Large Scale Central

So now what (hacking and other ills)

I know, I know, don’t open stuff you are suspicious of. But this was from my former boss and good friend and it was headed “important” etc., which should have been the tip-off. Just opening the email (with his correct address) brought a message from him that said, “Please read this and get back to me immediately.” To get to the message you had to click on a very plain “click here,” which I did. This took me to Google Drive and a whole bunch of (presumably) Google info about how wonderful this app (let’s call it that) was. Of course it needed my email address and password (another red flag, I’m sure), entered in the official-looking logo of AOL, G-Mail, and other providers. So I did and wound up as part of Google Drive’s brigade, although I have no idea what that gets me. I called a mutual friend and he said, “You know “Bob” would never send such an email, he barely knows how to log on!” I emailed “Bob,” which is not his real name, and he fired back that he did not send any message. I’m guessing he was hacked, but to what end?

Curious as to what might have happened I went part way back to the link, which begins with “Download Drive for PC,” ignored the first security warning from Norton (the one that asks, “Do you know who sent this?”) and got “googledrivesync.exe”, a 756 KB application from dl.google.com. At the run-or-save prompt I got another security warning from AOL Browser and decided not to click on the same exe file again, this one from Google Inc.

So now what?

Help! Advice! Or a cup of hemlock?

Change your email password and user login name.
That’s a start.

And if you have no need for Google Drive I’d uninstall it. At minimum it’s a resource hog.

Google Drive is a legit app. If it in fact came from the Google servers, then it alone is a safe install… I’m running it on my system now. I also have the Android version on my tablet. It’s an offline component of Google’s “cloud” storage system.

Now, beyond that, I’d make absolutely certain that your antivirus is up to date, and that Windows has been updated with every patch that Microsoft has available for your system.

As long as you are up to date, the odds of getting infected are slim, though still possible via zero-day exploits (ZDs are when the security community learns of a vulnerability from the fact that an exploit is already in the wild infecting systems).

One thing to keep in mind, make absolute certain that you have current backups of your data. If ever you get infected by something nasty, the easiest fix is to format the hard drive, wipe it clean and restore from your factory recovery discs. You did remember to burn those discs when you got your new system, right?

And, as a general rule, Windows can actually benefit from a reinstall occasionally. As you install/uninstall applications and other activities, the system gets fragmented (not as in fragmented on the hard drive, but internally within the control files of the system itself). It also leaves snippets of code in the system which can eventually create unstable conditions. If your system is running more slowly than when you got it, but not slow enough to suggest an infection, you may have just reached the point where a reinstall can benefit you.

As a warning, keep in mind Windows XP reaches its end of life in April, 2014. After that, there will be NO updates, critical vulnerability patches or otherwise. XP will finally be dead. Unfortunately, 7 is already closing on its end of life as well. 8 is really your best bet. With the addition of “ClassicShell” you can get a Win7 interface with the Win8 backend, which really is a good system (objectively). It’s just Microsoft has a real problem with interface design. (Remember Vista?)

On a related but separate point:

Run Firefox or Chrome NOT Internet Explorer

Run Thunderbird NOT Outlook (any version including Express). Thunderbird is now in end of life itself, so you will need to find a new client. I use Gmail, so I don’t need a stand-alone client.

For Firefox or Chrome, get a password manager for your accounts. I use the “LastPass” (http://www.lastpass.com) addon. I have a 20+ character password that is easy for me to remember, but isn’t a dictionary word. It leverages all the different variables: lower case & upper case, numbers & symbols. This password is reasonably secure and it’s the only one I need to remember. If there is an issue, I change ONE password. LastPass contains a secure password generator which can leverage all the different password character variables and can be told to make your passwords as long as you like. I was running 20-character randomly generated PWs as a base default, but have now upgraded them to 512-bit passwords. I only shrink my security level down when the site I’m trying to join won’t accept my default security level.

Because of the plugin, LastPass’s servers can directly access any login I use. When I log in to LSC, my plugin recognizes the fact and offers to remember my username & password, and then after it can even automatically log me in, or just fill in the fields, it’s my choice. And, when a site uses something strange that the plugin doesn’t recognise, I can still log in to the LastPass server, access my secure “vault” and pull up my password & do a copy/paste.

Because I have LastPass generate my passwords, each is unique and completely random, to whatever strength I desire. By making them unique (as the security experts highly recommend) I don’t have to worry about someone hacking one password and using it on another account. This IS a concern for me, because one thing I do which lowers my overall security level is use the same username across all my accounts. However I choose to accept this vulnerability in order to lock up my identity online. Even if I don’t use a popular service, I have an account there in order to ensure no one else can register my name and impersonate me. This is why I depend on strong, cryptographically secure passwords to defend my accounts. This is only possible because of LastPass and services like it.

Another nice feature of LastPass is that it is YubiKey enabled. The YubiKey is a single-touch USB authentication dongle which can work in either static pre-programmed mode, or in a dynamic cryptographically secure mode which generates a one-time password on the fly using a secure algorithm and standard encryption. This is then confirmed via a back-end link between LastPass and YubiKey’s servers (http://www.yubico.com) and verified. Once the authorization is confirmed by Yubico, LastPass will log you in… but you don’t need to use Yubico for LastPass, it just makes it that much more secure.

YubiKey was originally “discovered” by accident by Steve Gibson of the Gibson Research Corporation when they were shut out of the RSA conference a few years ago. Steve and Leo then brought YubiKey to the world via their podcast on the “This Week In Tech” (TWiT) network called Security Now! If the YubiKey intrigues you, please use this link to activate the Google search function on Steve’s site at grc.com: http://snipurl.com/grc-yubi . This will pull up all references to the YubiKey, and you can even listen to their original podcast from way back in 2008: http://twit.tv/show/security-now/141

Edit: Fixed the huge search link URL to Steve’s site… Used SnipURL.com which Steve uses frequently on the show as well.

John, Jon, and J.D., thanks.

JD - My objection to any passwords being stored on an external server/service is I never know how they are stored. If the service or server is using a Microsoft O/S, they are most likely stored in a text file of some nature. MS has never gotten past that because they want the ability to ‘find’ passwords. My concern is that they get hacked. I am sure the hackers are working on them as well as everybody else.

If they are running a Unix / Linux O/S, then they may be stored in a ‘hash’ pattern that is not reversible. So it therefore makes it almost impossible to hack.

My employer (a government sub-contractor) requires 15-30 character passwords, changed every 90 days, and similarity is checked for, so they must be DIFFERENT. PWs must contain all four character types (caps, lower case, numbers and special characters). From what I have read on passwords, this is the most practical of the security schemes with the highest level of security. Most people have issues when they NEVER change passwords until they have a problem. That is sort of like closing the gate after the horse is long gone.

Bob C.

Actually a higher form of security is the rolling-code key fob where it has an LCD display and the code changes every 10 minutes… pretty much impossible to crack, and easier to use than remembering long passwords.

By the way, all companies that store passwords as a business encrypt them. The password file on a Windows server, or Windows workstation, has been encrypted forever.

And the Linux password is easier to bypass than the Windows one; it takes me about 5 minutes on Linux vs. 10 on Windows, just boot into single user mode.

Greg

Greg Elmassian said:

And the Linux password is easier to bypass than the Windows one; it takes me about 10 minutes on Linux vs. 5 on Windows.

Greg

Greg, sitting at the console almost any system can be hacked if you have all the right tools available. Access from the outside is another story, the story I was referring to. With a simple Linux bootable CD there is no Windows or Linux system I can’t get into, given a console and time.

Bob C.

Bob, as for your concerns re LastPass’s storage of your password data, obviously they have to be in a format that can be read. A hash results in a one-way encryption, i.e. you can “hash” something and see if the new hash matches the hash you have. But, even having the hash, and the algorithm that created it, you cannot be certain that you have the exact “plain-text” data that went into it.

As for LastPass, Steve Gibson has given it his stamp of approval. If it’s good enough for him, it’s good enough for me. But in any case, I’ve been using LastPass since before I even heard of Gibson or Security Now… or of TWiT for that matter.

Greg… the one-time fob you speak of, that’s where I mentioned the use of the YubiKey. YubiKey has an onboard one-way passcode and a number generator (I forget the actual context, but it’s supposed to be pseudo-random). That passcode and generator have a duplicate on the Yubico server. When you press the button on the key, it enters the result of its encryption into your password field. That is then sent to the Yubico server, where the server hacks apart the credential to get the unique identifier of the YubiKey and the encrypted stream it has generated. Using the same algorithm on the server, it generates a ciphered stream and then compares the result to what the site sent it. Only if it matches does Yubico then send back the notification that they have confirmed the authority to gain access to the… whatever, in this case, log into LastPass.

Basically, the YubiKey plugs into the USB port, and when you focus on a text box and press the only control on the key, it types in an encrypted string which includes a unique identifier as well as the one-time passcode. The server then ensures that the one-time passcode is encrypted by the same key which it is claiming to be, which is registered with LastPass. Only if all these things match is access granted.

It’s multi-factor authentication at its best: something you are: your user ID; something you know: your password; something you have: your YubiCode.
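The press-the-button, check-it-on-the-server flow J.D. describes, as an added simulation that is not from any poster and is not Yubico’s real protocol (a real YubiKey OTP is AES-encrypted; this stand-in uses an HMAC over a per-key counter, and the key ID and secret are constructed). It shows the two checks the server makes, that the code was made with the right key and that it has never been seen before, so a captured code cannot be replayed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Token:
    """Stand-in for the USB key: public ID, a secret shared only with the server, a use counter."""
    public_id: str
    secret: bytes
    counter: int = 0

    def press(self) -> str:
        """Simulate the single touch: 'type' public_id.counter.mac into the password field."""
        self.counter += 1
        msg = f"{self.public_id}.{self.counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"{self.public_id}.{self.counter}.{mac}"


@dataclass
class ValidationServer:
    """Stand-in for the validation server: each key's secret and the highest counter accepted."""
    secrets_by_id: Dict[str, bytes] = field(default_factory=dict)
    last_counter: Dict[str, int] = field(default_factory=dict)

    def register(self, token: Token) -> None:
        self.secrets_by_id[token.public_id] = token.secret
        self.last_counter[token.public_id] = 0

    def verify(self, otp: str) -> Tuple[bool, str]:
        """Split the typed string, recompute the MAC with the key's secret, reject replays."""
        try:
            public_id, ctr_str, mac = otp.split(".")
            counter = int(ctr_str)
        except ValueError:
            return False, "malformed"
        secret = self.secrets_by_id.get(public_id)
        if secret is None:
            return False, "unknown key"
        expected = hmac.new(secret, f"{public_id}.{counter}".encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(expected, mac):
            return False, "bad mac"          # wrong key, or the code was tampered with
        if counter <= self.last_counter[public_id]:
            return False, "replayed"         # this code (or an older one) was already used
        self.last_counter[public_id] = counter
        return True, "ok"


def demo() -> List[str]:
    """Constructed scenario: one press used twice, a fresh press, and a tampered code."""
    token = Token("key-0001", secrets.token_bytes(32))   # constructed key ID and secret
    server = ValidationServer()
    server.register(token)
    otp = token.press()
    results = [server.verify(otp)[1], server.verify(otp)[1], server.verify(token.press())[1]]
    tampered = otp[:-1] + ("0" if otp[-1] != "0" else "1")   # flip last hex digit of the MAC
    results.append(server.verify(tampered)[1])
    return results


if __name__ == "__main__":
    print(demo())
```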

You guys are very helpful and super knowledgeable, but yer talkin’ way–yyy above my head. I guess what I’m looking for–aside from some helpful hints–is reassurance that somewhere in my computer’s innards there is not malware (I fear key logging most) that will snag my Visa card when I buy something from Amazon.

I run Windoze 7 Premium, Malwarebytes, Windows Firewall and Avast. Never been infected. Simple. The other thing I never do is open emails from friends with a link in them that leads me to somewhere that I don’t know, or I am suspicious of. Thunderbird seems to catch a lot of scam mail as well and junks it.

Grant and all, you are so right about not opening stuff. But this was the perfect storm–a former boss/good buddy who is working on a project that he once said he might need help with, a simple “click here” note at the end of his post, which led me to think there might be an attachment (clicking took me to the invitation to sign up for Drive, and then the simple “Enter screen name and password” box under a very official-looking AOL logo (there were other providers to choose from as well)). At that point I shoulda said, “Whoa,” but emotions being what they are, I didn’t. It did actually “sign me up” for Drive, which I purged, for all the good that did. Lesson learned.

BTW, I called my friend and he said that indeed he’d been hacked and that his “message” went out to several contacts, including a well-known, retired British racing driver (not Jackie Stewart), who called back and said, “Wha…?”

Joe, honestly, I think it’s time to take your system to a reputable dealer. Someone who can pull the drive(s) out and scan them on a system without booting from them.

That’s the only way to ensure you didn’t get some nasty piece of malware, the type that can hook into the system kernel and make itself invisible upon boot. By scanning the drive(s) in a system that doesn’t boot from your drives, you are able to side-step any of the malware’s protections which would normally be activated upon bootup.

As for downloading anything that could clean the system for you… the trouble with this theory is that you are worried that the system might have already been compromised. If it has, the antivirus is now running on top of a compromised system. There are only so many tricks antivirus can use before it simply has to rely on the “honesty” of the operating system. If the OS has been tricked by the malware’s protections, it can’t report honestly to the AV software.

The best protection is to have a strong defense which protects you: AntiVirus, AntiSpam, AntiMalware, Firewall and the ABSOLUTE most important protection: BACKUP YOUR DATA!

Most malware these days has such deep-seated hooks into the OS kernel that the only certain way to get rid of an infection is the “nuclear” option: format the hard drive and rebuild the system from the drive partition tables up.

Unless you feel comfortable doing this, it’s why I recommend a reputable, trustworthy dealer… and unfortunately that doesn’t mean Geek Squad.

Joe, going forward, never EVER click a link in an email. It is a sure, effective way to get yourself infected with something nasty. It’s one thing we have to train ourselves; like you said, you were actually expecting something from this person. Even something as simple as a PDF can carry code, and we all know how notorious Adobe is for the exploits in their software!

Yes, Sister! That’s just a little Catholic school humor and a remembrance of things past. It was the only time I ever behaved as I was told. :)

Entirely likely that neither of you was hacked, but a third party entirely. All the perpetrator needed was a list of email addresses that included you both.


Tom, just spotted your reply and tend to agree because…touch wood…

Being superstitious, I’m afraid to tell you why I agree because about the time I start to feel smarmy, all heck will break loose.

J.D., since you seem to be the designated hitter, I have more questions.

When I send things like photos from My Pictures and my various Photoshop apps, plus documents, to an external hard drive, does that alleged virus/worm that’s possibly lurking on my OS part get sent to the external drive too? Or does it just stay with that part of the hard drive that contains operating stuff?

Is all that stuff like Favorite Sites, which included MLS and other serious things, stored on AOL, or on your computer? Or both? What I’m wondering is, can the perp, assuming he is in my OS, get to my favorite sites without logging onto my AOL account? Or does he gotta log on, if he can?

If I get a new hard drive (they’re pretty cheap and I’d go really big), I’d have to load it up with all of my programs from Windows to Photoshop, right? Or could they be stored on my external drive and then downloaded into the new internal drive–without corrupting it?

Sorry to be a pest.

Joe, never a problem. While too much information can be overload, as long as you don’t act on something you “think” you understand, there can never be too much information. I prefer to think of non-geeks simply as people who have not received enough info to have earned their propeller beanie.

Can it get to an external drive? Ans: Possibly. Consider it infected. These new worms have all sorts of countermeasures and defense subroutines to assist in their infection and propagation. When external media is connected to your system, there are system requests that are made, to connect the device to the USB hub, to mount the volume and provide it with a drive letter, etc. All these can be tagged in the kernel by malware to give it a heads-up that something has been added and that it should investigate to see if it can infect something there to extend its reach.

Does this mean you are already hosed if infected? Ans: Not necessarily. One nice thing about external media, especially USB hard drives, is that just because they may boot within the USB enclosure doesn’t mean that they can force something through the cable to your system to run. However, don’t assume that it can’t either. NEVER underestimate the ability of malware to be smarter than you. (No offense.) In this case, you can back up all your data to an external device (preferably a SECOND device to avoid infecting your current backup if it isn’t already), wipe your system and do a clean install. Once up to date with all your patches and a couple of GOOD anti-malware programs (my current arsenal: Avast Antivirus, MalwareBytes, SuperAntiSpyWare) that have the latest definition files, you should be roughly 98% safe in connecting your infected drive to the system. With adequate protection, even if the malware tries to boot up, your clean system should be able to defend itself. Even if it can’t, the latest definition files should ensure that the system will at least recognize that it has been compromised. This is the point where you NEED to take it to a qualified technician who can boot a system and ensure that your drive is NOT booting, that it is just a “dumb” data drive. Then they can run their own cleanup utilities and disinfect your files. Just keep in mind, if the infection is that deep, there is the possibility that some files may be SO infected that the only recourse is deletion… you did have multiple backups, right?

Can it gain access to my favorites/bookmarks? Depends. You give the appearance that you are using AOL, correct? I never did get on that particular bandwagon and therefore cannot give you a 100% accurate answer to that. However, I would assume that if the malware is deeply hooked into your system kernel, then it has access to anything you have access to. This is the main reason why every security-aware person will tell you DO NOT RUN AS AN ADMIN. If you can make changes to your system, so can the malware when it tries to run. Again, I would perform a full system restore and only after getting your system back to operation would I log into anything sensitive. Do you have passwords stored locally by your browser? That could be a problem as there have been security flaws in that process before. At one time IE stored all that information locally in a NON-encrypted text file. Guess how much power it took worms to crack that egg?

If I get a new hard drive, do I have to reinstall everything? Ans: No, technically you could ghost everything over to the new drive. Having said that, DON’T DO IT!!! If you are going to pop for a new drive… 3-4 terabyte drives can be gotten from Newegg for as little as 100-120… then you might as well go through the process to do a complete full CLEAN install of all your software. If you have a factory-made system (HP, IBM, DELL, etc.) then somewhere you have the recovery discs which will place a factory image of all the software including the full Windows installation onto your drive. However, this MIGHT possibly be tied to the hardware and MIGHT not work with a new drive. This is a slim chance, but still possible. If this was a custom system from a local dealer or one you built yourself then you should still have all the discs for the software and will only need to spend the time to do the work. It’s long and boring, but building a system yourself can have a serious “hey I did that” cool-factor that is worth a lot more than you save by having someone else build it for you.

Op. Ed.:

Okay, now that I answered your questions, keep this in mind: a) if you have NO tech experience, trying to disinfect a deeply rooted malware is a painful task which can actually hose your system if not done EXACTLY right. If you don’t feel comfortable with the possibility of turning your desktop into a paperweight, then I’d seek out someone local to do the work. It will cost several dollars more than you doing it, but as long as they are reliable, you will have a fully working, clean, trustworthy system when they are done.

It is that factor of trust that I value the most. I’ve occasionally hit up a “file blocked” screen from my antivirus. That I’m okay with. What worries me is when it starts acting weird. At that point, it’s time for the “nuclear” option of formatting and reinstalling Windows and my software. Because once you are infected, it’s very hard to disinfect, and you can never be 100% certain it didn’t leave some little backdoor or trojan code behind that will come back to bite you in a few weeks. It’s just not worth the worry.

Two years ago or so I got hit with just such a bug. It took me days just to get a handle on the bug’s identity. It then took me a week of hacking my registry and manually reinstalling uninfected DLL files from the Windows install discs to just be able to get my antivirus program able to run. It updated and removed the infection. I rebooted to do a full boot-time scan… and immediately got a blue screen of death. Some of the files were infected so deeply my AV had no choice but to just delete them. Out came the old DOS F-bomb: Format c: /sys. I ended up using that as an excuse to build a new quad-core system, which has since been upgraded to a hex-core chip. Only time malware ever did me a favor, lol.

Keep us advised of what’s going on.