America’s first geek, Benjamin Franklin, offered this piece of advice way back in the 18th century: “an ounce of prevention is worth a pound of cure.” It’s sage wisdom in the wake of the House Republicans’ website being taken down recently by a potentially dangerous computer virus.
Based on information from security researchers, and on one victim’s description of the malware that twice infected a computer, the malware served from the House Republicans’ website was most likely a TDSS rootkit, which infects Windows machines. TDSS rootkits are among the most potent Windows malware families on the web, because they routinely go undetected by ordinary virus scanners.
Attackers run automated scripts that scour the web for out-of-date WordPress installations. When one is found, the script “injects” malicious code into the site’s pages; that code targets vulnerabilities in visitors’ web browsers and browser plugins that have not been updated. Once the browser is exploited, the payload installs the TDSS rootkit on the victim’s Windows machine, and missing Windows updates make that installation easier still. All of this happens in seconds, without the user being aware that anything is happening.
The latest variant of TDSS is particularly worrying because it writes itself into the disk’s “master boot record” (MBR) and is loaded into memory before Windows starts up. Because it is already running when the operating system’s own drivers load, it can sit between Windows and the disk and filter what is read, so the operating system and any scanner running on it see only what the rootkit wants them to see. That is what lets it run largely undetected from inside the infected system.
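Because the rootkit lives in the MBR and hides its changes from a running Windows, the one check that still works is to read the boot sector from outside the infected system (a disk image, or the disk mounted from clean boot media) and compare it with a known-good copy. The script below is an added example for this article, not code from any security vendor: it parses the 512-byte MBR layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature) and flags a boot sector whose boot code no longer matches a baseline hash. The sample sectors and the “clean” boot-code bytes are constructed here for illustration; the baseline hash in practice would come from the machine’s own MBR captured when it was known to be clean.

```python
"""Parse a 512-byte MBR and compare its boot code with a known-good hash.

Added example (not from the article or any vendor tool). Read the sector
from a disk image or from clean boot media: a running bootkit that filters
disk reads will hand a live scanner a clean-looking sector.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR

# Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)
_ENTRY_FMT = "<B3xB3xII"


def parse_partition_entry(entry: bytes) -> Dict:
    """Decode one 16-byte partition table entry."""
    status, ptype, lba_start, sectors = struct.unpack(_ENTRY_FMT, entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> Dict:
    """Return the boot signature check, a hash of the boot code, and the used partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        entries.append(parse_partition_entry(sector[start:start + PARTITION_ENTRY_LEN]))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": [e for e in entries if e["type"] != 0],  # type 0 = unused slot
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> Dict:
    """Compare a sector with a baseline captured when the machine was clean."""
    info = parse_mbr(sector)
    problems: List[str] = []
    if not info["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        problems.append("boot code differs from baseline")
    return {"clean": not problems, "problems": problems, **info}


def build_sample_mbr(boot_code: bytes, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a constructed MBR for testing (not a real disk's sector)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PARTITION_ENTRY_LEN, b"\x00")
    return boot_code + table + BOOT_SIGNATURE


# Constructed baseline: placeholder boot code and one bootable NTFS-type (0x07) partition.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

# Constructed "infected" sector: the bootstrap code is replaced, but the partition
# table and signature are kept intact so the disk still boots and looks normal.
INFECTED_MBR = build_sample_mbr(b"\xeb\x1e\x90" + b"\x90" * 8, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        result = check_mbr(sector, BASELINE_HASH)
        print(name, "clean" if result["clean"] else result["problems"], result["partitions"])
```

The partition table of the tampered sector parses identically to the clean one, which is exactly why a quick look at the partition layout is not enough; only the hash of the bootstrap bytes reveals the change.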
Once installed, TDSS “phones home” over an encrypted channel to let its operators know it has been installed successfully, then waits for instructions. The operators can then control the infected machine remotely. Typical uses include launching denial-of-service attacks on other websites or redirecting the victim to fake banking pages to steal login details.
Removing a TDSS rootkit is particularly difficult. Because it hides from the running operating system, even up-to-date antivirus software frequently misses it, so a specialized scanner is often needed. The security firm Kaspersky offers a free removal utility (TDSSKiller) that can detect and remove most variants. If that fails, the only reliable option is to wipe the computer’s hard drive completely and start over; since this variant lives in the master boot record, make sure the reinstall rewrites that record and not just the Windows partition.
Getting infected is usually avoidable, but it requires installing security updates as soon as they are released. The vulnerable version of WordPress dates back to July 2011, and two updates have been released since, the most recent in January. Site owners just need to click “update” and WordPress will apply the patches automatically. Updating closes the hole but does not remove code that was injected earlier, so a site that has already been compromised also needs its files cleaned up.
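The two things a site owner wants to know after reading the above are whether the installed WordPress core is behind the current release and whether injected code is already sitting in the site’s files. The following script is an added example written for this article, not part of WordPress or of any scanner: it reads `$wp_version` out of `wp-includes/version.php`, compares it with an assumed “latest” release string (hard-coded here so the example runs offline; a real check would ask WordPress’s update API), and runs a few generic heuristics for the kind of injected code described earlier (obfuscated PHP `eval`, hidden iframes, scripts that decode their payload at run time). The pattern set, the version string and the sample site files are all constructed for illustration and are not signatures for any specific campaign.

```python
"""Offline audit of a WordPress install: core version and injected-code heuristics.

Added example (not from the article or the WordPress project). The "latest"
version and the detection patterns are assumptions made for illustration.
"""
import re
from typing import Dict, List, Optional

# Assumed current release for the comparison. In practice fetch it from
# https://api.wordpress.org/core/version-check/1.7/ (not done here, so it runs offline).
ASSUMED_LATEST = "3.3.1"

_WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract $wp_version from the text of wp-includes/version.php."""
    match = _WP_VERSION_RE.search(version_php)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """'3.2.1' -> (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(installed: str, latest: str = ASSUMED_LATEST) -> bool:
    return version_tuple(installed) < version_tuple(latest)


# Generic injection heuristics (assumed for illustration, not campaign-specific).
INJECTION_PATTERNS = {
    # PHP that decodes and executes a hidden payload
    "php_eval_obfuscated": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # iframes hidden by style or sized to a single pixel (or zero)
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none|"
        r"width\s*=\s*[\"']?[01](?!\d)|height\s*=\s*[\"']?[01](?!\d))[^>]*>",
        re.I | re.S),
    # JavaScript that builds its real content at run time
    "js_runtime_decode": re.compile(
        r"document\.write\s*\(\s*unescape\s*\(|String\.fromCharCode\s*\(\s*\d+\s*,", re.I),
}


def find_injections(content: str) -> List[str]:
    """Return the names of every heuristic that matches the given file text."""
    return [name for name, rx in INJECTION_PATTERNS.items() if rx.search(content)]


def audit(files: Dict[str, str]) -> Dict:
    """files maps a path relative to the site root to that file's text."""
    version = parse_wp_version(files.get("wp-includes/version.php", ""))
    findings = {}
    for path, content in files.items():
        hits = find_injections(content)
        if hits:
            findings[path] = hits
    return {
        "wp_version": version,
        "outdated": is_outdated(version) if version else None,
        "findings": findings,
    }


# Constructed sample site: an old core version plus one theme file with injected PHP.
SAMPLE_SITE = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.2.1';\n",
    "wp-content/themes/twentyeleven/header.php": "<?php wp_head(); ?>\n<body>\n",
    "wp-content/themes/twentyeleven/footer.php":
        "<?php wp_footer(); ?>\n"
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"   # constructed injection
        "</body></html>\n",
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_SITE), indent=2))
```

On a real install, replace `SAMPLE_SITE` with a walk over the document root that reads each `.php`, `.js` and `.html` file; the heuristics will produce the occasional false positive on legitimate themes, so treat a hit as a prompt to inspect the file, and treat any hit in a core file as a strong signal, since core files should never contain `eval(base64_decode(`.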
Home computer users also need to keep their systems updated, and not just through the automatic Windows updates: web browsers and plugins need updating too. This most recent attack exploited Java, but others have taken advantage of holes in the Adobe Flash or PDF plugins. The safest way to get the current version of those is to visit Adobe’s website and download it directly. Windows users can download Java from Oracle’s site (Mac users get it automatically through Apple’s software update). Firefox and Google Chrome generally update themselves, but the update only takes effect after the browser is quit and reopened.
Windows users should also make sure up-to-date virus scanning software is installed on their machines. If price is an issue, Microsoft offers a free product called Security Essentials that is a reasonable choice alongside the commercial packages. Remember, though, that no scanner is a substitute for the updates above: this rootkit is built to hide from scanners once it is in.
While this particular malware targeted Windows computers (as most does), Mac users shouldn’t let their guard down. Until a December security update from Apple, Macs were vulnerable to the same kind of attack; they were spared this time only because the payload being delivered was a Windows virus.
An ounce of prevention can go a long way. When your computer tells you it’s time to update, do it immediately.