How I Got Hacked... And Why You MUST Have a Backup!

Category: Backup, Security

Last week I heard from a friend who thought she might have been infected by a virus. When she visited her own website, it was redirecting her to another web address. It sounded like a simple JavaScript redirect, so I assumed it would be safe to visit her site and see where the problem was. Turns out that was a BIG mistake! Find out what happened to my computer, and how I finally managed to recover from the damage...

Are You Vulnerable to Drive-By Malware?

Here's the executive summary: If your friend says "I think my website has a virus, and is redirecting to a Russian porn site" -- don't assume your anti-virus software and fully updated operating system will protect you when you go to have a look-see. I did, and it took me about 8 hours to clean up the damage. But there are some valuable lessons to be learned here, so I hope you'll read on.
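One way to have that look-see without handing the page to a browser at all: fetch it with a plain HTTP client that runs no JavaScript, loads no plugins and follows no redirects, then search the raw HTML for the patterns an injected redirect usually uses. The script below is an added example written for this article, not code from the original post. The HTML it inspects by default is a constructed sample, and the hostnames www.example.com and attacker.invalid in it are placeholders, not the friend's site.

```python
"""Inspect a suspect web page without rendering it.

Added example for this article (not code from the original post). A plain
HTTP fetch runs no JavaScript and loads no plugins, so an injected redirect
is read as text instead of executed. SAMPLE_HTML below is constructed;
www.example.com and attacker.invalid are placeholders, not the friend's site.
"""
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Patterns that commonly carry an injected redirect or an obfuscated loader.
INDICATORS = {
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv=["\']?refresh', re.I),
    "js_location": re.compile(r'(window|document|top|self)\.location(\.href)?\s*=', re.I),
    "js_redirect_call": re.compile(r'location\.(replace|assign)\s*\(', re.I),
    "hidden_iframe": re.compile(r'<iframe[^>]*(width|height)\s*=\s*["\']?0', re.I),
    "php_obfuscation": re.compile(r'eval\s*\(\s*(base64_decode|gzinflate|str_rot13)', re.I),
    "js_unescape_eval": re.compile(r'eval\s*\(\s*unescape\s*\(', re.I),
}


def find_indicators(html: str) -> dict:
    """Return {indicator_name: [matched snippets]} for every pattern that fires."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = [m.group(0) for m in pattern.finditer(html)]
        if found:
            hits[name] = found
    return hits


def external_script_hosts(html: str, own_host: str) -> list:
    """Hostnames of <script src=...> tags that do not point back at the site itself."""
    hosts = set()
    for m in re.finditer(r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'>\s]+)', html, re.I):
        host = m.group(1).lower()
        if host != own_host.lower():
            hosts.add(host)
    return sorted(hosts)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx instead of following it, so a server-side redirect stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_raw(url: str, timeout: int = 10) -> tuple:
    """Fetch a page as text with redirects disabled: (status, location_header, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        if 300 <= e.code < 400:
            return e.code, e.headers.get("Location"), ""
        raise


# Constructed sample of what an injected home page might look like.
SAMPLE_HTML = """<html><head><title>My Site</title>
<meta http-equiv="refresh" content="0;url=http://attacker.invalid/go">
<script src="http://attacker.invalid/js/loader.js"></script>
<script src="/js/site.js"></script>
</head><body>
<p>Welcome to my site.</p>
<iframe src="http://attacker.invalid/x.php" width=0 height=0></iframe>
<script>window.location.href = 'http://attacker.invalid/land';</script>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 inspect_page.py http://www.example.com/
        status, location, html = fetch_raw(sys.argv[1])
        own = urllib.parse.urlparse(sys.argv[1]).hostname or ""
        print(f"HTTP {status}, Location: {location}")
    else:
        html, own = SAMPLE_HTML, "www.example.com"
    for name, snippets in find_indicators(html).items():
        print(f"{name}: {snippets[0][:70]!r}")
    print("third-party script hosts:", external_script_hosts(html, own))
```

Run it with no arguments to see it flag the constructed sample, or pass a URL to inspect a real page. A 3xx answer is printed rather than followed, and a script host you don't recognize in the last line is worth as much attention as any of the regex hits. None of this replaces a sandbox; it just keeps the page's code from running while you read it.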

I always knew there was a slight chance that I could get a virus, because of the "arms race" that exists between the Evil Hackers and the Good Guys who provide anti-virus software. A virus appears, the anti-virus folks add a signature to detect it, and then the virus is repackaged to slip past that signature -- sometimes automatically. It's a bit like weeds that become resistant to herbicides.

But I was convinced that all those "drive-by virus infection" scenarios only affected people who would click or download almost anything, those who failed to apply their Windows Update security patches, or those who ran expired anti-malware protection. It turns out I was wrong. There was a pretty nasty "drive-by" virus in one of the many popups that appeared after visiting the hacked website. My anti-virus program caught and quarantined one piece of the attack, but it didn't catch everything, and what got through was enough.

In the case of the hacked website I visited, there were some dormant WordPress installations on the same server that had unpatched vulnerabilities. Once the hackers got in through one of those, they had access to everything else on the server, and left their evil payload on the home page of my friend's website. I noticed the following after closing all the popups and restarting my browser:
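Forgotten copies are exactly the ones nobody updates, and on a shared server they run with the same access as the live site. The script below is an added example (not from the original post, and not part of WordPress) that walks a web root, finds every install by its wp-includes/version.php, reads the $wp_version it carries, and flags anything below a version you choose. The directory tree it builds to run against is constructed for the example, and 3.2.1 is used as the floor only because it was the current release around the time of the post.

```python
"""Find every WordPress install under a web root and report its version.

Added example for this article (not from the original post or from
WordPress). Each install carries $wp_version in wp-includes/version.php;
walking the tree for that file finds the forgotten copies too. The tree
built by build_sample_tree() is constructed for the example, and 3.2.1 is
used as the floor only because it was the current release around the time
of the post.
"""
import os
import re
import tempfile

VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")


def parse_version(text: str):
    """Pull the version string out of a wp-includes/version.php, or None if absent."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    """'3.2.1' -> (3, 2, 1); non-numeric parts (e.g. '1-beta') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def find_wordpress(root: str) -> list:
    """[(install_dir, version_or_None)] for every wp-includes/version.php under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "wp-includes" and "version.php" in filenames:
            path = os.path.join(dirpath, "version.php")
            with open(path, encoding="utf-8", errors="replace") as f:
                found.append((os.path.dirname(dirpath), parse_version(f.read())))
            dirnames[:] = []  # nothing of interest below wp-includes itself
    return sorted(found)


def audit(root: str, minimum: str) -> list:
    """[(relative_dir, version, status)] where status is OK, OUTDATED or UNKNOWN."""
    floor = version_tuple(minimum)
    report = []
    for install, version in find_wordpress(root):
        if version is None:
            status = "UNKNOWN"
        elif version_tuple(version) < floor:
            status = "OUTDATED"
        else:
            status = "OK"
        report.append((os.path.relpath(install, root), version, status))
    return report


def build_sample_tree() -> str:
    """Constructed web root: a current live site, a stale copy, and a copy with no version."""
    root = tempfile.mkdtemp(prefix="webroot_")
    sites = {
        "public_html": "3.2.1",          # the live site
        "public_html/oldsite": "2.8.4",  # forgotten test install
        "public_html/test/wp": None,     # version.php present but stripped
    }
    for rel, version in sites.items():
        inc = os.path.join(root, rel, "wp-includes")
        os.makedirs(inc)
        body = f"<?php\n$wp_version = '{version}';\n" if version else "<?php\n// empty\n"
        with open(os.path.join(inc, "version.php"), "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, version, status in audit(webroot, "3.2.1"):
        print(f"{status:9} {version or '?':8} {rel}")
```

Point it at the real web root (`python3 find_wp.py /home/account/public_html`) and treat every OUTDATED or UNKNOWN line as something to update or delete; an install with a version file you can't read is no more trustworthy than one you know is old.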

- Google searches worked fine, but when I clicked on any of the hits presented by Google, it would redirect me to a Russian hacker site.
- It allowed me to download MBAM, but after it ran for a few minutes, the task was killed.
- It allowed me to run Windows Defender, but it also was killed off quickly, and would not restart.

Let's Get This Mess Cleaned Up...

I decided to run a "full scan" with AVG, and that ran for about 45 minutes. But it ended with a Blue Screen of Death and an abrupt shutdown. Afterwards, I could not reboot my machine. I figured that either the Master Boot Record or my hard drive partition was hosed. Time to get out the power tools...

The XP install disc would not complete booting, so I couldn't load the recovery tools and run FIXBOOT or FIXMBR. My BartPE recovery disk told me I didn't have a C: drive. My Acronis rescue disk couldn't find the C: drive, either, and gave me the impression that my backup image was corrupted. I considered taking out the hard drive and popping it into my external USB drive kit, so I could inspect the drive while connected to another computer. But my computer has two drives in a RAID configuration, so I didn't think that would work.

This was looking like a total loss. My last hope was the Gateway Recovery Disk that came with the machine, which formatted my hard drive and reloaded the factory image. It was like being in 2006 again. (Yes, I've had my primary "work" computer that long.) This at least allowed me to download and run my Acronis backup software (once I dug two license keys out of my old Gmail messages) and retry my attempt at loading the backup image, which was only a day old.

Fortunately, that worked, so it's back to the future, and all is well. But the ordeal cost me eight hours of white knuckled anxiety. Here's what I learned and/or remembered as a result of this nightmarish ordeal, and how you can benefit:



  1. It really could happen to you. Even if you don't frequent the dark corners of the Internet, even if you're very careful where you click and what you download, you could get zapped by a virus that slips by your anti-malware defenses. And it could get ugly.

  2. No protection is 100 percent. If it happened to you, do you have a full-image backup? Preferably with incremental daily backups? It could save your bacon. One caveat: a backup drive that stays plugged in is just another drive as far as the malware is concerned, so keep at least one copy disconnected or off-site.

  3. Wear gloves. If you're going to visit a website that you suspect has been compromised, don't touch the wires without proper insulation. If I had fired up a virtual machine or a sandbox environment, the damage would have been contained and easily cleaned up with a few clicks.
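On the backup itself: the rescue disk in this story made the image look corrupted before it turned out to restore fine, and the only way to know in advance is to check the copy against something written at backup time. The script below is an added example, not from this post and not part of Acronis or any backup product: it records a SHA-256 per file when the backup is made, and later compares a restored or mounted copy against that list, reporting what is missing, altered or newly planted. The manifest belongs on read-only or detached media, since anything the running system can write to, the malware can too. The files it backs up are constructed for the example.

```python
"""Check a backup copy against a manifest written when the backup was made.

Added example for this article (not from the post, and not Acronis). A
per-file SHA-256 list answers "is this copy intact and complete?" without
booting from it. write_manifest() uses the sha256sum format, so the same
file also works with `sha256sum -c` from a rescue disk. The files in demo()
are constructed for the example.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: str) -> dict:
    """{relative_path: sha256} for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def write_manifest(manifest: dict, path: str) -> None:
    """One 'digest  path' line per file, the layout sha256sum -c expects."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path: str) -> dict:
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify(root: str, manifest: dict) -> dict:
    """Compare the copy at root with the manifest; empty lists mean it matches."""
    current = make_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def is_clean(report: dict) -> bool:
    return not any(report.values())


def demo() -> tuple:
    """Constructed scenario: make a manifest, then damage the copy and re-check."""
    data = tempfile.mkdtemp(prefix="data_")
    files = {
        "docs/notes.txt": b"quarterly notes\n",
        "keys/license.txt": b"ABCD-1234-EFGH\n",
        "photo.jpg": b"\xff\xd8\xff" * 64,
    }
    for rel, content in files.items():
        full = os.path.join(data, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    # The manifest goes somewhere the running system cannot later overwrite.
    offline = tempfile.mkdtemp(prefix="offline_")
    manifest_path = os.path.join(offline, "backup.sha256")
    write_manifest(make_manifest(data), manifest_path)
    before = verify(data, read_manifest(manifest_path))
    # One file overwritten, one deleted, one planted.
    with open(os.path.join(data, "docs", "notes.txt"), "wb") as f:
        f.write(b"\x00" * 16)
    os.remove(os.path.join(data, "keys", "license.txt"))
    with open(os.path.join(data, "dropper.exe"), "wb") as f:
        f.write(b"MZ")
    after = verify(data, read_manifest(manifest_path))
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh copy clean:", is_clean(before))
    for kind, paths in after.items():
        print(f"{kind}: {paths}")
```

Make the manifest right after each backup and verify it from a separate machine or a rescue boot, not from the system you're worried about. A "changed" entry in a file you never edit, or an "extra" file you don't recognize, tells you the copy is already carrying the problem you were hoping to restore away from.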


Are you prepared for a total loss of your hard drive due to a virus, hardware failure or some other disaster? I encourage you to read my ebook Everything You Need to Know About BACKUPS, where you'll learn about backup strategies and how to get started on the road to protecting YOUR data.

Do you have something to say on this topic? Post your comment or question below...

 
This article was posted on 17 Aug 2011

Most recent comments on "How I Got Hacked... And Why You MUST Have a Backup!"

(See all 46 comments for this article.)

Posted by:

Corey Church
02 Sep 2011

Question: Would Firefox using NoScript have prevented the drive-by downloads? I'm ultra paranoid; I use Malwarebytes Pro and NOD32 Antivirus real-time. That combo seems to work without any slowdowns.
NoScript is a pain as you need to allow certain sites to use javascript, but the protection outweighs the hassle.
GREAT article as computer security is a hobby of mine.


Posted by:

Alyssa Bereznak
02 Sep 2011

Hey Bob, I'm sure you're not going to post this but maybe if you're not smart enough to check it out in a virtual machine, 1)You shouldn't have a tech blog 2) You shouldn't be blogging about a dumb mistake in which you got what you deserved.

EDITOR'S NOTE: Alyssa, we all make mistakes. As for my smarts, I'll let my body of writing speak for itself, and others can decide. As for blogging about my mistake, I think there is great value in telling people what happened to me, so they can avoid the same problem. Please feel free to tell others how stupid I was! :-)


Posted by:

Terry
03 Sep 2011

Did you consider running "Microsoft Standalone System Sweeper Beta"? It has helped me with some hard-to-remove items.

A couple of things you might want to do are make a backup of your Boot Sector and Partition Table. These need to be kept on read-only media, not on your HD.

You might want to really take a look at why you use RAID. It has caused me more trouble than it is worth. HDs are so cheap now; just double up on them.

When you hover over a link it is displayed in the lower left line of most browsers or mail managers. You should get in the habit of looking there before clicking. You will soon get used to re-thinking if you should click. If in doubt just sandbox your browser, and yes noscript is a pain, but worth it.

Last, you do not have a backup unless you have three copies, in two different medias, and stored in two separate locations.


Posted by:

James
03 Sep 2011

On a typical machine, an antivirus / antispyware boot CD would usually do the trick to allow you to get rid of the main infection so that the system could be booted and run ComboFix (which, by the way, I always run in safe mode), but the author's system would not recognize drive C using one of these boot disks. That is because he has his system set in a RAID configuration, and these boot disks do not load the RAID drivers. BartPE might have worked for him had he loaded the RAID drivers when Bart asked. Also, some systems use AHCI for the SATA drives, and unless these drivers are loaded, boot CDs will not recognize their drive C either.

EDITOR'S NOTE: Good point about the RAID drivers. RAID adds a layer of complexity that's just not necessary for consumer-level computers like mine. Gateway gave me two 250GB drives and put them in a RAID config to make it look like a single 500GB drive. I've never used more than 80GB, so that wasn't the best option for me.


Posted by:

Terry
05 Sep 2011

Try downloading Hiren's (14.1, latest ver). Run the utility at power-on from the DVD drive or a flash drive. Sort out the problem before loading Windows, if you can. Great HDD scanware and MBR repair utilities amongst many other progs. Remember: back up regularly!


Posted by:

Bob Greene
18 Sep 2011


Thank you for this lesson about a typical drive-by infection-- currently one of the most damaging attacks possible, and increasingly prevalent. By now, most people have had first-hand contact with this type of virus, or know somebody who has.

As a computer support staffer, I can attest that everyone from physicians to PhDs has been hit, and they remain vulnerable even afterward. No matter how careful or professional the user, and no matter what real-time ("shield") protection is installed, this is malware written by professional criminals with world-class expertise, and very hard to defeat-- let alone prevent.

So, contrary to reader Alyssa (who keeps her pantaloons entirely too tight for her own good), there is little that can be done beyond running high-quality anti-malware real-time protection, and hoping to avoid accidentally starting a malware installation.

Since this kind of malware is often made by professional coders for organized crime, it is sometimes called "extortionware". Typically, after extortionware comes on board, it displays a series of bogus messages claiming detection of infection. Next, the malware solicits a "repair" operation, and sends an endless stream of obtrusive reminders every minute. Eventually, all the messages take a toll on the user's composure, and the user may relent and click on a message panel in an attempt to remove the plague. Of course, that desperate measure does not work.

And now, the trap has been sprung. As the infected machine progressively loses its functions-- no anti-virus scans, no internet, and sometimes not even email-- the user is told the computer can be cleaned for a certain amount of money. The user is given no guarantees, but on offering the criminals a credit card number, the system may visibly improve. Unfortunately, from all field experience, the malware itself is not removed. Worse, the criminals have their objective, and quickly put the victim's credit card number on the black market.

Extortionware is always under rapid development to defeat commercial anti-malware protection, so users must make sure they use the very latest version of protection, and keep it updated daily.
For those users lucky enough to detect the symptoms of an infection-in-process, escape is sometimes possible. Extortionware is like a "booby trap"-- it needs a triggering action like a mouse click, the ENTER key or another key to install itself and do damage. Left alone, this type of malware can do nothing except display messages.

So, the remedy for malware can be simple-- when a message displays, ignore it and shut down the computer immediately. Above all, DO NOT CLICK on the message-- not even to close the message box, and no matter how authentic the message might seem.

Again, no damage can occur unless the user starts installation by clicking on the screen area and/or pressing a keyboard key to start installation of the malware payload to the hard drive.

To shutdown, go to START, click on TURN OFF COMPUTER, and wait for normal shutdown. If shutdown does not occur after about two minutes, press in and hold in the computer's POWER button until the computer turns off. After two minutes, simply restart the system normally, and the offending messages no longer should be visible.

Since extortionware is only a variant of this malware class, and new versions are constantly developed, behavior and results may vary.


Posted by:

RocketWolf
01 Oct 2011

Great article Bob, although I just removed two adspy viruses from a customer's computer that came from the Uniblue registry booster, so you may want to reconsider them as a sponsor here.

I was just curious if you had a Mac or a Linux/Unix machine running Ubuntu or Red Hat? That is how I would have visited your friend's website.

Whenever I get a complaint about a suspected virus attack or suspicious problem complaints, I just use one of my two computer Bulldogs, the Mac or the Linux PC, because you are 100% correct, there is no virus protection that is 100% accurate.

As for anyone confused about the mystery of my comment, 99.9999999% of all known viruses are written for a Windows machine and can't infect a Mac or Linux/Unix operating system.


Posted by:

Ben
24 Jul 2012

Excellent article Bob. But surely it is only half the story? What happened to the friend's computer?
Did she get it fixed? Surely there is a whole other blog right there!


Posted by:

Jim G
13 Aug 2012

Wow, when I first read this, I thought it had just happened; I am glad to see the date was last year. Anyway, Sandboxie was mentioned a few times in the comments, and that is the program that I always use when visiting any new sites. I just wanted to comment on AVG, since I have had to fix several computers that were infected with AVG running ineffectively on these poor unfortunate boxes. After the last year, I have learned that AVG is no longer an effective antivirus, and now I recommend ESET, BitDefender, Bullguard, or Kaspersky. Check out the AV-Comparatives latest test results here: http://www.av-comparatives.org/images/docs/avc_prot_2012a_en.pdf

Bitdefender and Bullguard are Extremely Successful in preventing compromise, and I have always loved ESET, and along with Sandboxie, you can now keep infection to an absolute minimum. Of course, what happened to Bob can happen to anyone, so using Sandboxie is probably your best bet.


Posted by:

Brian
22 Nov 2012

I try to be careful, but I'm human and slipped.
I changed my IP. The "OLD" had great protection. No problems that couldn't be fixed with a little help from friends. The "NEW" had no packaged protection. I KNEW THAT! Who was going after me and my PC? I'm from the old school, and when I see the lights blink and I didn't ask them to, I get worried. I tried to take this thing on and nearly lost. By this time I had established proper PC protection, but whatever was in there had the upper hand. The closer I got (removing stuff), the more destructive "IT" got. "It" shut down Windows Essentials + Windows Firewall and my other security without me knowing that it happened. It seems that a portal was opened and unrelated malware popped out. I eventually had to do a complete re-install.


Posted by:

Deborah
15 May 2013

How long and what does it take to become as knowledgeable about all the technical jargon on here?

Is there a condensed book I can read?

I'm currently in school for Computer Programming, Software Development; but, I'm mostly working on the core classes. I've recently finished Intro to Computers (Microsoft focused) and Intro to Database (also, Microsoft focused).

Thanks to some nasty trojans that got past daily updated and constantly running, Microsoft Security Essentials and a regularly updated operating system, I'm recently out about $100 (on a low, fixed income).

In addition, I have an older computer that is now without sound due to not being able to replace an old multimedia driver.

On top of that, I endured a lot of stress and aggravation which was not good for my heart condition.

All this happened a couple weeks before my ONLINE college classes were finished. It took about a week to get my computer mostly recovered on my own after I had to buy an operating system disc. I have a used computer that did not come with a disc.

Excuse me for venting; but...

I think it is an absolute shame and slap in the face of the Almighty for anyone with the intelligence God gave them to use that intelligence for such heinous activities as creating malware.

If these same people would focus their intelligence on doing good, they could eliminate a lot of suffering in the world.

Why not take on some of society's problems like preventing some of the over 27,000 people who succumb to death daily from hunger, dirty water and lack of medical treatment; or the multitude of people living on the streets; or kids going to bed or school hungry (even in the U.S.); or the thousands of unwanted pets put to sleep daily; or any of the other items on the long list of wrongs that need to be righted?

Wake up offenders! You will someday be held accountable whether you believe in God or not. Call it Karma or whatever. What you put out there will come back to you in one form or another. FYI, you might try reading the ten commandments. Included in there is a warning of how punishment for your sins can come back to you, your kids, your grand-kids or your great grand-kids.

And, don't even think about giving an excuse of how you were wronged somewhere in your life. How absolutely insane and sociopathic to take out your hurt and frustration on someone totally unrelated to your past problem. That makes you no better than your offender.

Turn it around. Use your God given gifts for good. You can be blessed for doing so and you can use your talents to raise money to fix some of society's ills.

Then again, maybe you aren't man or woman enough to do that. Maybe you are a sociopath. If so, I pray you get the help you need very soon.


Posted by:

lisa gambino
24 May 2013

Hi, This is a great article. Thank you for all of the information contained, I feel this is very helpful to techs and everyday surfers alike.

Thank you again,

Lisa G


Posted by:

Old Nana
20 Jun 2013

You constantly amaze me. I'd like to give you a virtual "Nana" hug for helping this person to such a degree with her problem and thank you for all the invaluable help you have given to so many of us.


Posted by:

Pablo Cassels
21 Nov 2013

I wonder if you would have been safer if you were web surfing in Linux. I'm sure no O/S is perfectly safe, but aren't the majority of malware Windows compatible only?


Posted by:

RG Schmidt
16 Feb 2014

I'm really confused about backups. I have an HP Portable USB 3.0 drive which is always plugged in to my tower, and Norton Ghost writes to it on an ongoing basis. Would you consider my computer backed up? What prevents the virus from getting onto the external drive via Ghost?


Posted by:

HN
29 May 2014

Bob - I noted in this article that MBAM was stopped from running after a few minutes. I've had success with removing malware from friends' computers by using MBAM's "Chameleon" feature. This allows MBAM to run by disguising itself so the program keeping it from running doesn't recognize it. The worst example I was able to clean up had a little more than 250 items of malware clogging up the works.


Posted by:

steven
12 Sep 2014

I can't believe that you are still using XP. Could these be signs that the hard drive needs replacing? Windows Defender won't run on XP. Sounds like the Google redirect virus.
http://askbobrankin.com/defeat_the_google_redirect_virus.html


Posted by:

James Ford
23 Jan 2016

I would use a VM or my iPad to investigate these type of issues.


Posted by:

steven
08 Jul 2016

Why didn't you use a scrap machine, or a virtual PC?


Posted by:

Brian Clare
11 Feb 2017

I have used the Macrium solution for some years. As a Windows 10 'Insider', a reliable 'backup / image' is a necessity, not an option. In fact, the same applies to any user. Recently an Insider build crashed on my Toshiba laptop. No restore point worked, the Windows image failed, and I was unable to go back to an earlier build; no Windows recovery options were successful. Answer: Macrium image restore. It has not failed me so far. I always have a Macrium backup / image on my other two 'live' working systems. In addition, I run "File History" on all 3 systems regularly.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- How I Got Hacked... And Why You MUST Have a Backup! (Posted: 17 Aug 2011)
Source: http://askbobrankin.com/how_i_got_hacked_and_why_you_must_have_a_backup.html