The Innocent User & His Kingdom of Viruses
If you’re a Facebook user, odds are you’ve seen it. Joe Smith posts a new status that says something to the effect of, “Check out the picture I found of you.” It is followed by a link consisting of a series of random letters and numbers. Now, the dilemma ensues.
OMG! Joe has a picture of me?! OMG! I just have to see it. I know it looks shady and it might be a virus, but if there is even a chance that there is some random picture of me out on the Internet, it is totally worth the risk of costing my company countless IT engineering dollars to fight a potential virus.
The user can’t resist and decides to click the link. It produces a “Page Not Found” error. “Well maybe if I click on it 7-8 more times it will come up.”
At this point, that little bot that was downloaded on the first attempt now has 7-8 little bot friends. In a couple days they are going to have a web browser pop-up party on the user’s screen and their Google home page will be redirected to some site of questionable moral fiber.
The user isn’t going to report it right away because they are so embarrassed. When they do report it, they have been doing NOTHING but work for the past 2 weeks and would not even think of surfing Facebook during work hours. It is officially the anti-virus software and the IT administrator’s fault. Lengthy Safe Mode scans with software like Malwarebytes or SuperAntiSpyware find numerous infections in repeated scans, eventually prompting the need for a full rebuild of the PC.
How can this be prevented?
First of all, nothing can prevent 100% of spyware, malware, and viruses. It can only be reduced, but quite drastically if your users are willing to make some basic adjustments.
1. Attempt to train your users not to click on anything suspicious. Unfortunately, the writers of this malicious code are not just dumb vandals. They are very creative in figuring out ways to trick users. The thought of a Facebook friend having a random picture of you is irresistible to most users and worth the risk to them to click on the link… repeatedly. There are simply too many tricks out there that eventually catch everyone, including the writer of this blog.
As an aside, I got an IM from an “infected friend” that said, “Hey Jed. Check out the video I took.” Ironically enough, I was at a wedding with that friend 2 weekends prior and he had his video camera with him. I was duped. This option should be employed as a default, but not as the sole solution.
2. Implement an anti-malware software suite. This is a better option when used in conjunction with option 1, but it will still not significantly reduce malware on its own. The writers of malware are always a step ahead of the software providers and something will always slip through the cracks. Most anti-malware software out there is a strong reactive tool but not as strong from a proactive standpoint.
3. Remove a user’s ability to install anything. Typically over the past couple of years users have been set up with local administrative rights on their personal PCs or laptops. This typically gives that back-door malware the permissions it needs to install itself. Through the use of a Group Policy setting, IT administrators can strip all local administrative rights from the users. This way, most pieces of malware that try to sneak in will not be able to install themselves. The user will simply not have the permissions to do so.
The downside to this method is that users will find themselves unable to install certain software updates or printers or perform other tasks on their PCs that they were used to doing. This can cause a bit more IT administrative time, but considerably less time than running lengthy malware scans or performing a complete rebuild of an infected machine.
There are a couple of ways around this caveat. For example, a local administrator account could be set up on every machine and the password given to the user. If a software update needs to happen, the user will be prompted for credentials. Of course we are making the assumption that the user will have the wherewithal to not enter those credentials after they clicked on Joe Smith’s link to your photos, but as I mentioned above, nothing is 100% failsafe. The best option is to work with your IT administrator to come up with the best solution for your users and your environment.
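The Group Policy side of option 3 is usually done with Restricted Groups (Computer Configuration > Windows Settings > Security Settings > Restricted Groups), which forces the local Administrators group on every domain PC to contain only the accounts you list. Policy drifts, though, and a user who was a local admin before the policy arrived, or who was added “temporarily” by a technician, is exactly the account that lets Joe Smith’s bot install itself. The script below is an added example and not the blog author’s code: it audits the local Administrators group against an approved list and, with -Remediate, removes anyone else. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); the approved account names are constructed placeholders, not names from this post.

```powershell
# Added example (not from the original post): report, and optionally remove,
# members of the local Administrators group that are not on an approved list.
# Assumes Get-LocalGroupMember / Remove-LocalGroupMember are available
# (Microsoft.PowerShell.LocalAccounts, Windows 10 / Server 2016 and later).
# The approved names below are constructed placeholders for illustration.
param(
    [string[]]$Approved = @('Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\Workstation Admins'),
    [switch]$Remediate
)

$group   = 'Administrators'
$members = Get-LocalGroupMember -Group $group

$unapproved = foreach ($m in $members) {
    # $m.Name is 'DOMAIN\account' or 'COMPUTER\account'. Compare both the
    # qualified name and the bare name so the built-in 'Administrator' account
    # matches regardless of which machine the script runs on.
    $bare = ($m.Name -split '\\')[-1]
    if (($Approved -notcontains $m.Name) -and ($Approved -notcontains $bare)) { $m }
}

if (-not $unapproved) {
    Write-Output "$($env:COMPUTERNAME): local $group group contains only approved members."
    return
}

foreach ($m in $unapproved) {
    # ObjectClass tells you whether a stray user or a whole group was granted admin.
    Write-Output "$($env:COMPUTERNAME): unapproved $($m.ObjectClass) in ${group}: $($m.Name)"
    if ($Remediate) {
        Remove-LocalGroupMember -Group $group -Member $m.Name
        Write-Output "  removed $($m.Name) from $group"
    }
}
```

Run it without -Remediate first from an elevated prompt (or as a scheduled task / startup script pushed by the same GPO) to see what would be removed; the report lines are a simple thing to collect centrally, and a machine that keeps reacquiring an unapproved administrator is worth a closer look before the pop-up party starts. If you go the separate-local-administrator route described above, put that account’s name on the approved list and nothing else.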
There are other options such as content blocking at the firewall level, but this blog was assuming a minimal capital investment. With some creativity and due diligence, the risks of becoming infected with malware can be drastically reduced.