Old Malware Never Dies

New malware appears every day, but the old examples can still be a threat. Old techniques are rarely abandoned; they are refined and folded into the sophistication of modern malware.

Just as early viruses spread via infected floppy disks (remember those?), a common distribution method for today's malware is the ubiquitous USB thumb drive. The infamous Stuxnet worm used the lowly thumb drive to infect many computers that were never connected to the Internet at all.

In the past, Windows would automatically run the program named in the autorun.inf file of any USB device or CD/DVD as soon as that device or disc was detected (the AutoRun feature, configured through the AutoPlay settings). To prevent this type of attack, make sure AutoRun is disabled on every computer you are responsible for. One caveat: Stuxnet itself did not depend on AutoRun. It exploited a flaw in the way Windows parsed shortcut (.LNK) files, so merely viewing the drive's contents in Explorer was enough to execute it; that flaw was patched in MS10-046. Disabling AutoRun is necessary but not sufficient, so keep patching as well.
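The following is an added example, not code from the original article, showing how to audit the AutoRun policy on a Windows machine and then turn it off for every drive type. It assumes Windows Vista or later with the KB967715 AutoRun update installed, and that it is run from an elevated PowerShell session (the function names and the `$PolicyPaths` list are this example's own choices):

```powershell
# Added example (not from the original article). Audits and hardens the
# Windows AutoRun policy. Assumes Vista or later with the KB967715 update
# applied; run from an elevated PowerShell prompt.

# AutoRun policy lives in both the machine and the user Explorer policy keys.
$PolicyPaths = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunState {
    # Returns one object per policy hive describing the current AutoRun setting.
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' `
                      -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        $display = 'not set (Windows default applies)'
        if ($null -ne $value) { $display = '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Hive               = $path.Split(':')[0]
            NoDriveTypeAutoRun = $display
            AllDrivesDisabled  = ($value -eq 0xFF)   # 0xFF = every drive-type bit set
        }
    }
}

function Disable-AutoRun {
    # NoDriveTypeAutoRun=0xFF disables AutoRun for all drive types.
    # NoAutorun=1 additionally tells Explorer to ignore autorun.inf commands
    # entirely, so no "Run program" entry appears in the AutoPlay dialog.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        Set-ItemProperty -Path $path -Name 'NoAutorun'          -Value 1    -Type DWord
    }
}

'Before:'; Get-AutoRunState | Format-Table -AutoSize
Disable-AutoRun
'After:';  Get-AutoRunState | Format-Table -AutoSize
```

Running `Get-AutoRunState` alone is a useful check on its own: a machine that reports "not set" in both hives is relying on whatever default its Windows version and patch level happen to provide rather than on an explicit policy. Explorer re-reads these values the next time a user logs on.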

Another common attack vector used by early viruses was to infect the boot sector of the hard drive (or floppy disk), which ensured that the malware ran every time the computer was rebooted, before the operating system and any security software had loaded. That technique sat mostly unused for quite a few years, but it has again become common in recent malware samples, now generally referred to as bootkits.

One of the most successful pieces of malware ever, measured by computers infected, was the Conficker worm. First detected in November 2008, it is estimated to have infected as many as 15 million computers at its peak. Even now, more than three years after its initial release, the most recent estimates are that somewhere between 1.5 million and 5 million computers are still infected by this worm.

The most recent attack to be resurrected is a widespread strain of rogue security programs known generically as the Fake HDD family. These programs take a different approach from the familiar "Your computer is infected" scareware: instead, they tell the user that the computer's hard drive is failing. The only cure, of course, is to buy their program to restore the computer to full functionality.

The most widespread member of this family was Windows Recovery, which first appeared early in 2011. To make its warnings more credible, this rogue hid all programs and data files on the infected computer and removed most icons from the desktop. It was most prevalent through the first half of 2011.

But in early November 2011 a successor to Windows Recovery began appearing on thousands of Windows-based computers around the world. This one is named System Fix, and it shares many of the characteristics previously seen in Windows Recovery.

As with Windows Recovery, System Fix hides all programs and data files, removes most icons from the desktop, and replaces any wallpaper with a blank background. But it also removes most options from the Start menu, including the Run and Search (or Find) commands, and blocks access to the Command Prompt. Even booting into Safe Mode makes no difference to this "new and improved" rogue security program.
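As an added example (not code from the original article or from the training course it mentions), here is the check a technician would want once the rogue's process has been stopped: find the files it "hid" and give them back. It assumes, as is the case for this family, that the programs and data were hidden by setting the Hidden file attribute rather than by moving or encrypting them, and it deliberately skips items that Windows hides legitimately so that a blanket `attrib -h /s /d` does not expose system files. The root list, the `$KeepHidden` list and the function names are this example's own choices; run it as the affected user from an elevated PowerShell prompt:

```powershell
# Added example (not from the original article). Reverses the "hidden files"
# trick used by the Fake HDD rogues. Assumes the files were hidden with the
# Hidden attribute, not moved or encrypted. Run as the affected user from an
# elevated PowerShell prompt after the rogue's process has been killed.

$Roots = @(
    $env:USERPROFILE,
    $env:ProgramData,
    'C:\Program Files',
    'C:\Program Files (x86)'
) | Where-Object { $_ -and (Test-Path $_) }

# Items Windows hides on its own; never un-hide these.
$KeepHidden = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'thumbs.db',
                'AppData', '$RECYCLE.BIN', 'System Volume Information')

function Get-RogueHiddenItems {
    # Hidden files and folders under the roots that are not normally hidden.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                # Hidden+System together almost always marks a legitimate OS item.
                -not $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
                ($KeepHidden -notcontains $_.Name) -and
                ($_.FullName -notmatch '\\AppData\\')
            }
    }
}

function Restore-HiddenItems {
    param([switch]$WhatIf)   # -WhatIf lists what would change without touching anything
    $items = @(Get-RogueHiddenItems)
    foreach ($item in $items) {
        if ($WhatIf) { "Would un-hide: $($item.FullName)"; continue }
        # Every item here has Hidden set, so XOR clears exactly that bit.
        $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
    }
    if ($WhatIf) { "$($items.Count) items would be restored" }
    else         { "$($items.Count) items restored" }
}

Restore-HiddenItems -WhatIf   # review the list first
# Restore-HiddenItems         # then apply
```

Always run the `-WhatIf` pass first and read the list; if it contains nothing but files the user recognises, apply it. Some members of this family are also reported to copy Start menu shortcuts into a temporary folder rather than merely hiding them, which this script does not address, and none of this replaces actually removing the rogue's executable and its startup entries.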

As with most such programs, there is a cure that does not involve paying the producer of this software for its bogus "fix." Following the procedures and methodology taught in the Virus Remediation Training workshop, and using the Virus Repair Toolkit included with this course, a competent computer-support technician can remove this infection and return the computer to its pre-infection state in less than one hour.