Undetectable Viruses?

Periodically the media get excited about computer security - how accurate is the coverage and what steps should users take to meet any threat?

The BBC carried a report on 11 January about the mebroot trojan. The report states "Although the password-stealing programs that Mebroot installs can be found by security software, few commercial anti-virus packages currently detect its presence". Having checked the Symantec and Sophos websites, both claim that the latest versions of their anti-virus software do detect mebroot.

Is there anything a user can do, however, if their anti-virus software (or malware detection software, such as Windows Defender) is out-of-date? First, it's worth reading the Technical Details on the trojan, which give details of its actions, processes and file locations.

All malicious code that is intended to do something - harvest passwords or browsing history - has to run as a process to do the work. However, mebroot and other kernel-level rootkit trojans can alter the operating system and circumvent the system tools, such as Windows Task Manager, that might otherwise report them. Nonetheless, it is always worth checking Task Manager (by pressing CTRL + ALT + DELETE simultaneously)

[Screenshot: Windows Task Manager]

and selecting 'Processes' from the tabs on the first window. In this case I've highlighted wowexec.exe because I don't know what it is. I can then check its identity and purpose at ProcessLibrary.com which reveals that:

  • "wowexec.exe is a part of the operating system, and supports the use of 16-bit processes within Windows NT, 2000, XP and later versions of Windows. This program is important for the stable and secure running of your computer and should not be terminated."

Let's assume that we can't detect any process created by mebroot - what next? We could remove the hard drive that may be infected, attach it to another PC as a slave drive, and scan it there with anti-virus/anti-trojan software - which may be what needs to be done, since the scanning PC's operating system is not the one the rootkit has altered. But before doing that it is worth checking your firewall for unexpected connections to the internet - ZoneAlarm, for instance, will usually alert you if this happens. If internet traffic is occurring at a time when you're not using the web or e-mail, note the process shown by the firewall and check its identity at ProcessLibrary.com or on the Microsoft Support website.
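The two manual checks above - look at what is running, and look at what is talking to the internet - can be done in one pass from a PowerShell prompt. The script below is an added example, not code from the original post; it assumes a Windows 8 / Server 2012 or later host (Get-NetTCPConnection does not exist on older versions) and uses only built-in cmdlets. It lists every process with its image path and Authenticode signature status, flags the ones that are unsigned or run from a user-writable folder, and maps each established TCP connection back to its owning process. It has the same blind spot as Task Manager: a kernel-level rootkit that hides from the OS hides from these cmdlets too, so it supplements rather than replaces scanning the drive from a clean machine.

```powershell
# Added example (not from the original post): triage of running processes and
# live connections on a Windows host using built-in cmdlets only.
# Assumption: Windows 8 / Server 2012 or later (Get-NetTCPConnection).

# 1. Every running process, its image path, and whether the image is signed.
#    Processes with no readable Path (System, Idle, protected ones) are skipped.
$procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [PSCustomObject]@{
        PID       = $_.Id
        Name      = $_.ProcessName
        Path      = $_.Path
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

# 2. Anything unsigned, or running from a user-writable location, goes on the
#    "look this up before trusting it" list (ProcessLibrary.com, Microsoft Support).
$suspect = $procs | Where-Object {
    $_.Signature -ne 'Valid' -or
    $_.Path -like "$env:USERPROFILE\*" -or
    $_.Path -like "$env:TEMP\*"
}
Write-Host "Processes to identify:"
$suspect | Sort-Object Name | Format-Table PID, Name, Signature, Path -AutoSize

# 3. Established connections to non-local addresses, mapped to the owning
#    process - the command-line equivalent of the firewall's "who is talking" alert.
Write-Host "Established outbound connections:"
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            PID    = $_.OwningProcess
            Name   = $owner.ProcessName
            Path   = $owner.Path
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated prompt so that Path and signature information is available for services as well as the current user's processes. A legitimate, signed process appearing in the connections list at a time when you are not using the web is still worth noting, since malware frequently injects into a trusted host process; the point of the list is to give you a process name to check, not a verdict.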

Also, it's worth ensuring that anti-virus and anti-malware software is as up-to-date as possible. Lavasoft update the definition file for AdAware at least monthly.

Finally, avoiding opening unrecognised e-mails or accessing unknown websites is a time- and cost-effective way to reduce the chances of infection.

15 January 2008
