February 08, 2010, 10:09 AM
Though most of the machines at home are currently Linux driven, there are a couple of Windows machines in the house that are used by my children for Software they Cannot Live Without. My teenager likes games, and my tweenager is quasi-addicted to iTunes.
Being a tolerant Dad you have to know when to pick your battles. This may be a shock to some Linux users out there, but compared to boys, piercings, and parties, letting them run Windows seemed to rank very low on the Dad scale of things that can possibly go wrong. Did I mention boys?
Now, it seems, I may have to revise this prioritization. Until this week, all went well, as the freeware AV software I had running seemed to catch everything that arrived on my daughters' virtual doorsteps. But after a couple of weeks of my middle child neglecting to update and scan with said software, I suddenly found myself facing a serious problem on her PC.
The problem was a very sneaky Trojan attack known in the security biz as ransomware. I had just happened to see a video about this very same type of attack early last week, so when my daughter called me upstairs to see "something weird" on her screen, I knew exactly what it was.
Basically, here's how ransomware works: after surreptitiously installing itself on a Windows PC, ransomware pretends to be a very realistic-looking antivirus software application that has "found" terrible, bad things on your PC. As if to demonstrate just how bad these things are, anytime you try to open another application, the attempt is blocked with a message that the "application is infected." In fact, the only thing that will work is Internet Explorer... which the ransomware actually needs to connect to the Internet.
Why does it need connectivity? Funny you should ask... because in order to have the "antivirus" software "clean" your machine, you'll need to pay the low, low price of $39.95 to activate the software. Gee, forty bucks to rid my machine of all of these dastardly viruses? What a bargain!
Forgetting for a moment that this whole thing is a Trojan rogueware application that shouldn't be on your system in the first place, stop for a minute to consider that if you pay the "activation fee" you've just given your credit card number to the same malicious person who infected your machine.
An attempt to search for a solution on the infected machine came up with nothing: Firefox would not start, and IE had been proxy-napped so it would only go to porn sites.
At this point, I could very easily have backed up my daughter's personal files, installed Linux, and wiped the entire partition. Problem solved. But diverting my kid's machine to porn sites just made things personal, so I decided to find the solution and post it here both as a public service announcement and a way to deal a little payback.
This particular version of ransomware was labeled "Antivirus Soft," and after getting on my machine and Googling it, there were a number of solutions proffered by blogs and antivirus software creators. There were a lot of automated solutions, but somehow the thought of downloading another application from sources I'd only vaguely heard of seemed a bit foolhardy.
Instead, I launched my KNOPPIX liveCD and used this great Linux utility distribution to hunt down and kill the errant files named in a removal list I found online. There were also registry entries to delete, and KNOPPIX has an on-board registry editor (WINE-enabled) that lets you get in and fix things, too. For me, using Linux as a solution tool made absolutely sure that things were done right.
And yes, I see the irony in that last statement.
Fifteen minutes later, my daughter's system was cleared, and there were no more warnings. Fixing this PC manually also afforded me yet another look into how ridiculously vulnerable Windows is. I can understand--just barely--a rogue application running and causing havoc on a system. But to actually allow the system's registry to be modified to:
- Take over a browser's proxy settings
- Open any Web site with invalid signatures
- Block all other applications from running
is absolutely unconscionable. Why existing core system settings should get touched at all by any application seems deeply flawed reasoning.
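The post says what the rogue "antivirus" did to the registry (proxy hijack, silenced certificate warnings, blocked programs) but not where it did it. The script below is an added example, not something from the post or from any removal guide: a read-only audit, run from an elevated PowerShell prompt, of the standard Windows registry locations that rogue security software of this kind commonly uses for exactly those three effects. The specific key paths are my assumptions about how such a sample would achieve what the post describes; the post itself names no keys.

```powershell
# Added audit script, not from the post. Read-only: it reports, never edits.
# The key paths are standard Windows locations chosen here as assumptions
# about how the proxy hijack, the silenced certificate warnings and the
# blocked applications described in the post are typically done; the post
# itself does not name them. Run from an elevated PowerShell prompt.

function Get-RogueAvFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($check, $where, $value, $reason) {
        $findings.Add([pscustomobject]@{ Check = $check; Where = $where; Value = $value; Reason = $reason })
    }

    # 1. WinINET settings used by Internet Explorer (per user): proxy and
    #    certificate-warning behaviour live here.
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1) {
        Add-Finding 'Proxy' "$inet\ProxyServer" $p.ProxyServer 'Proxy enabled; a home PC normally uses a direct connection'
    }
    if ($p.AutoConfigURL) {
        Add-Finding 'Proxy' "$inet\AutoConfigURL" $p.AutoConfigURL 'Proxy auto-config script set; confirm it is one you recognise'
    }
    if ($null -ne $p.WarnonBadCertRecving -and $p.WarnonBadCertRecving -eq 0) {
        Add-Finding 'Certs' "$inet\WarnonBadCertRecving" 0 'Invalid-certificate warning disabled'
    }

    # 2. Image File Execution Options: a Debugger value makes Windows start
    #    that program instead of the executable named by the subkey.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            Add-Finding 'IFEO' "$($_.PSChildName)\Debugger" $dbg 'Debugger redirect on an executable name; rarely legitimate on a home PC'
        }
    }

    # 3. The handler Windows runs for .exe files. The stock command is "%1" %*;
    #    anything else routes every program launch through another binary.
    $exeOpen = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $cmd = (Get-ItemProperty -Path $exeOpen -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd.Trim() -ne '"%1" %*') {
        Add-Finding 'ExeHandler' $exeOpen $cmd 'exefile open command is not the Windows default'
    }
    # A per-user override of the .exe file type needs no admin rights, so its
    # mere presence under the current user's Classes key is worth flagging.
    $userExe = 'HKCU:\Software\Classes\.exe'
    if (Test-Path $userExe) {
        $handler = (Get-ItemProperty -Path $userExe -ErrorAction SilentlyContinue).'(default)'
        Add-Finding 'ExeHandler' $userExe $handler 'Per-user .exe file type override present; a default Windows install has none'
    }

    return $findings
}

$result = Get-RogueAvFindings
if ($result.Count -eq 0) {
    Write-Host 'No proxy, certificate-warning or executable-handler anomalies found.'
} else {
    $result | Format-Table -AutoSize -Wrap
}
```

A clean machine prints the single "no anomalies" line. Each finding names the exact key and value so it can be compared against a known-good PC and, if confirmed, removed with the registry editor; the script deliberately changes nothing itself, since the point of the post's manual clean-up was to see and verify every change before making it.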
The net result of this journey into rogueware-land is that my daughter was now much more open to allowing her system to be replaced with a Linux installation... particularly after I explained how Audacity and Amarok would let her manage her cherished iPod music collection. She's on openSUSE 11.2 now, and grooving to it.
For my part, I think even knowledgeable users like me can let themselves be lulled into a false sense of security when it comes to thinking obscurity equals protection. Before I zapped the Windows away, I checked her browser history and saw nothing but mainstream Internet sites: Facebook, YouTube, iTunes... the likely culprit is a suspiciously large image file that my daughter said downloaded itself a few days ago--from Facebook.
Mea culpa, lesson learned.
For those of you still clinging to the notion that Windows is secure, first, never believe any antivirus application that needs a fee to activate. Reputable software does not do this. Better still, look towards Linux as a solution. I know it's not a fit for everyone, but for most routine PC tasks, most Linux variants will excel.