• XP End of Life in April has Attackers Rubbing their Palms

    Microsoft Security research paints bleak picture for XP users

    The latest Microsoft Security Intelligence Report has just been released, and this edition focuses on the situation facing Windows XP users. Citing third-party data, it says that 21% of users are still running Windows XP, which reaches End of Life in April 2014, after which no security updates will be issued for it.

    Once the last Windows XP patch is issued (April 8, 2014), unpatched vulnerabilities will begin to emerge. Some will have been held back by attackers until there is no longer any chance of a fix, and every bug fixed in Vista, 7 or 8 from then on will point attackers at the same code in XP, where it stays open for good.

    The report also states that Windows has become more resistant to malware with each release. At the extreme, Windows XP users are almost six times more likely to become infected with malware than Windows 8 users. This is because Microsoft has steadily incorporated defensive technologies into Windows with each new version. The only major mitigation XP ever got was Data Execution Prevention (DEP), added in SP2; later versions added ASLR and other mitigations, and DEP's own implementation has improved greatly since.

    All XP systems should be replaced or upgraded by the end of March 2014. If this is not practical for some reason, then at a minimum customers will be required to add extra protection to their XP systems in order to continue support: every remaining XP system will require a current version of AVG Business Security as well as a current version of Malwarebytes Pro.


  • Cryptolocker Virus Update!

    Over the past few weeks an untraceable band of criminals has flooded the internet with a particularly nasty piece of ransomware known as CryptoLocker. It is contracted by users who open infected email attachments that appear to come from banks, credit card companies, Paychex, ADP, FedEx, UPS and the like. Be aware that these companies do not send unsolicited attachments, so if you see one you should treat it as suspicious and delete it. The same goes for any other email with an attachment you are not specifically expecting.

    What makes this virus particularly worrisome is:

    1. The criminals are continuously developing new strains to outpace anti-virus vendors' ability to keep up. This means that despite the best protection, infected emails may still get through.

    2. The malware immediately encrypts your documents, spreadsheets, pictures and other data files on your computer, then goes out to your mapped drives and encrypts everything you have write access to on the network. To decrypt the files you will have to pay a ransom ranging from $300 to $2,000, and even paying does not guarantee success, because the servers that hold the decryption key move from host to host and may no longer be reachable.
    Although our customers' networks and computers are very well protected, there are still ways for this to get through, particularly if you mix business and personal use on your computer. Users who check personal email through Gmail, Yahoo, Hotmail, etc. can easily download an infected attachment, thereby bypassing our perimeter security protection. Likewise, if you use your laptop on other networks (including your home network), much of that protection is defeated.

    If, despite all our best efforts, you do get infected (or suspect you might be), you will see the CryptoLocker warning screen demanding the ransom.

    If you see this at any time, immediately shut down your computer – and by shut down I mean literally unplug it from the wall, or hold the power button in for 10 seconds until it shuts off. Then immediately call me or the Integrated IT Help Desk. In this case don’t be concerned about shutting down properly – your computer will need a complete reinstall anyway.

    Notwithstanding the above, this is to assure you that all appropriate protections are currently in place on your network.  These include:

    1.  Firewall protection through Sonicwall Comprehensive Gateway Protection Plan – As long as default settings are in place, the firewall will not allow transmission of these email attachments.

    2.  SpamSoap Email Gateway – again, SpamSoap protects against transmission of these files.

    3.  Group Policy Objects – we have implemented an additional Group Policy Object (GPO) on customer domains. The GPO prevents the running of any executable from the user's %AppData% directory, which is where CryptoLocker drops and launches itself. Note that this may prevent other programs that install into %AppData% from running (to date we have only identified Spotify as affected – and why is that on your computer anyway?).

    4.  Malwarebytes Pro – this anti-malware program is the only client-based product we have seen block this infection. If you have the free version of Malwarebytes on your computer, it will only identify the infection during a scan and will not block it from executing. Malwarebytes Pro (for $25) is very good protection against this and other threats, particularly if you use your laptop on other networks.
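
    The %AppData% rule above is the single most effective of these four protections. As an added example (not code from the original newsletter, nor from any vendor named here), the following PowerShell script writes the equivalent Software Restriction Policy (SRP) path rules to the local registry of a standalone or test machine and then models which level a given file path would receive. It assumes PowerShell 2.0 or later (an optional download for XP SP3), an elevated prompt, the documented SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, and an assumed Spotify install path for the exception rule; Get-SrpDecision is my own approximation of SRP's path matching, not a call into it. It also goes one step beyond the page by blocking executables one folder level below %AppData% as well.

```powershell
# Added example, not code from the original newsletter.  Writes SRP path rules
# that block executables under the user's %AppData% tree (what the domain GPO
# above does), reads them back, and models the level SRP would assign a path.
# Assumptions: PowerShell 2.0+, an elevated prompt, a standalone/test machine
# (on a domain member the GPO overwrites these keys at the next refresh), and
# the documented SRP registry layout under ...\Safer\CodeIdentifiers.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # SRP security level "Unrestricted" (0x40000)

function Enable-Srp {
    # Global SRP settings: allow by default, enforce on executables (not DLLs), all users.
    New-Item -Path $Safer -Force | Out-Null
    New-ItemProperty -Path $Safer -Name DefaultLevel       -PropertyType DWord -Value $Unrestricted -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -PropertyType DWord -Value 1             -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -PropertyType DWord -Value 0             -Force | Out-Null
    # A typical set of extensions SRP treats as executable (what secpol.msc writes by default).
    New-ItemProperty -Path $Safer -Name ExecutableTypes -PropertyType MultiString -Force `
        -Value @('ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
                 'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC') | Out-Null
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # pattern such as %AppData%\*.exe
        [Parameter(Mandatory=$true)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # Each rule is a subkey <level>\Paths\{GUID}; the GUID is only a unique key name.
    $ruleKey = "$Safer\$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData    -PropertyType ExpandString -Value $Path        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags  -PropertyType DWord        -Value 0            -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description -PropertyType String       -Value $Description -Force | Out-Null
    return $ruleKey
}

function Get-SrpPathRules {
    # Read the rules back without expanding %AppData%, so output shows the pattern as written.
    foreach ($lvl in @(@{Id=$Disallowed; Name='Disallowed'}, @{Id=$Unrestricted; Name='Unrestricted'})) {
        $pathsKey = "$Safer\$($lvl.Id)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($key in Get-ChildItem -Path $pathsKey) {
            New-Object PSObject -Property @{
                Level       = $lvl.Name
                Path        = $key.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                Description = $key.GetValue('Description', '')
            }
        }
    }
}

function Get-SrpDecision {
    param([Parameter(Mandatory=$true)][string]$FilePath)
    # Approximation of SRP path matching: '*' does not cross a backslash, the most
    # specific (longest) matching rule wins, and with no match the default level applies.
    $file = [Environment]::ExpandEnvironmentVariables($FilePath)
    $best = $null
    foreach ($rule in Get-SrpPathRules) {
        $pattern = [Environment]::ExpandEnvironmentVariables($rule.Path)
        $regex = '^' + ([regex]::Escape($pattern) -replace '\\\*', '[^\\]*') + '$'
        if ($file -match $regex -and ($best -eq $null -or $pattern.Length -gt $best.Length)) {
            $best = New-Object PSObject -Property @{ Length = $pattern.Length; Level = $rule.Level; Rule = $rule.Path }
        }
    }
    if ($best -eq $null) { return 'Unrestricted (default level, no rule matched)' }
    return "$($best.Level) by rule $($best.Rule)"
}

# --- apply the policy and check it (run as administrator) ---
Enable-Srp
Add-SrpPathRule -Path '%AppData%\*.exe'   -Level $Disallowed -Description 'Block executables in AppData (CryptoLocker drop location)' | Out-Null
Add-SrpPathRule -Path '%AppData%\*\*.exe' -Level $Disallowed -Description 'Block executables one folder below AppData' | Out-Null
# Exception rule (assumed install path): only add it if the business actually needs the program.
Add-SrpPathRule -Path '%AppData%\Spotify\Spotify.exe' -Level $Unrestricted -Description 'Allow Spotify' | Out-Null

Get-SrpPathRules | Format-Table Level, Path, Description -AutoSize
Get-SrpDecision '%AppData%\dropper.exe'               # a file dropped straight into AppData
Get-SrpDecision '%AppData%\Spotify\Spotify.exe'       # the exception, more specific than the block rules
Get-SrpDecision '%ProgramFiles%\SomeApp\someapp.exe'  # a path no rule covers
```

    On a domain member do this through the GPO instead, since the domain policy overwrites these keys at the next refresh. The rules apply to processes started after the change; logging off and back on is the reliable way to be sure. To confirm enforcement for real rather than through the matcher, copy a harmless program such as calc.exe into %AppData% and launch it: it should fail with "This program is blocked by group policy".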

    An important note – removing the infection does NOT remove the encryption from your files. The only way to decrypt them is to pay the ransom using an anonymous web currency such as Bitcoin – and even then you are not assured of success, as these hackers move from host to host and the server that originally delivered the payload may no longer be in use. The only post-infection protection is a current backup taken before the time of infection, and it must be one the malware could not reach: a backup sitting on a mapped drive the user can write to gets encrypted along with everything else, so keep it offline, or on storage that only the backup account can write to.




  • With XP No Longer Supported, USB-borne Viruses Proliferate

    It has been less than a month since Microsoft ended official support for Windows XP, and already an exploit has been discovered. Microsoft has warned users that attackers are exploiting a critical, unpatched Windows vulnerability involving infected USB flash drives. This is the first exploit to hit Windows XP Service Pack 2 since support ended, and when Microsoft does develop a fix for it, they will NOT send out a security patch for a machine still running Windows XP.

    Following are instructions for removing USB-borne viruses, but they may not succeed depending on the strain you have picked up. They require downloading two free tools, RKILL and SuperAntiSpyware (links below). As always, make sure your antivirus software is current, and disable Autorun on your system so that a USB drive cannot execute anything automatically when it is plugged in; Autorun is how these infections spread from drive to drive in the first place.
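
    Since Autorun is the way these infections jump from drive to drive, here is an added example (not code from the original newsletter) in PowerShell that turns Autorun off for every drive type, checks that the setting stuck, and lists what any autorun.inf on a plugged-in removable drive would have launched. It assumes PowerShell 2.0 or later, an elevated prompt, the documented NoDriveTypeAutoRun policy value and the Autorun.inf IniFileMapping override, and that the Autorun fix Microsoft issued for XP in 2009 is installed (without it, XP does not honour NoDriveTypeAutoRun for USB drives). The autorun.inf sample in the script is constructed for illustration and is not taken from any real infection.

```powershell
# Added example, not code from the original newsletter.  Disables Autorun for
# all drive types, verifies the setting, and audits autorun.inf on removable
# drives.  Assumptions: PowerShell 2.0+, an elevated prompt, and on XP the 2009
# Autorun update from Windows Update (without it XP ignores NoDriveTypeAutoRun).

$PolicyKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer')
$IniMapKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Disable-Autorun {
    foreach ($key in $PolicyKeys) {
        # 0xFF sets every bit of the drive-type mask: no Autorun on any drive type.
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    }
    # Second line of defence: map autorun.inf to a registry key that does not exist,
    # so Explorer never reads the file at all, whatever the policy bit says.
    New-Item -Path $IniMapKey -Force | Out-Null
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

function Test-AutorunDisabled {
    # True only if both policy keys carry the full mask and the INI mapping is in place.
    foreach ($key in $PolicyKeys) {
        $v = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        if ($v -eq $null -or $v.NoDriveTypeAutoRun -ne 0xFF) { return $false }
    }
    $map = Get-ItemProperty -Path $IniMapKey -ErrorAction SilentlyContinue
    return ($map -ne $null -and $map.'(default)' -eq '@SYS:DoesNotExist')
}

function Get-AutorunActions {
    param([string[]]$Lines)
    # Return only the autorun.inf keys that cause code to run.  Worms pad the file
    # with junk sections and comments, so everything else is dropped.
    $Lines | Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$' } |
        ForEach-Object { $_.Trim() }
}

function Get-RemovableAutorunInf {
    # DriveType 2 = removable media.  Report each autorun.inf found and what it would run.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            New-Object PSObject -Property @{
                Drive   = $_.DeviceID
                Actions = @(Get-AutorunActions -Lines (Get-Content -LiteralPath $inf))
            }
        }
    }
}

# Constructed sample of the kind of autorun.inf a USB worm leaves behind (not a real one).
$Sample = @(
    '[autorun]',
    ';junk the worm adds to confuse scanners',
    'icon=%SystemRoot%\system32\shell32.dll,4',
    'open=RECYCLER\updater.exe',
    'shell\open\command=RECYCLER\updater.exe',
    'shell\explore\command=RECYCLER\updater.exe',
    'shellexecute=RECYCLER\updater.exe'
)
Get-AutorunActions -Lines $Sample      # lists only the lines that would launch code

# --- harden this machine and audit whatever is plugged in (run as administrator) ---
Disable-Autorun
Test-AutorunDisabled
Get-RemovableAutorunInf | Format-List
```

    Explorer reads the policy value when it starts, so log off and back on after running Disable-Autorun. The parser looks only for the keys that launch code (open, shellexecute and shell\<verb>\command); a worm's autorun.inf is often padded with junk sections, which is why the whole file is not printed. A drive whose autorun.inf points at something in RECYCLER or a hidden folder should be treated as infected and scanned before anything on it is opened.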

    Following are some instructions that we have used to remove these USB viruses.

    Tools Required:

    RKILL (http://www.bleepingcomputer.com/download/anti-virus/rkill)
    (click on the first blue “Download Now” button)
    SuperAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE)

    Steps to remove the threat:

    1. Reboot the PC into Safe Mode with Networking
    (press F8 during startup to bring up the menu to choose Safe Mode)

    2. Start the Windows Task Manager (Ctrl-Alt-Del) and manually terminate any virus-related processes. These would be any processes you don't recognize. Don't terminate explorer.exe, but in general you can terminate most others; Windows will not let you terminate the processes it needs to keep running. Optionally you can skip this step and try your luck by continuing with the remainder of these instructions.

    3. This virus may hide all the files on your computer and on the desktop. If the files on the Desktop and in My Computer are hidden, change the attributes on the drive in question to show them again:
    - Browse to Start >> Run, and type “cmd”
    - Type “cd\” and press Enter to go to the root of the hard drive (C:\)
    - Type the command “attrib -s -h /S /D” and press Enter to un-hide all files and folders. Be sure to include the spaces after attrib and after each attribute. Note that run from the root this also strips the System and Hidden attributes from genuine system files there (boot.ini, ntldr and so on), which is harmless but noisy; if only your profile was hidden, run it from there instead (cd “%UserProfile%”).

    4. To make sure the virus is not running, start the “RKILL” program and let it run to completion. This should take less than 5 minutes to complete (usually closer to 1 minute).

    4.5. If RKILL fails, or if you are unable to run any executable programs (.exe files) at all, you will need to repair the .EXE file association using the following script:
    (download the file to your desktop and run it to make the necessary changes that allow .EXE files to run)

    5. Once RKILL has completed, install, update, and run a Full Scan using SuperAntiSpyware. This program should detect the virus and present the option to remove it once the scan is complete.

  • Should I Install Windows XP Service Pack 3?

    If you’re keeping Windows patched as you should by using Microsoft Update, you have likely already been prompted to install Service Pack 3 for Windows XP. Like its predecessor (SP2), SP3 is a significant installation (no, I didn’t say improvement) that requires a lengthy install and update process. There have been limited reports of crashes, failed boots and blue screens associated with SP3, mainly on HP systems with AMD processors.

    As always, one has to balance the potential upside of installing a service pack against the technical risk that it might do something bad to your system. That decision has been easy in the past, as Microsoft service packs typically closed dangerous security holes in the operating system. SP3, however, is mostly a roll-up of updates that a machine kept current through Microsoft Update already has, plus a few minor features, so on an already patched system it adds little or nothing to your security and most likely will not help you in any way at all.

    So what does it do? Check Paul Thurrott’s Supersite for Windows for a summary of the changes and answers to other SP3 questions. If after reading the article, you decide NOT to install SP3, here’s what you need to do:

    1. If you have Automatic Updates turned on, you will eventually see the little gold shield in your system tray telling you that new updates are available. Double-click the shield to open Windows Update and select “Custom”. Then review the list of updates and un-check Windows XP Service Pack 3. Now go ahead and install the remaining updates. You will be asked whether you want Windows to notify you about the SP3 update in the future. Say No. Windows will accept your answer for a while, but will remind you again at some point in the future; just keep saying No each time.
    2. If you don’t have Automatic Updates turned on, stop reading this article, go to your Control Panel and turn on Automatic Updates right now. Check either of the first two radio buttons (“download and install automatically” or “download updates for me but let me choose when to install them”). This assures that you get the monthly critical security patches, which Microsoft releases on the second Tuesday of each month, plus any out-of-band fixes.