Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Ethereum mailing list breach exposes 35,000 to crypto draining attack

Featured Deal: Upgrade your iPad with an Apple Magic Keyboard Folio for under $90

Latest Buyer's Guide:    Best web browsers with built in VPN: Boost online privacy

Generic User Avatar

How Malware Spreads - How your system gets infected

Started by quietman7 , Jan 17 2010 10:45 AM

  • This topic is locked This topic is locked
No replies to this topic

#1 quietman7

quietman7

    Bleepin' Gumshoe


  • Avatar image
  • Global Moderator
  • 62,063 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:12 AM

Posted 17 January 2010 - 10:45 AM

Hackers and malware developers use a variety of methods, sophisticated techniques and attack vectors to spread their malicious programs. They rely heavily on social engineering and scams in an attempt to trick unsuspecting users and infect computers. Cyber-criminals succeed because they take advantage of human weaknesses to exploit the weakest link in the security chain.

Malware developers and attackers have been known to use spam emails, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attack, drive-by downloadssocial engineering, downloading software cracks, activators for Windows & Office, targeting managed service providers (MSPs), exploiting remote monitoring and management (RMM) software and RDP bruteforce attacks.

In some cases, criminals may use legitimate software such as Process Hacker to help facilitate the spread of malware. Process Hacker is a program used for viewing, managing, and manipulating processes and their threads/modules. However, it is one of several tools which can be used (misused) by hackers and malware developers during the compromise of a computer system/network in order to spread various types of malware and ransomware.

Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.

Keep in mind that the severity of infection will vary from system to system, some causing more damage than others especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious extensions for Internet browsers which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.
 
:step1: Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not uncommon for malware writers to use the names of well known security tools and legitimate anti-virus programs as part of the name for bogus and fake software in order to trick people into using them. There were at least two rogues that used part of or all of the Malwarebytes name including this Fake and Bundled Malwarebytes Anti-Malware 2.0. There also were rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy, Avira AntiVir and many more. Even Microsoft has been targeted by attackers using such names as MS Anti-virus and Windows Defender in naming schemes for rogue applications.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:

 

:step2:  Ransomware is a sophisticated form of extortion in which the attacker either locks the computer to prevent access and demands money (ransom) to unlock it or encrypts a personal information (data files) and then demands money in exchange for a decryption key that can be used to retrieve the encrypted files. In most cases the greatest challenge to recovering the encrypted data has been the process of breaking the code of how the data is scrambled so it can be deciphered. Some forms of Ransomware act like rogue security software, generating bogus infection alerts and warnings to scare their victims. Older versions of ransomware typically claim the victim has done something illegal with their computer and that they are being fined by a police or government agency for the violation.
 

The most common kinds of ransomware include:

  • File encrypting ransomware which incorporates advanced encryption algorithms that is designed to encrypt data files and demand a ransom payment from the victim in order to decrypt their data. The first file encrypting ransomware variants used a symmetric-key algorithm but malware developers eventually upgraded to public-keys before moving on to use a combination of symmetric and public.
  • Locker ransomware which locks the victim out of the operating system so they cannot access their computer or it's contents to include all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer.
  • Master Boot Record ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk essentially stopping the computer's boot process and displaying a ransom demand. Some variants will actually encrypt portions of the hard drive itself.

As noted above, crypto malware (file encryptor ransomware) uses some form of encryption algorithms that prevents users from recovering files unless they pay a ransom or have backups of their data. Once the encryption of the data is complete, decryption is usually not feasible without contacting and paying the developer for a solution. Crypto malware typically encrypts any data file that the victim has access to since it generally runs in the context of the user that invokes the executable and does not need administrative rights. It typically will scan and encrypt whatever data files it finds on computers connected in the same network with a drive letter including removable drives, network shares, and even DropBox mappings...if there is a drive letter on your computer it will be scanned for data files and encrypt them. US-CERT Alert (TA13-309A) has previously advised that many ransomware families have the ability to find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives (if connected) and even some cloud storage drives if they have a drive letter. Some ransomware will scan all of the drive letters that match certain file extensions and when it finds a match, it encrypts them. Other ransomware will use a white list of excluded folders and extensions that it will not encrypt. By using a white list, the ransomware will encrypt almost all non-system and non-executable related files that it finds.

The first known ransomware attack was the AIDS Trojan spread via floppy disks in 1989. Although Crypto malware has been around for many years, the original CryptoLocker which appeared in the beginning of September 2013 gave it widespread media attention because it demonstrated how these infections could generate a large amount of revenue for their creators. Crypto malware ransomware typically propagates itself as a Trojan, although  Zcrypt was a self-replicating virus Hybrid distributed via malicious email attachments, then spread through removable USB drives and WannaCry was a worm distributed via an email malspam campaign that spread by exploiting vulnerabilities in the Windows operating system. Numerous variants of encrypting ransomware have been reported between 2013 and 2016.

Ransomware spreads via a variety of attack vectors to include social engineering (trickery) and user interaction...opening a malicious email attachment (usually from spam or an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site and scams. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Social engineering has become on of the most prolific tactics for distribution of all types of malware, identity theft and fraud.

 

Attackers will use Shortened malicious URLs to mask a malicious link, obfuscating a malicious destination and malicious code (script) injection (i.e. JScript, JavaScript (.js) file). Another technique uses spam emails and social engineering to infect a system by enticing users to open an infected word document with embedded macro viruses and convince them to manually enable macros that allow the malicious code to run. Some victims have encountered crypto malware from ransomware malware executables, packaged NW.js application using JavaScript, spam containing attachments with zipped .js files or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware to include ransomware variants.

Threat Bulletin: Ransomware 2020 - State of Play

During the latter half of 2019 and early 2020, the BlackBerry Research and Intelligence Team observed cyber-criminal gangs utilizing advanced tactics to infiltrate and ultimately extort money from victims using several prominent ransomware families (E.G.: Ryuk, Sodinokbi1 and Zeppelin2), with a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns often deployed via compromised Managed Security Service Providers (MSSPs).

Crypto malware can also be delivered via malspam, malvertising campaigns, cryptojacking malware campaigns, downloading software cracks, pirated softwareadware bundlesfake Windows updatefake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs), exploiting Remote Monitoring and Management (RMM) Software (or any remote assistance), fileless malware, non-malware attack, posing as a folder on removable drives, exploits, exploit kits and drive-by downloads when visiting compromised web sites...see US-CERT Alert (TA14-295A). An Exploit Kit is a malicious tool with pre-written code used by cyber criminals to exploit vulnerabilities (security holes) in outdated or insecure software applications and then execute malicious code. Currently the Angler, RIG, Magnitude, Neutrino, and Nuclear exploit kits are the most popular.

Another scenario involves hackers utilizing Remote Desktop Protocol (RDP), a very common brute force attack vector for servers particularly by those involved with the development and spread of ransomware since if enabled, it allows connections from the outside. Attackers will use remote port scanning tools to scan enterprise computer systems, searching for RDP-enabled endpoints commonly used to login from outside the workplace. When the attacker finds a vulnerable RDP-enabled endpoint they use a barrage of login attempts by guessing or brute force attacking the password. Attackers can also use phishing of a company employee to gain access and control of their machine, then use that access to brute-force RDP access from inside the network.

 

Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user not logged in to do just about anything. The attacker can use remote access tools to introduce and execute crypto malware, generate the encryption keys, encrypt data files and upload files back to the them via the terminal services client. The attacker can steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here by Lawrence Abrams, site owner of Bleeping Computer.

 
Kaspersky labs reports brute force attacks against RDP servers are on the rise.

In addition to searching for devices with exposed RDP or weak passwords that can be exploited by brute-force attacks, criminals are also using that access to routinely locate and destroy backups so they can demand higher ransom payments.

 

IT admins and other folks should close RDP if they don't use it. If they must use RDP, the best way to secure it is to only allow RDP from local traffic, whitelist IP's on a firewall or not expose it to the Internet. Put RDP behind a firewall, setup a VPN to the firewal, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges. You may even want to consider using a host-based intrusion prevention system (HIPS) like RdpGuard for Windows Server to protect from brute-force attacks.

 

Another common method to spread ransomware is by using pirated software, fake/illegal activators for Windows & Office and other cracked software. These programs are not only considered illegal activity in many countries but they are a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections including encryption of all your most valuable data, in many cases beyond recovery.

RaaS (Ransomware as a Service) is a ransomware hosted on the TOR network that allows "affiliates" to generate a ransomware and distribute it any way they want. The RaaS developer will collect and validate payments, issue decrypters, and send ransom payments to the affiliate, keeping 20% of the collected ransoms.

 

There also have been reported cases where crypto malware has spread via YouTube ads and on social media, a popular venue where cyber-criminals can facilitate the spread of all sorts of malicious infections.

Note: For victims who are dealing with an NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet which essentially is the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Hacking passwords, OpenSSH vulnerabilities exploiting security vulnerabilities and software are common attack vectors.

Up close and personal with Linux malware

Compared to Windows malware, Linux malware tends to be less obfuscated and easier to analyze. Obfuscation is often added to evade detection by security products. Since there are often no security products to bypass, the bar is lower and attackers skip this unnecessary step.

Most security experts will advise against paying the ransom demands of the malware writers. I explain why (Post #14) in this topic. There are also suggestion for the best defensive strategy to protect yourself from malware and ransomware (crypto malware) infection.

 
 
:step3: Infections spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.

Another PDF sample that exploits an unpatched vulnerability in Adobe Reader and Acrobat has been spotted in the wild...

Unpatched Adobe Vulnerability Is Still Being Exploited in the Wild

...your machine may still be vulnerable to attacks if you never bother to uninstall or remove older versions of the software...a malicious site could simply render Java content under older, vulnerable versions of Sun's software if the user has not removed them....

Hole in Patch Process
Ghosts of Java Haunt Users
BlackHole toolkit enables attackers to exploit security holes in order to install malicious software

If a website has been hacked or displays malicious ads, they can exploit the vulnerable software on your computer.

The majority of computers get infected from visiting a specially crafted webpage that exploits one or multiple software vulnerabilities. It could be by clicking a link within an email or simply browsing the net, and it happens silently without any user interaction whatsoever.

Web Exploits

Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.

Tools of the Trade: Exploit Kits

To help prevent this, install and use Secunia Personal Software Inspector (PSI), a FREE security tool designed to detect vulnerable and out-dated programs/plug-ins which expose your computer to malware infection.

 
:step4: A large number of infections are contracted and spread by visiting gaming sites, porn sites, using pirated software (warez), cracking tools, hacking tools and keygens where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found vulnerabilities that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamer's authentication information so they can steal their accounts. Djvu (STOP) Ransomware has been found to spread by downloading software cracks and adware bundles.

Dangers of Gaming Sites:

The design of online game architecture creates an open door for hackers...hackers and malware hoodlums go where the pickings are easy -- where the crowds gather. Thus, Internet security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....

MMO Security: Are Players Getting Played?

Dangers of Cracking & Keygen Sites:

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

Dangers of Warez Sites:

...warez/piracy sites ranked the highest in downloading spyware...just opening the web page usually sets off an exploit, never mind actually downloading anything. And by the time the malware is finished downloading, often the machine is trashed and rendered useless.

University of Washington spyware study

When you use these kind of programs, be forewarned that some of the most aggressive types of malware infections can be contracted and spread by visiting/using crack, keygen, warez and  pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection which can result in the encryption of all your most valuable data, in many cases beyond recovery.

 

:step5: Infections spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a botnet or zombie. File sharing networks are thoroughly infected and infested with malware according to Senior Virus Analyst, Norman ASA. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites.

Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware.

Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious Flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.

Keep in mind that even legitimate websites can display malicious ads and be a source of malware infection.

...Internet users are 21 times more likely to become infected by visiting a legitimate online shopping site than by visiting a site used for illegal file-sharing...The problem isn't in the sites themselves; it's in the ads...

Mainstream Websites More Likely to Harbor Malware

...According to Ciscos annual 2013 Security Report internet users are 182 times more likely to get malware from clicking on online ads than visiting a porn site...

Clicking Online Ads More Likely To Deliver Malware Than Surfing Porn Sites
Cisco Annual Security Report: Threats Step Out of the Shadows

 
:step6: Infection can also spread by visiting popular social sites and through emails containing links to websites that exploit security hole's in your web browser. When you click on an infected email link or spam, Internet Explorer launches a site that stealthy installs a Trojan so that it can run every time you startup Windows and download more malicious files. Email attachments ending with a .exe, .com, .bat, or .pif from unknown sources can be malicious and deliver dangerous Trojan downloaders, worms and viruses which can utilize your address book to perpetuate its spread to others.

At least one in 10 web pages are booby-trapped with malware...The tricks include hacking into a web server to plant malware, or planting it within third-party widgets or advertising...About eight out of every 10 Web browsers are vulnerable to attack by exploits...Even worse, about 30% of browser plug-ins are perpetually unpatched...

One in 10 web pages laced with malware
Bulk of browsers found to be at risk of attack

Researchers at the Global Security Advisor Research Blog have reported finding pornographic virus variants on Facebook. The Koobface Worm has been found to attack both Facebook and MySpace users. Virus Bulletin has reported MySpace attacked by worm, adware and phishing. Some MySpace user pages have been found carrying the dangerous Virut. Malware has been discovered on YouTube and it continues to have a problem with malware ads. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.

 

:step7: Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involve malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. Autorun.inf can be exploited to allow a malicious program to run automatically without the user knowing since it is a loading point for legitimate programs. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file to run silently on your computer. For flash drives and other USB storage, autorun.ini uses the Windows Explorer's right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to executing the malicious file if the "Open" command is used or double-clicking on the drive icon. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer.

To learn more about this risk, please read:

Many security experts recommend you disable Autorun as a method of prevention and to Maximize the Protection of your Removable Drives. Microsoft recommends doing the same.

Note: If using Windows 7, be aware that in order to help prevent malware from spreading, the Windows 7 engineering team made important changes and improvements to AutoPlay so that it will no longer support the AutoRun functionality for non-optical removable media.

 
:step8: Other types of infections spread by downloading malicious applets, Clickjacking or by visiting legitimate web sites that have been compromised through various hacking techniques (i.e. Cross-Site Scripting, Cross-Site Request Forgery) used to host and deliver malware via malicious code, automated SQL Injection (injecting HTML code that will load a JavaScript redirector) and exploitation of the browser/operating system vulnerabilities.

...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.

One webpage gets infected by virus every 5 seconds

 
:step9: Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to update personal information such as passwords, user names, and provide credit card, social security, and bank account numbers, that the legitimate organization already has. Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.

 Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as a genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish these scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.
 
:step10: Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware", “all your files are encrypted", "suspicious ransomware activity" and other fake messages has become an increasing common scam tactic over the past several years. The scams may involve phishing emails or web pages with screenshots of fake Microsoft (Windows) Support messages, fake reports of suspicious activity, fake warnings of malware found on your computer, fake ransomware and fake BSODs many of which include a phone number to call in order to fix the problem. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.

Extortion (Sextortion) Scamming is a tactic involving phishing emails / email spoofing sent to unsuspecting victims where the criminals make various threats with demands for money in exchange to keep personal, salacious, derogatory information (photos, videos) or other sensitive  information they allegedly collected about you from being published or sent to family, friends, coworkers, social media contacts, etc. The scammers may claim they hacked your computer, know your password and have access to all social media accounts, email, chat history and contact lists. They may also claim to have had access to your webcam and have compromising photos or videos of you watching pornography on an adult web site or pleasuring yourself while watching porn. Scammers often indicate they were able to obtain these photos or videos by installing malware with a keylogger and using Remote Desktop Protocol (RDP) to remotely control your computer screen and webcam. In addition to visiting websites with adult content, the personal information collected or captured on video or photographs could relate to any number of accusations such as compromising sexual situations, inappropriate behavior with a child, infidelity, stealing from your employer, etc. There is an example of an Extortion/Sextortion Email noted in this news article.

 

The next part of the scam is a threat to expose (release) those videos, photos or other sensitive information via email and social media unless you pay them a certain amount of money usually in Bitcoin. The scammers typical claim they have access to your email accounts and all personal contacts and threaten to release what they have to your spouse, family, friends, law enforcement authorities or government related agencies which may be interested. Scammers may even claim they have stolen sensitive business records or financial data from your computer which they intend to release, publish or destroy unless you pay them. This is all a ruse intended to scare a victim into paying the extortion demands.

 

These are a few examples of Sextortion Scam reports and news articles.

For more information about how these scams work and resources to protect yourself, please read Beware of Phony Emails & Tech Support Scams.

Finally, backing up infected files, is a common source of reinfection if they are restored to your computer. Generally, you can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to backup any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml ) files because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise itself by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.

Now that you know How malware spreads, you may want to read Best Practices for Safe Computing - Prevention which includes tips to protect yourself against malware infection.


Edited by quietman7, 04 February 2024 - 04:58 PM.

.
.
Microsoft MVP Alumni 2023Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023

Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

BC AdBot (Login to Remove)

 

Back to Anti-Virus, Anti-Malware, and Privacy Software


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users


  1. BleepingComputer Forums
  2. Security
  3. Anti-Virus, Anti-Malware, and Privacy Software
  4. Privacy Policy
  5. Rules ·