Daily Archives: January 25, 2011

Ever Wondered How Exactly Your Computer Got Infected?

I wanted to give you a real life example of how malware can infect your system and how the different elements of a good computer security setup as described here can protect your computer against it.

A client contacted me to ask if a suspicious email was in fact legit. It was one of those fake UPS emails announcing “your package has arrived” and giving a link to download the invoice. The link actually pointed to a small program that would download to your computer if clicked on. Even though I knew the file was malicious, adventurous as I am, I clicked on the link and downloaded the program with the purpose of opening it just to see what would happen. NOTE: Don’t try anything like that if you’re not an expert who knows how to contain an infection before it affects your computer, unless you want to end up with an infected computer.

The malicious file, being relatively new, was missed by my antivirus program both when I downloaded it AND when I opened it. Tsk-tsk. But I don’t really hold it against it – later I submitted that file to an online scanner that scans any file against 43 different antivirus programs and only 5 out of the 43 identified the file as malicious! That is why you want to have several layers of protection. But read on.

As soon as I opened the malicious file, two things happened. My firewall alerted me to the fact that a program was trying to communicate with the internet in a suspicious way (and blocked it until I decided whether or not to grant access), and AppGuard alerted me that it had blocked a program attempting to launch (start, open, execute) from an illegal location. I looked into the steps of the program that the original downloaded file had created, and in it were instructions to delete the original executable file and then itself! Sneaky bastard! In other words, the original program would have delivered its payload by starting, planting its infection, “calling home” (“home” being a website with an IP address of 76.76.104.203, somewhere in Canada), and then creating another program that would in turn delete all visible evidence of the infection!

Since I had done all of the above in a controlled virtual environment, a restart of the computer undid any changes that might have occurred in case something had gotten past all the other layers of protection. But I hope this gives you a better idea of how an infection can occur and hide itself from view, and how a good security setup can keep you safe.