A view from the technical underground
  • Ah for a quiet weekend…

    Posted on July 4th, 2010 admin No comments

    Working in finance security, I am looking forward to a quiet 4th of July with my own projects to work on:

    Re-casing my E-71 Nokia. It does everything I need, has the right apps (turn-by-turn GPS, Verisign passcoding and everything) and a battery life of weeks; I am not sure what all the hubbub about iPhone 4s is about. I picked up a cheap white keyboard and dark case off eBay a while back to dress up my constant companion.

    Also, my local ISP offered me 6 months at 40d/20u DSL2 speeds for less than I was spending on my 20d/5u. My poor old Linksys WRT54GS 2.1 with dd-wrt firmware wasn’t able to keep up.

    So I was looking at the new crop of Netgear N routers, but they all have firmware issues, and even with dd-wrt firmware they still have config issues… what to do?!

    Well, a peer in my dept put me on to loading up a Soekris box with a FreeBSD or OpenBSD OS (choosing between m0n0wall or pfSense): secure, solid and very low power usage. Funny, when I was webmaster at Intel, I had a BSDI proxy/firewall that was the size of my front door; now the same power fits in the palm of my hand (the board, anyway; the case is a bit better). Soekris also makes a sub-board called the 1401 that does VPN (a “Virtual Private Network” tunnel that goes through the internet), to keep script kiddies and pineapple routers from reading my private email in my local coffeehouse.

    But instead I got to enjoy my first day fighting a virus at one of the local art galleries I support technically. I’ve seen this one on a few newbie and novice computer users’ systems. It’s the “sysinternals anti-malware” (contrary to the name, it is itself a virus/malware). First the user gets a pop-up that says their computer is infected; if they click on it in any way, even to close it, that triggers a package that loads up on the system with “scareware” saying everything is infected, and then extorts money out of the user (and probably steals the credit card number) to get rid of the fake viruses it planted itself.

    A few ways to avoid it: a good virus scanner, and don’t use IE. AND DON’T click on pop-ups. Kill the browser session and reload!

    Actually, if you use Firefox and aren’t in an IE Tab session, you should be ok; if you are in an IE Tab session, just close the tab.

    How to get rid of it is tricky. Depending on the version, it sets up a false proxy to block your browsers, it sets a new home page in IE to direct your browser on opening to get you re-infected, it hides itself as svchost (a system file), it sets up registry links to reload itself if removed, and it puts itself in the registry so that if you do remove it, Windows forgets what an EXE is.

    It also sets up a group policy to block the system from being able to use Microsoft Update. Insidious is an understatement.
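    As an added example (not code from the post), a read-only PowerShell audit of the persistence points just described: the forced proxy, the IE start page, an svchost running from the wrong place, the Run keys, the .exe file association and the Windows Update policy. The registry locations are the standard Windows ones; treating only `exefile` / `"%1" %*` as the normal .exe association is an assumption, and system process paths need an elevated shell.

```powershell
# Added example, not from the original post: lists the indicators the post
# describes without changing anything. Run from an elevated prompt.
function Test-ScarewareIndicators {
    $findings = @()

    # 1. Browser proxy forced on (the "false proxy" that blocks browsers)
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
        $findings += "Proxy enabled: $($inet.ProxyServer)"
    }

    # 2. IE start page, reported for review (a changed one re-infects on open)
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($ie.'Start Page') { $findings += "IE start page: $($ie.'Start Page')" }

    # 3. svchost.exe running from outside System32 (masquerading as the system file)
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\System32\*" } |
        ForEach-Object { $findings += "svchost outside System32: $($_.Path) (PID $($_.Id))" }

    # 4. Run keys that reload the dropper if it is removed ("registry links");
    #    PS* properties are PowerShell metadata, not registry values
    foreach ($hive in 'HKLM', 'HKCU') {
        $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if ($run) {
            $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $findings += "$hive Run: $($_.Name) = $($_.Value)" }
        }
    }

    # 5. .exe association (Windows "forgets what an EXE is" when this is hijacked);
    #    assumption: the defaults are 'exefile' and '"%1" %*'
    $exeDefault = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue).'(default)'
    $exeOpen = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if ($exeDefault -ne 'exefile' -or $exeOpen -ne '"%1" %*') {
        $findings += ".exe association changed: '$exeDefault' -> '$exeOpen'"
    }

    # 6. Policy values that block Windows/Microsoft Update
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    if ($au.NoAutoUpdate -eq 1) { $findings += 'Policy: NoAutoUpdate = 1' }
    $exp = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    if ($exp.NoWindowsUpdate -eq 1) { $findings += 'Policy: NoWindowsUpdate = 1' }

    return $findings
}

Test-ScarewareIndicators | ForEach-Object { Write-Output $_ }
```

    Each finding is a lead to check by hand, not proof of infection; a clean machine will still list its IE start page and its legitimate Run entries.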

    A few evenings and 4 hours yesterday with a mixture of HijackThis, Trinity and the Ultimate Boot Disk 3.5, Avira, Avast and Malwarebytes, and I think the system is fixed. But to be honest, I never feel I can trust a system once infected; if given the choice I would recommend saving whatever data files you need and doing a complete re-install.

    We’ll see. Of course the gallery can’t pay me. Art isn’t selling these days, but hopefully it will all come out evenly in the wash, and there is one less infected machine on the net…

    Hopefully the rest of my weekend is quieter…
