Monday, 7 March 2016

The downside of malware

Here's what happens if you become a victim.

Your antivirus will most likely not protect you: when I test antivirus products on the stuff I get emailed, maybe 5 or 10% of them flag it.

Once the ransomware is in, you're screwed. Even if you pay the several hundred pounds, you might not get all your data back, because what are you going to do, sue the criminals? Demand a refund?

Ransomware is a profitable business, and easy to get into, so it's going to grow massively. And anyone can be a victim; they don't target, they scattershot. Because anyone can afford the few hundred pounds they're asking for. Multiply that by a million victims (and that's a million so far) and you're stealing a good income.

So what can you do?

As far as I know, there's no product currently on the market to protect you. That's not, I think, because such a product is impossible to write; it's because most people believe the existing products are useful, with their claimed and certified 100% effectiveness.

How do I know? Because I get several dozen emails per week including malware, and when I test them using VirusTotal, about 95% of products do not flag the malware. And you can do the same test, and see for yourself. If I were paying for an antivirus, I'd be demanding a refund, on the grounds of "not fit for purpose".

It is possible to write a useful product. I even have a demonstration of this. Sooner or later, someone will write a useful product (it won't be me, I'm having too much fun biking, geocaching and playing Civilization) and will make a ton of money. But until then?

1) Make sure that your Word and Excel don't run macros. And when you load a file into them that asks you to enable macros, DON'T DO IT!

2) Get rid of Adobe Acrobat; there's a flaw in it that people emailing PDFs to you can exploit. Instead, download and install a different PDF reader.

3) If someone includes an attachment in an email, don't open it, don't click on it.

4) If you think that an email came from a friend, be aware that faking the sender of an email is as easy as putting a false return address on an envelope.

5) And I get several emails per week that really did come from the email address of someone I know, but which weren't sent by that person. They were sent by someone who had hacked that email account.

6) To guard against malvertising (malicious adverts), run an ad blocker (I use uBlock) and a JavaScript blocker (I use NoScript).

7) Flash is vulnerable. I've updated it several times, and each time a new vulnerability is found and I have to update it again.

8) Do backups. That won't necessarily protect you from malware (imagine if your files are encrypted, and you've backed up the encrypted files to your backups), but they will help against hardware failure.
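Tip 1 can be checked rather than taken on trust. The PowerShell below is an added example, not part of the original post: it reads the per-user VBAWarnings value that Word and Excel use for their macro security setting (assumed Office 2010/2013/2016, i.e. registry version keys 14.0/15.0/16.0) and offers a function to force "disable all macros without notification" so the Enable Content button in a booby-trapped document has nothing to enable.

```powershell
# Added example (not from the original post): audit and harden the macro setting
# of Word and Excel for the current user. Assumes Office 2010/2013/2016.
# VBAWarnings values: 1 = enable all macros, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable all without notification.
# Note: a Group Policy value under HKCU:\Software\Policies\Microsoft\Office\...
# overrides the per-user value read here.
$Meaning = @{
    1 = 'ENABLE ALL macros (dangerous)'
    2 = 'Disable with notification (user can still click Enable Content)'
    3 = 'Disable except digitally signed'
    4 = 'Disable all without notification (safest)'
}

function Get-OfficeMacroSetting {
    param(
        [string[]]$Apps     = @('Word', 'Excel'),
        [string[]]$Versions = @('14.0', '15.0', '16.0')
    )
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $key)) { continue }   # this app/version is not installed
            $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VBAWarnings
            # When the value is absent Office uses its default: 2 (disable with notification).
            if ($null -eq $val) { $val = 2 }
            [pscustomobject]@{
                App      = $app
                Version  = $ver
                Setting  = [int]$val
                Meaning  = $Meaning[[int]$val]
                Hardened = ([int]$val -eq 4)
            }
        }
    }
}

function Set-OfficeMacrosDisabled {
    # Force "disable all macros without notification" for every installed Word/Excel.
    param([string[]]$Apps = @('Word', 'Excel'), [string[]]$Versions = @('14.0', '15.0', '16.0'))
    foreach ($ver in $Versions) {
        foreach ($app in $Apps) {
            $key = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (Test-Path $key) {
                Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
            }
        }
    }
}

Get-OfficeMacroSetting | Format-Table -AutoSize
```

Run `Set-OfficeMacrosDisabled` and then `Get-OfficeMacroSetting` again to confirm every row reports Hardened = True.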

And cross your fingers if you're relying on antivirus software, because your crossed fingers are more effective than the software.


  1. Most - if not all - your VirusTotal test scans are on the downloaders, not the payload. You might get better results on the payload. Moreover, most A/V products come with some kind of heuristic process monitor, which doesn't rely on the outdated idea of file signatures. The process monitor should be able to warn against a payload's behaviour, if it is about to do something bad, regardless of whether the payload is in a product's detection database or not.

  2. I can't test that, though.