not a blocker, but recovery/removal) or Malwarebytes Anti-Ransomware (still in beta as I write this; stand alone blocker)

      Add PSI Secunia (checks Adobe Flash and Reader, Shockwave, Silverlight, Quicktime and Java) Consider dropping these apps as well unless needed.

      Check Mozilla based browser plug-ins for updates: https://www.mozilla.org/en-US/plugincheck/

      Check Browser security: https://browsercheck.qualys.com/

      Install a HIPS Intrusion Prevention System: https://blog.malwarebytes.org/intelligence/2013/05/whatiships/

      Update the HOSTS file now that MS won’t do it.
      http://someonewhocares.org/hosts/

      Consider using a sandbox for apps. http://www.sandboxie.com/
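      A read-only audit script for the checks the thread keeps coming back to (unfamiliar entries in Add or Remove Programs, whether the machine is actually resolving through the OpenDNS addresses above, and the state of the HOSTS file). This is an added example, not code from any poster; it assumes Windows 10 with the built-in NetTCPIP module (Get-DnsClientServerAddress) and can be run over TeamViewer in an elevated PowerShell window.

```powershell
# Added audit script (not from the thread). Read-only: it reports, it changes nothing.
$OpenDns = @('208.67.220.220', '208.67.222.222')   # the OpenDNS resolvers named in the post

function Get-InstalledPrograms {
    # Same data Add or Remove Programs shows, read from the Uninstall registry keys
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, Publisher, InstallDate
}

function Get-RecentPrograms([int]$Days = 7) {
    # InstallDate is a yyyyMMdd string and is sometimes missing or malformed; skip those
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-InstalledPrograms | Where-Object {
        $d = $null
        $_.InstallDate -and
        [datetime]::TryParseExact($_.InstallDate, 'yyyyMMdd', $null, 'None', [ref]$d) -and
        $d -gt $cutoff
    }
}

function Test-OpenDnsResolvers {
    # True only when every configured IPv4 resolver is one of the OpenDNS addresses
    $servers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses })
    [pscustomobject]@{
        Resolvers  = $servers
        AllOpenDns = ($servers.Count -gt 0) -and -not @($servers | Where-Object { $_ -notin $OpenDns })
    }
}

function Get-HostsSummary {
    # Counts blocking entries (0.0.0.0 / 127.0.0.1 lines) such as a someonewhocares.org list adds
    $path = "$env:SystemRoot\System32\drivers\etc\hosts"
    $lines = Get-Content $path
    [pscustomobject]@{
        Path         = $path
        BlockEntries = @($lines | Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S' }).Count
        Modified     = (Get-Item $path).LastWriteTime
    }
}

"== Programs installed in the last 7 days (review anything unfamiliar) =="
Get-RecentPrograms | Format-Table -AutoSize
"== DNS resolvers (expect only the OpenDNS addresses if the router was changed) =="
Test-OpenDnsResolvers | Format-List
"== HOSTS file =="
Get-HostsSummary | Format-List
```

      Program entries with no InstallDate are not listed by the recent filter, so also scan the full Get-InstalledPrograms output once for names like the “Chromium” the original poster removed.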

    • #1565047

      A bit difficult to do those physical things when just accessing the machine through Teamviewer 🙂

      Plus, depending on the elderly person’s level of competence – it’s best to keep things simple.
