Saturday, September 27, 2014

Wipe or Repair

Over time some computers tend to slow down compared to how they worked when they were new; that even can lead to the computer “freezing p” and become totally unresponsive. There are many potential reasons for these effects. Here are a few examples:
  • During regular use temporary files do not get deleted when no longer needed.
  • Too many “background” programs accumulate and run unnecessarily.
  • Unscrupulous companies, programs and web sites literally trick the user into installing unnecessary and often outright pernicious programs, so called PuPs.
When this this gets too bad some people just buy a new computer but in most cases this is not necessary. Other people ask a computer repair shop or technician for help. And here is where it gets tricky for the end user who usually is not a computer geek.

Provided that the hardware of the computer in question is still working correctly these “repairs” can be done in two fundamentally different ways:
  1. The computer can be wiped or reset to factory-new state as it was originally delivered.
  2. Offending files and programs can be removed and eventual damage repaired.
Among computer repair technicians the question “repair or wipe” is one of the most controversially discussed topics of all. More often than not these discussions in online forums are based mostly on beliefs and habit than on facts.

My personal take at this question is this: It very rarely is in my client's best interest (or mine!) to wipe and reload the operating system. I know this in stark contrast to what businesses like Best Buy and others say and do but I write this for my average clients, home users that want their computer “to just work”.

A successful repair is, among others, defined by:
  • All viruses, malware, PuPs and so on have been completely removed.
  • The cleanup is actually accomplished in about 2 hours.
  • After the cleanup the computer runs reliably at normal speed.
  • For a reasonable period of time the computer remains free from malicious software - provided the user cooperates and avoids mistakes that are all too common.
Especially larger support organizations routinely apply the wipe-and-reload method. They usually claim one or more of the following reasons as their justification:
  • It’s the only way to be sure all infections are removed.
  • It’s the fastest way to resolve the problem.
  • This process also gets rid of other clutter.
IMHO much more to the point, this one-size-fits-all approach doesn’t require much skill, training or experience on part of the technician who is doing the work; thus the bigger organization saves money on training and wages for better qualified employees.

Most certainly the wipe-and-reload solution is not in the customer’s best interest; here are some of the reasons:
  • The rarely understands that their computer will look and feel very different after a reload.
  • The customer will have to manually reload drivers, reset the fonts he got used to and now “wants”, select colors, margins, standard folders and file associations; he/she may have to install printer(s) and apat other system settings that have been building up over time since the computer was new.
  • Some programs or data files will get destroyed or lost; if they are infrequently used that may show up only weeks or months after the “repair”.
  • The user will be without the computer for as long as the reload takes which could be several days.
  • Very sophisticated viruses may return after a reload unless very specific measures prevent such reinfection, for example after MBR and/or BIOS infection.
Here are some of the reasons why this approach is not in the technician's best interest, especially if I am the technician doing the cleanup:
  • If I “wipe and reload” then the client doesn’t need me, he/she can do it themselves or,
    worse yet, use the techie kid next-door to do it for the cost of a pizza.
  • Some programs, drivers, settings and user data will get lost.
  • The computer will not “look and feel the same” as it did before the repair.
  • The work involved will require much more time than I can honestly charge.
The only way to resolve issues caused by viruses or malware is to find and remove all such nasty programs, their activation methods and associated files and to repair eventual damage to the operating system.

A good cleanup must include improved preventive measures to avoid future success of another malware attack.

I am fully aware that this sometimes is next to impossible; modern malware almost always relies on social engineering tricks to get on a computer. In the end it depends on the user to always follow my Ten Commandments Of Safe Computing, now more than ever before.

Again opposed to common methods I prefer the on-site visit for a clean up job. Only on-site I can convey to the customer some training, show him/her the time proven tools and methodology I recommend to follow and get a feeling for how well they understand my appeals to use common sense.

There are situations when wipe-and-reload is appropriate, for example and IMHO if all these conditions are met:
  • You have a recent full-image backup of that computer.
  • There are only one or two user(s) set up on the infected computer .
  • There is no (or very little) locally-installed software on the infected computer.
These conditions are hardly ever met in a home environment. Only if these conditions are met I will consider a reload. In eleven years of “fixing” home computers I have had to reload the operating system only on two occasions.

I see no acceptable alternative to intelligently and methodically removing all malware infections and repairing any damage they may have caused. 

And I am well aware of the fact that on rare occasions malware may have done so much damage to the operating system that there may be no other way but to wipe and rebuild; but, as I said, luckily these cases are becoming more and more rare.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.

Monday, September 8, 2014

2014-09-08 WTKM Talking Points (September 8 2014)

Linksys and Cisco routers unsafe! Updating does NOT help.
Any other router: Turn WPS off (known since 2011)

Cloud Storage: Another example of lost access and no recourse.

For-Pay Windows maintenance tools worthless

Infectious” USB drives on the horizon. So far only drives with a certain type of controller but that might change.
But they don't tell us what brand controller is affected.

14 antivirus apps have security problems.
    After finding basic boo-boos in security software researcher says vendors just don't care.
Avira, BitDefender, ESET and Panda (
among others) in “hall of shame”.

The skinny: The more a security app does the bigger the attack surface
the more it slows down the computer.

Why do people create virus programs? MONEY!
CryptoWall alone cashed over six months more than $1.1 million

Did Home Depot get hacked? Whether yes or no,
currently do not use ANY card at any retail stores.

Firefox enhances security with new version 32. Upgrade!

Mac security programs: Only three of 18 very good, a few good. Fuhgetabout the rest.

As usual I welcome suggestions and comments right here in the blog. 
Click here for a categorized Table Of Contents.

Monday, September 1, 2014

Details on CryptoWall

This article assumes that you are familiar with my previous article CryptoLocker - Revisited.

Detailed information was released about CryptoWall, one of the CryptoLocker variants.

Between mid-March and late August CryptoWall infected almost 625,000 systems; on these systems it encrypted more than 5.25 billion files.

The US seems to have the most CryptoWall infections: 253,521 (or about 40 percent), followed by Vietnam with 66,590 infections, the U.K. with 40,258, Canada with 32,579 and India with 22,582.

The US likely got targeted more often because CryptoWall's got distributed through spam emails sent from the Cutwail botnet which targets English language computer users.

Researchers collected data directly from CryptoWall's  payment server such as the exact number of paying victims and the amount of payments. Of nearly 625,000 infections and over about six months 1,683 victims (0.27%) paid the ransom for a total of $1,101,900.

CryptoWall seems to have  a home-made problem by accepting payment of ransom by Bitcoin only. Many average computer users will have problems paying with Bitcoin and reseachers assume that this is part of the reason that only 0.27% of CryptoWall's victims paid compared to 1.3% of CryptoLocker victims; CryptoLocker allowed payment by MoneyPak as well.

As sad as it is, these numbers clearly show that cyber crime pays.

As usual I welcome suggestions and comments right here in the blog.

Click here for a categorized Table Of Contents.