Take Over Attempt Foiled!

[crabfoot]

Something nasty almost happened to me yesterday.

I was quietly beavering away at my computer when the antivirus program started ringing bells about malware appearing on my computer - about one item every ten seconds. It took me about a minute to realise that I was under attack, at which point I quickly unplugged my internet dongle, but I was unsure if damage had been done. The only clue remaining to show the attack was that the browser download window was open in the background, but did not show evidence of any new download.

Over an hour later, the full antivirus scan had found nothing. A reboot involved the usual delay due to "updates for everything" being installed. Since the antivirus had found nothing, I downloaded Spybot - Search and Destroy to check for anything the antivirus had not found. That's bitter experience from the last time I was attacked about three years ago. Thankfully, all it appears to have found are the cookies in my browser (never heard of Zedo before).

Did I do well - could I have done better?

[mpcovcd]

When I read the title I thought maybe you were trying a hostile takeover of a company. :P

I'm no security expert, but I would have taken the same steps. I don't really know if unplugging the internet does anything since the virus is already on your computer? But I pretty much take the same steps you do including spybot search and destroy.

[benitez17]

Sounds like you did the right thing to me. If you don't keep regular backups of your PC, this incident could serve as a warning that you need to start.

[crabfoot]

I don't really know if unplugging the internet does anything since the virus is already on your computer?

The idea is that it stops any more nasties from being downloaded. In this case, it interrupted the download process - the antivirus found nothing on the disks, so whatever was trying to get in did not succeed in completely downloading anything.

But I pretty much take the same steps you do including spybot search and destroy.

Does this happen to you often?
I've never had an attack like this, except when I once tried to access an articles site that had been burgled and fitted with a trojan on the home page. That left me with something in the works which would wait a while, then try to take me somewhere undesirable - Search and Destroy was my saviour then, which is why I'm using it now.

I did nothing to trigger the attack, except leave the computer connected while typing - I was waiting for a poker game to start.
I've had people try to sneak controls in before, but never blatant infection with malware unless I've tried to access an attack site, in the days when the antivirus didn't block the attack. This is a new one to me.

If you don't keep regular backups of your PC, this incident could serve as a warning that you need to start.

I've got a removable hard drive that I bought for the purpose, but I don't backup enough stuff. That's mostly because of the way Win7 works with fake paths and folders - it makes it hard to see where I've put things unless I'm using the "Windows view" of things.
Pardon the pun, do you have some suggestions for how to be systematic about that sort of thing?

[benitez17]

I've got a removable hard drive that I bought for the purpose, but I don't backup enough stuff. That's mostly because of the way Win7 works with fake paths and folders - it makes it hard to see where I've put things unless I'm using the "Windows view" of things.
Pardon the pun, do you have some suggestions for how to be systematic about that sort of thing?

Automate the process. I just have a scheduled task that moves everything in certain folders to a small NAS I have at home once a week, but there are many other ways to do it.

[FinanceGuy]

Wow, not a fun experience and an echo of the "back up often" mantra. I use McAfee online backup which for $60 a year is cheap insurance.

As for your PC, were you behind a NAT? Up to date firewall and AV software? Which AV program?

[KenW3]

Does this happen to you often?
I've never had an attack like this, except when I once tried to access an articles site that had been burgled and fitted with a trojan on the home page. That left me with something in the works which would wait a while, then try to take me somewhere undesirable - Search and Destroy was my saviour then, which is why I'm using it now.

I'm using the CA Technologies Internet Security Suite. The McAfee Total Protection product is similar. CA has interrupted my browsing to let me know of problems, not with downloads, but caused simply by browsing to a site. Last week, I visited a vending company site and the site dropped a trojan somehow. CA popped up a notice that said the file was quarantined, but a reboot was immediately required. I assume that was because there was something left in memory. After the reboot, I ran a scan, and all was fine. This happened simply by visiting a site; I was not downloading anything and was behind both a hardware and software firewall.

I did nothing to trigger the attack, except leave the computer connected while typing - I was waiting for a poker game to start.
I've had people try to sneak controls in before, but never blatant infection with malware unless I've tried to access an attack site, in the days when the antivirus didn't block the attack. This is a new one to me.

This trojan was an exploit with either data or executable code that attempted to penetrate my box just by visiting a site. Odds are, the site was compromised due to not being updated in a long time and ended up being hacked. I was not downloading any files, other than the site's files to display to a browser window. I had not clicked on any part of the site, and did not click on any pop-up windows. I have had attempts to install malicious code from attempting to close ads, email sign-up boxes, and exit pop-ups, so I am now suspicious of all forced clicks (clicks required to continue or exit or close something) on a site. My preference there is to use Alt-F4 to close, and if that doesn't work, I sometimes force a site to close using Windows Task Manager.

I've got a removable hard drive that I bought for the purpose, but I don't backup enough stuff. That's mostly because of the way Win7 works with fake paths and folders - it makes it hard to see where I've put things unless I'm using the "Windows view" of things.
Pardon the pun, do you have some suggestions for how to be systematic about that sort of thing?

A USB external (Seagate) drive I purchased came with software which allows three levels of back-up. The one I use is a real-time mirror of all file changes. I select the directories to be mirrored, and every time I save a file, it is saved on two drives. The other two back-ups are daily (at a scheduled time of selected directories), and export to a different external hard drive. Due to the quantity of work on this box, I also carry a Western Digital My Passport USB-powered pocket-sized drive. While I like the fact there is no power supply, the cord is proprietary (and certainly doesn't need to be). The little one terabyte My Passport drives are (shirt-pocket sized) 3 1/4 by 4 1/4 and not quite 3/4 of an inch thick. When I walk out the door, I always have one of these in my pocket. The cost varies from $100 on sale to $130 retail.