How I Got Hacked... And Why You MUST Have a Backup!
Are You Vulnerable to Drive-By Malware?
Here's the executive summary: if your friend says "I think my website has a virus, and it's redirecting to a Russian p**n site," don't assume your anti-virus software and fully patched operating system will protect you when you go to have a look-see. I assumed exactly that, and it took me about eight hours to clean up the damage. There are some valuable lessons here, so I hope you'll read on.
I always knew there was a slight chance I could get a virus, because of the "arms race" between the Evil Hackers and the Good Guys who provide anti-virus software. A virus appears, the anti-virus folks add a signature to detect it, and then the virus morphs -- sometimes automatically, with each new copy repacked so the old signature no longer matches. It's a bit like weeds that become resistant to herbicides.
But I was convinced that "drive-by virus infection" scenarios only affected people who would click or download almost anything, who failed to apply their Windows Update security patches, or who ran expired anti-malware protection. It turns out I was wrong. One of the many popups that appeared after I visited the hacked website carried a pretty nasty "drive-by" exploit. My anti-virus program caught and quarantined one attack, but it didn't fully protect me.
In the case of the hacked website I visited, there were some dormant WordPress installations on the same server with unpatched vulnerabilities. Once the hackers got in through one of those, they had access to everything on the server, and they left their payload on the home page of my friend's website. That is a common pattern on shared hosting: the abandoned install that nobody patches is the way in, and from there the attacker can edit any site the same account can write to. I noticed the following after closing all the popups and restarting my browser:
- Google searches worked fine, but when I clicked on any of the hits Google presented, I was redirected to a Russian hacker site.
- It let me download MBAM (Malwarebytes Anti-Malware), but after the scan had run for a few minutes, the task was killed.
- It let me run Windows Defender, but that too was killed off quickly and would not restart.
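As a way to take that "look-see" without handing the page to a browser, here is an added example (not code from this article or from any tool it mentions) that scans saved page source for the kinds of injection a compromised WordPress host typically carries: hidden or off-site iframes, meta refreshes to another host, and inline scripts built from eval/unescape and long encoded strings. The hostnames, the two sample pages and the indicator list are constructed for illustration; in practice the source is fetched with a non-rendering tool (for example `curl -sS -A 'Mozilla/5.0' -o page.html URL`) from a throwaway machine, and only the saved file is fed to the scanner.

```python
"""Static triage of a suspect web page: flag the injection patterns that
drive-by redirect kits commonly leave behind, without rendering or executing
anything. Added example; hostnames and sample pages are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script-body patterns characteristic of obfuscated injected payloads.
OBFUSCATION_PATTERNS = {
    "eval(": re.compile(r"\beval\s*\("),
    "unescape(": re.compile(r"\bunescape\s*\("),
    "String.fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    # 20+ consecutive %XX or \xXX escapes: a string nobody types by hand
    "long hex/percent string": re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){20,}"),
}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class InjectionScanner(HTMLParser):
    """Collects (where, what, why) findings while walking one page's markup."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the host the page legitimately belongs to
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url or "").hostname
        return bool(host) and host.lower() != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            hidden = bool(HIDDEN_STYLE.search(a.get("style", ""))) or \
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if hidden or self._offsite(src):
                self.findings.append(("iframe", src or "(no src)",
                                      "hidden" if hidden else "off-site"))
        elif tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and self._offsite(src):
                self.findings.append(("script src", src, "off-site"))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta refresh", m.group(1), "off-site"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data; only those are inspected.
        if not self._in_script:
            return
        for label, pattern in OBFUSCATION_PATTERNS.items():
            if pattern.search(data):
                self.findings.append(("inline script", label, "obfuscation"))


def scan_page(html, site_host):
    """Return a list of (where, what, why) findings for one page's source."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample of a defaced home page: off-site meta refresh, a 1x1
# hidden iframe, and an inline script that eval()s a percent-encoded blob.
HACKED_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://evil.example/go">
</head><body>
<h1>Welcome to my site</h1>
<iframe src="http://bad.example/in.php" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape('%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%29%3c%2f%73%63%72%69%70%74%3e'));</script>
<script src="/wp-content/themes/x/theme.js"></script>
</body></html>"""

# Constructed clean page: same-site script and iframe, nothing hidden.
CLEAN_PAGE = """<html><body><h1>Hello</h1>
<script src="/js/app.js"></script>
<iframe src="https://friend.example/widget"></iframe></body></html>"""

if __name__ == "__main__":
    for name, page in (("hacked", HACKED_PAGE), ("clean", CLEAN_PAGE)):
        print(name)
        for where, what, why in scan_page(page, "friend.example"):
            print(f"  {why:12} {where:14} {what}")
```

The scanner is deliberately dumb: it never evaluates the script, so a match tells you the page deserves a closer look in an isolated VM, not that the payload is understood. An off-site iframe is not proof of compromise on its own (embedded widgets are common), which is why each finding carries its reason and the decision is left to the reader.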
Let's Get This Mess Cleaned Up...
I decided to run a "full scan" with AVG, which ran for about 45 minutes but ended with a Blue Screen of Death and an abrupt shutdown. Afterwards, I could not reboot my machine. I figured that either the Master Boot Record or my hard drive's partition table was hosed. Time to get out the power tools...
The XP install disc would not finish booting, so I couldn't load the Recovery Console and run FIXBOOT or FIXMBR. My BartPE recovery disk told me I didn't have a C: drive. My Acronis rescue disk couldn't find the C: drive either, and gave me the impression that my backup image was corrupted. I considered pulling the hard drive and putting it in my external USB drive kit, so I could inspect it from another computer. But my computer has two drives in a RAID configuration, so I didn't think that would work. (Whether it can depends on the RAID level: a mirrored drive can be read on its own, but a single drive from a striped pair holds only half of every file.)
This was looking like a total loss. My last hope was the Gateway Recovery Disk that came with the machine, which formatted my hard drive and reloaded the factory image. It was like being in 2006 again. (Yes, I've had my primary "work" computer that long.) That at least let me download and reinstall my Acronis backup software (once I dug two license keys out of my old Gmail messages) and retry loading the backup image, which was only a day old.
Fortunately, that worked, so it's back to the future, and all is well. But the ordeal cost me eight hours of white-knuckled anxiety. Here's what I learned, or was reminded of, and how you can benefit:
- It really could happen to you. Even if you don't frequent the dark corners of the Internet, even if you're careful where you click and what you download, you can get zapped by a virus that slips past your anti-malware defenses. And it can get ugly.
- No protection is 100 percent. If it happened to you, do you have a full-image backup? Preferably with incremental daily backups, and a rescue disk you have actually booted and tested? It could save your bacon.
- Wear gloves. If you're going to visit a website you suspect has been compromised, don't touch the wires without proper insulation. Had I fired up a virtual machine or a sandbox environment first, the damage would have been contained and cleaned up with a few clicks.
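Added example, not the article's or any backup product's code: the full-plus-incremental idea from the list above, reduced to a directory tree so it runs anywhere. Each snapshot writes a manifest of path-to-SHA-256 entries and copies only content it has not stored before, so a later snapshot that captures an infected home page never overwrites the earlier clean copy; a verify() pass catches a corrupted or missing object before you are depending on it; and restore() refuses to use a manifest that fails verification. The directory layout, file names and the "infection" and "media fault" steps in demo() are constructed.

```python
"""Full-plus-incremental file backup with a verifiable manifest and
point-in-time restore. Added example; the sample tree is constructed."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, repo: Path, label: str) -> dict:
    """Record every file under src as relative-path -> digest in
    repo/manifests/<label>.json; copy only content not already in
    repo/objects (content-addressed, so unchanged files cost nothing)."""
    objects, manifests = repo / "objects", repo / "manifests"
    objects.mkdir(parents=True, exist_ok=True)
    manifests.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        if not (objects / digest).exists():      # incremental step
            shutil.copy2(path, objects / digest)
        manifest[path.relative_to(src).as_posix()] = digest
    (manifests / f"{label}.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def load_manifest(repo: Path, label: str) -> dict:
    return json.loads((repo / "manifests" / f"{label}.json").read_text())


def verify(repo: Path, label: str) -> list:
    """Re-hash every object a snapshot needs; return the paths that are broken."""
    bad = []
    for rel, digest in load_manifest(repo, label).items():
        obj = repo / "objects" / digest
        if not obj.exists() or sha256_file(obj) != digest:
            bad.append(rel)
    return bad


def restore(repo: Path, label: str, dest: Path) -> int:
    """Rebuild the tree exactly as it was at snapshot `label`; return file count.
    Refuses to proceed from a backup that does not verify."""
    broken = verify(repo, label)
    if broken:
        raise RuntimeError(f"snapshot {label} is damaged: {broken}")
    count = 0
    for rel, digest in load_manifest(repo, label).items():
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(repo / "objects" / digest, out)
        count += 1
    return count


def demo() -> dict:
    """Self-contained run on a constructed tree; returns facts a test can check."""
    with tempfile.TemporaryDirectory() as tmp:
        src, repo, out = Path(tmp, "work"), Path(tmp, "backup"), Path(tmp, "restore")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("day one\n")
        (src / "index.html").write_text("<html>clean</html>")
        day1 = snapshot(src, repo, "day1")

        # Constructed "infection": home page overwritten, dropper added, notes untouched.
        (src / "index.html").write_text('<html><iframe src="http://bad.example/"></iframe></html>')
        (src / "dropper.exe").write_bytes(b"MZ\x90\x00 constructed, not a real binary")
        day2 = snapshot(src, repo, "day2")

        restored = restore(repo, "day1", out)   # roll back to the pre-infection state

        # Constructed media fault: one stored object goes bad; verify() must notice
        # and restore() must refuse rather than hand back a half-good tree.
        (repo / "objects" / day1["docs/notes.txt"]).write_bytes(b"garbage")
        broken = verify(repo, "day1")
        try:
            restore(repo, "day1", Path(tmp, "restore2"))
            refused = False
        except RuntimeError:
            refused = True

        return {
            "day1_files": len(day1),
            "day2_files": len(day2),
            "stored_objects": len(list((repo / "objects").iterdir())),
            "restored_count": restored,
            "day1_index_clean": (out / "index.html").read_text() == "<html>clean</html>",
            "dropper_absent": not (out / "dropper.exe").exists(),
            "broken_after_fault": broken,
            "restore_refused": refused,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the comments below keep circling back to is visible in the numbers: after the second snapshot the store holds four objects, the two originals plus the two new ones, and the day-one manifest still restores the clean home page. That only holds while the malware cannot write to the repository, which is the argument for keeping at least one copy offline or off-site rather than on a drive that stays plugged in.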
Are you prepared for a total loss of your hard drive due to a virus, hardware failure or some other disaster? I encourage you to read my ebook Everything You Need to Know About BACKUPS, where you'll learn about backup strategies and how to get started on the road to protecting YOUR data.
This article was posted by Bob Rankin on 17 Aug 2011
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "How I Got Hacked... And Why You MUST Have a Backup!"
18 Sep 2011
Thank you for this lesson about a typical drive-by infection-- currently one of the most damaging attacks possible, and increasingly prevalent. By now, most people have had first-hand contact with this type of virus, or know somebody who has.
As a computer support staffer, I can attest that everyone from physicians to PhDs has been hit, and they remain vulnerable even afterward. No matter how careful or professional the user, and no matter what real-time ("shield") protection is installed, this is malware written by professional criminals with world-class expertise, and very hard to defeat-- let alone prevent.
So, contrary to reader Alyssa (who keeps her pantaloons entirely too tight for her own good), there is little that can be done beyond running high-quality anti-malware real-time protection, and hope to avoid accidentally starting a malware installation.
Since this kind of malware is often made by professional coders for organized crime, it is sometimes called "extortionware". Typically, after extortionware comes on board, it displays a series of bogus messages claiming detection of infection. Next, the malware solicits a "repair" operation, and sends an endless stream of obtrusive reminders every minute. Eventually, all the messages take a toll on the user's composure, and the user may relent and click on a message panel in an attempt to remove the plague. Of course, that desperate measure does not work.
And now, the trap has been sprung. As the infected machine progressively loses its functions-- no anti-virus scans, no internet, and sometimes not even email-- the user is told the computer can be cleaned for a certain amount of money. The user is given no guarantees, but on offering the criminals a credit card number, the system may visibly improve. Unfortunately, from all field experience, the malware itself is not removed. Worse, the criminals have their objective, and quickly put the victim's credit card number on the black market.
Extortionware is always under rapid development to defeat commercial anti-malware protection, so users must make sure they use the very latest version of protection, and keep it updated daily.
For those users lucky enough to detect the symptoms of an infection-in-process, escape is sometimes possible. Extortionware is like a "booby trap"-- it needs a triggering action like a mouse click, the ENTER key or another key to install itself and do damage. Left alone, this type of malware can do nothing except display messages.
So, the remedy for malware can be simple-- when a message displays, ignore it and shut down the computer immediately. Above all, DO NOT CLICK on the message-- not even to close the message box, and no matter how authentic the message might seem.
Again, no damage can occur unless the user starts installation by clicking on the screen area and/or pressing a keyboard key to start installation of the malware payload to the hard drive.
To shut down, go to START, click on TURN OFF COMPUTER, and wait for normal shutdown. If shutdown does not occur after about two minutes, press in and hold in the computer's POWER button until the computer turns off. After two minutes, simply restart the system normally, and the offending messages no longer should be visible.
Since extortionware is only a variant of this malware class, and new versions are constantly developed, behavior and results may vary.
01 Oct 2011
Great article Bob, although I just removed two adspy viruses from a customer's computer that came from the Uniblue registry booster, so you may want to reconsider them as a sponsor here.
I was just curious if you had a Mac or a linux/unix machine running Ubuntu or RedHat? That is how I would have visited your friend's website.
Whenever I get a complaint about a suspected virus attack or suspicious problem complaints, I just use one of my two computer Bulldogs, the Mac or the Linux PC, because you are 100% correct, there is no virus protection that is 100% accurate.
As for anyone confused about the mystery of my comment, 99.9999999% of all known viruses are written for a Windows machine and can't infect a Mac or linux/unix operating system.
24 Jul 2012
Excellent article Bob. But surely it is only half the story? What happened to the friend's computer?
Did she get it fixed? Surely there is a whole other blog right there!
13 Aug 2012
Wow, when I first read this, I thought it had just happened; I am glad to see the date was last year. Anyway, Sandboxie was mentioned a few times in the comments, and that is the program that I always use when visiting any new sites. I just wanted to comment on AVG, since I have had to fix several computers that were infected with AVG running ineffectively on these poor unfortunate boxes. After the last year, I have learned that AVG is no longer an effective antivirus, and now I recommend ESET, BitDefender, Bullguard, or Kaspersky. Check out the AV-Comparatives latest test results here: http://www.av-comparatives.org/images/docs/avc_prot_2012a_en.pdf
Bitdefender and Bullguard are Extremely Successful in preventing compromise, and I have always loved ESET, and along with Sandboxie, you can now keep infection to an absolute minimum. Of course, what happened to Bob can happen to anyone, so using Sandboxie is probably your best bet.
22 Nov 2012
I try to be careful, but I'm human and slipped.
I changed my IP. The "OLD" had great protection. No problems that couldn't be fixed with a little help from friends. The "NEW" had no packaged protection. I KNEW THAT! Who was going after me and my PC? I'm from the old school and when I see the lights blink and I didn't ask them to, I get worried. I tried to take this thing on and nearly lost. By this time I had established proper PC protection but whatever was in there had the upper hand. The closer I got (removing stuff) the more destructive "IT" got. "It" shut down Windows Essential + Windows Firewall and my other security without me knowing that it happened. It seems that a portal was opened and an unrelated malware popped out. I eventually had to do a complete re-install.
15 May 2013
How long and what does it take to become as knowledgeable about all the technical jargon on here?
Is there a condensed book I can read?
I'm currently in school for Computer Programming, Software Development; but, I'm mostly working on the core classes. I've recently finished Intro to Computers (Microsoft focused) and Intro to Database (also, Microsoft focused).
Thanks to some nasty trojans that got past daily updated and constantly running, Microsoft Security Essentials and a regularly updated operating system, I'm recently out about $100 (on a low, fixed income).
In addition, I have an older computer that is now without sound due to not being able to replace an old multimedia driver.
On top of that, I endured a lot of stress and aggravation which was not good for my heart condition.
All this happened a couple weeks before my ONLINE college classes were finished. It took about a week to get my computer mostly recovered on my own after I had to buy an operating system disc. I have a used computer that did not come with a disc.
Excuse me for venting; but...
I think it is an absolute shame and slap in the face of the Almighty for anyone with the intelligence God gave them to use that intelligence for such heinous activities as creating malware.
If these same people would focus their intelligence on doing good, they could eliminate a lot of suffering in the world.
Why not take on some of society's problems like preventing some of the over 27,000 people who succumb to death daily from hunger, dirty water and lack of medical treatment; or the multitude of people living on the streets; or kids going to bed or school hungry (even in the U.S.); or the thousands of unwanted pets put to sleep daily; or any of the other items on the long list of wrongs that need to be righted?
Wake up offenders! You will someday be held accountable whether you believe in God or not. Call it Karma or whatever. What you put out there will come back to you in one form or another. FYI, you might try reading the ten commandments. Included in there is a warning of how punishment for your sins can come back to you, your kids, your grand-kids or your great grand-kids.
And, don't even think about giving an excuse of how you were wronged somewhere in your life. How absolutely insane and sociopathic to take out your hurt and frustration on someone totally unrelated to your past problem. That makes you no better than your offender.
Turn it around. Use your God given gifts for good. You can be blessed for doing so and you can use your talents to raise money to fix some of society's ills.
Then again, maybe you aren't man or woman enough to do that. Maybe you are a sociopath. If so, I pray you get the help you need very soon.
24 May 2013
Hi, This is a great article. Thank you for all of the information contained, I feel this is very helpful to techs and everyday surfers alike.
Thank you again,
20 Jun 2013
You constantly amaze me. I'd like to give you a virtual "Nana" hug for helping this person to such a degree with her problem and thank you for all the invaluable help you have given to so many of us.
21 Nov 2013
I wonder if you would have been safer if you were web surfing in Linux. I'm sure no O/S is perfectly safe, but aren't the majority of malware Windows compatible only?
16 Feb 2014
I'm really confused about backups. I have an HP Portable USB 3.0 drive which is always plugged in to my tower, and Norton Ghost writes to it on an ongoing basis. Would you consider my computer backed up? What prevents the virus from getting onto the external drive via Ghost?
29 May 2014
Bob - I noted in this article that MBAM was stopped from running after a few minutes. I've had success with removing malware from friends' computers by using MBAM's "Chameleon" feature. This allows MBAM to run by disguising itself so the program keeping it from running doesn't recognize it. The worst example I was able to clean up had a little more than 250 items of malware clogging up the works.
12 Sep 2014
I can't believe that you are still using XP. Could these be signs that the hard drive needs replacing? Windows Defender won't run on XP. Sounds like the Google redirect virus.
23 Jan 2016
I would use a VM or my iPad to investigate these type of issues.
08 Jul 2016
Why didn't you use a scrap machine. Or virtual PC
11 Feb 2017
I have used Macrium solution for some years. As a Windows 10 'Insider', a reliable 'backup / image' is a necessity, not an option. In fact, the same applies to any user. Recently a build of Insider crashed on my Toshiba laptop. No restore point worked, Windows image failed, and I was unable to go back to an earlier build. No Windows recovery options were successful. Answer: Macrium image restore. It has not failed me so far. I always have a Macrium backup/image on my other two 'live' working systems. In addition, I run "File History" on all 3 systems regularly.
31 Jul 2018
HOW do you KNOW it was a Russian hacker site? It could be a site in the US, pretending to be Russian! Or Ukraine, or anywhere on Earth!
11 Aug 2018
I have PC-Matic and it is wonderful for blocking viruses and has many other features.
I think if you had PC-Matic anti-virus software, this virus would have been blocked and not an executable.
Correct me if you feel this is untrue!
22 Jul 2019
RG Schmidt, your computer is not backed up. As another poster wrote you do not have a backup if your computer content is not on 3 different media (computer, 2 backups) of which 1 should be off-site.
Ideally there should also be a history of backup, i.e. a backup should not overwrite the already existing backup on the media.
23 Jul 2020
YOUTUBE HAS BECOME MALWARE & REFUSES MILLIONS OF PEOPLE FROM COMMENTING!
Ernest N. Wilcox Jr.
22 Apr 2022
A good backup regimen is very important for a LOT more than malware recovery. I have heard it said (and I agree) that the greatest danger to the computer is the user. Even the most experienced/cautious user does things at the keyboard out of habit (or thoughtlessly). We can easily skip a step when performing routine procedures, or inadvertently delete a file we need.
As an example of carelessness, a week or so ago, I was wiping clean about a half dozen USB drives using GParted from within a live session of System Rescue. After about two or three drives, I skipped the step where I switch from viewing my primary drive's partitions to viewing the USB drive's partitions and selected all of them for deletion. I executed the operation before I realized my mistake. Thanks to my backup regimen, it took me about an hour or less to fully recover. Without an up-to-date full backup image that I could use, it may have taken me a full day or perhaps two to fully recover, and even then, who knows whether I could have recovered everything I had lost.
I have been using (and building) PCs for most of my adult life. Prior to retiring, I had a small side business building/repairing PCs. My first PC ran with MS-DOS 3.1 (just to date me a bit), so I consider myself to be a veteran PC operator with a better than average understanding of computer use/management. If I can make such a disastrous mistake performing a routine procedure that I have performed more times than I can count over the years, anyone can.
I use the free edition of Macrium Reflect. I have it configured to generate a monthly full image and daily differential images of all the partitions on all drives attached to my desktop PC, except the one partition to which I have it write the image files. I keep two monthly full images and thirty differential images. This allows me to restore my system to the state it was in at the start of any of the past thirty days. It also allows me to recover any file(s) that have existed on my system within the past thirty days, or with the state they were in on any of the past thirty days. I also have OneDrive sync the files on my desktop PC, so I have a real-time backup stored offsite.
If you have your own personal PC, and you don't already have a backup regimen in place and working for you, I strongly suggest you do so. If you don't, you are gambling/betting that your PC will never contract malware, or that you will never make some disastrous mistake that could potentially destroy all that you have on your PC.