When customers ask "How did I get this virus?" ... how to answer?

happycomputers

I do mostly residential and small business IT consulting/service/repair. Of course, virus removal is a big part of my job. A question always comes up after an in-home or in-office virus removal: "Ok, how did I get this problem in the first place, so that I can avoid it happening again?" I explain how deceiving advertisements/messages can trick them into installing malware, how/why their friends would unknowingly email links to them that are harmful, and how important it is to keep various software up to date (Reader, Windows, Flash, Java, antivirus). But that STILL doesn't answer the question, HOW they got it... that seems to be what everyone cares about first -- to explain preventing it is kind of dodging the question...

So in a typical virus removal, everything generates reports: Combofix, HJT, and MBAM reports can be looked at, but nothing but rough timestamps can be ascertained from these reports, and those can be misleading.

So how do all of you actually answer the question "How did I get this virus?"

Thanks in advance
 
I explain it to my clients this way

Determining exactly how and where they picked up this particular virus would be a time-consuming (and therefore expensive) task of combing through system logs, browsing and histories, and the like. And then, even if I could find exactly how they got infected, it doesn't provide much useful information on how to avoid it in the future. I then outline the typical risk factors (downloading illegal software and the like, adult websites, random Facebook apps) and how to mitigate them.

Also, I check to see if their anti-virus/anti-malware protection is adequate. If not, I suggest they buy my recommended solutions, being careful to emphasize that no anti-virus is 100% perfect.
 
I spend a lot of time not just explaining the sources of the viruses (which seem to be more frequent on Facebook and music sharing sites than XXX sites) but getting them to understand that this is a business for the virus writers, and where there's money there are talented people making that money writing viruses.

Couple this with Microsoft's monopoly making them slow and not very motivated to quickly fix security holes in both Windows OS and Internet Explorer and the fact that consumers and small business ignore updates.

I am putting together some infographics and other info that I will post to my web site to help explain this to people and make them more aware. The antivirus software is not that great; paid or free, none is 100% effective.

I always remind them that being careful where they click is the safest bet. If they see an ad on a web site that says your computer is infected or free scan, SURF THE OTHER WAY..LOL
 
> Determining exactly how and where they picked up this particular virus would be a time-consuming (and therefore expensive) task of combing through system logs, browsing and histories, and the like. And then, even if I could find exactly how they got infected, it doesn't provide much useful information on how to avoid it in the future. I then outline the typical risk factors (downloading illegal software and the like, adult websites, random Facebook apps) and how to mitigate them.
>
> Also, I check to see if their anti-virus/anti-malware protection is adequate. If not, I suggest they buy my recommended solutions, being careful to emphasize that no anti-virus is 100% perfect.

For first-time virus removal customers I don't bother doing any investigative work unless they specifically request it. But for repeat customers, I'll take some time to review the logs.

Usually the likely source can be identified without too much trouble. And it rarely turns out to be adult sites or email attachments, etc. They nearly always come from innocent but compromised mainstream websites and/or advertising. If not from those, then from file sharing.

And you're right - knowing how/where they got infected really makes no difference. You can't tell people to stay off MSN or Facebook. And big sites like those figure out quickly that there's a problem and clean themselves up. Until they get infected again.
 
> Usually the likely source can be identified without too much trouble. And it rarely turns out to be adult sites or email attachments, etc. They nearly always come from innocent but compromised mainstream websites and/or advertising. If not from those, then from file sharing.

The last one I bothered to look up came from a GIS on "Medieval bridal dresses". The very next site after that was a fake AV site. Very innocent surfing.

(Using IEHV on the link provided above)
 
A lot of times they'll tell me what happened: they opened such-and-such an email or fell for a pop up and installed something. But if they do ask, I tell them it's difficult to tell exactly where it came from and that it is important to be careful what emails they open and links they click. That is usually sufficient, especially when it happened late at night and the other spouse was sleeping :D
 
Believe it or not, I still have repeat customers that keep coming back with viruses and malware that ALSO keep putting (or allowing) Limewire on the PC. Limewire, web games, add-ons, toolbars galore. They don't listen to me, and just keep bringin' 'em back. Fine with me. $$$:D
 
The majority of mine seem to be rogueware. I had one client, the only website he ever went to was cbssports.com to play fantasy football (verified by checking history logs). Since then, I tell my clients that legit websites can and do get hacked. Even though a large site finds and fixes the problem quickly, usually within 8 - 10 hours, a million people can get hit in that time.

I also do the routine about having them make sure their anti-virus is up to date, and caution them that no anti-virus/anti-malware product is 100%.
 
> And it rarely turns out to be adult sites or email attachments, etc. They nearly always come from innocent but compromised mainstream websites and/or advertising.

Up until Christmas just gone I took little notice of where customers acquired their infections. Then, around the 21/12, I had an elderly NUN :eek: come in with a virus. She was adamant that she only used the computer for email and ordering books and supplies. "Yeah right," sez I, but I was well wrong. (I had visions of her downloading pirated copies of Songs of Praise ;) ) She had gotten infected from a compromised banner ad on the website of a religious bookseller here in Ireland (Veritas in Dublin, for the Irish guys). Not only could I see it, the banner was still up 4 days after her initial infection and I could infect a VM from it with no problem. Whatever ad network their developer was using had been compromised. AFAIK, it was the same network that was responsible for the Autotrader issue in the UK/Ireland a couple of weeks ago.

Lesson - drop your assumptions.

Tracing the infection was really easy, BTW. I just got the earliest timestamp from an infected file, matched that to her browsing history (IE History Viewer - thanks Nirsoft), and then, using a VM, went to the URL in question (a fake browser warning/redirector) and tracked back through her history from there.
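The timestamp-to-history correlation described in the post above, written out as an added example (it is not code from any poster, nor part of the Nirsoft tools mentioned): take the earliest timestamp among the files the scanner flagged, pull every history entry in a short window before that moment, and collapse the visits into an ordered chain of hostnames. The flagged-file list, the history export format and the hostnames (all under `.example`) are constructed for the demonstration; a real run would read the scanner report and the history viewer's export instead.

```python
"""Correlate the earliest scanner-flagged file with browser history.

Added example for this thread, not any poster's code. Sample data below is
constructed; hostnames are placeholders under .example.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed: (path, timestamp) of files a scanner flagged, in no particular order.
FLAGGED_FILES = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\setup_av2011.exe", "2010-12-21 15:42:10"),
    ("C:\\Users\\user\\AppData\\Roaming\\xyz\\svc.exe", "2010-12-21 15:42:55"),
    ("C:\\Users\\user\\AppData\\Local\\Temp\\dropper.tmp", "2010-12-21 15:41:58"),
]

# Constructed: (timestamp, url) rows as a history viewer might export them.
BROWSING_HISTORY = [
    ("2010-12-21 15:30:02", "http://bookshop.example/home"),
    ("2010-12-21 15:35:40", "http://bookshop.example/catalogue"),
    ("2010-12-21 15:41:20", "http://ads.example/banner?id=123"),
    ("2010-12-21 15:41:31", "http://redirect.example/warning.html"),
    ("2010-12-21 15:41:50", "http://fakeav.example/scan.php"),
    ("2010-12-21 16:10:00", "http://mail.example/inbox"),
]


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def earliest_flagged(files):
    """Return (path, datetime) of the flagged file with the earliest timestamp.

    This is the pivot: the machine was compromised no later than this moment.
    """
    path, ts = min(files, key=lambda f: parse_ts(f[1]))
    return path, parse_ts(ts)


def history_before(history, pivot, window_minutes=10):
    """History rows visited within `window_minutes` before the pivot, oldest first.

    Keep the window narrow so the candidate list stays short; widen it if the
    file timestamps are coarse. File times can be wrong or reset, so treat the
    result as a lead to confirm (e.g. in a VM), not as proof.
    """
    start = pivot - timedelta(minutes=window_minutes)
    hits = [(parse_ts(ts), url) for ts, url in history
            if start <= parse_ts(ts) <= pivot]
    return sorted(hits)


def visit_chain(history, pivot, window_minutes=10):
    """Hostnames visited in the window, in order, consecutive duplicates collapsed.

    This is the chain the poster walked back through by hand: legitimate site,
    ad network, redirector, fake AV page.
    """
    chain = []
    for _, url in history_before(history, pivot, window_minutes):
        host = urlparse(url).hostname
        if not chain or chain[-1] != host:
            chain.append(host)
    return chain


def report(files=FLAGGED_FILES, history=BROWSING_HISTORY, window_minutes=10):
    """Plain-text summary suitable for showing the customer."""
    path, pivot = earliest_flagged(files)
    lines = [f"earliest flagged file: {path} at {pivot:%Y-%m-%d %H:%M:%S}"]
    for ts, url in history_before(history, pivot, window_minutes):
        lines.append(f"  {ts:%H:%M:%S}  {url}")
    lines.append("likely chain: " + " -> ".join(visit_chain(history, pivot, window_minutes)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With the constructed data the chain comes out as the bookseller, then the ad host, the redirector and the fake AV page, which is the same shape as the nun's infection described above: the first hostname in the chain is the innocent site, and the ad host is where to start asking questions.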
 
I usually tell the customer the following:

Viruses come from people who have the same intentions as teenagers breaking windows or spraying graffiti, or in some cases, financial gain. You can collect them from a number of places including email chain letter attachments and social networking, but most of all, careless web browsing and clicking.

Since it is so hard to 100% tell the customer where the virus came from, you have to present them with a "cover all the bases" approach; that way they are a little more informed on what to watch out for in the future.
 
I usually say something to the effect of "Today's malware doesn't need you to do anything except be connected to the internet..." I also let them know that Facebook and file sharing services are very risky, same with not updating Windows and other software like Java, Flash, QuickTime and what-not.

That usually satisfies the question and also opens a chance to sell anti-virus and anti-malware software.
 
What I do for most folks (if they don't already have it) is install Firefox with the Adblock Plus plugin. And I tell them how to use it. If the ads are blocked, they can't be clicked on :-) Cuts off one source of infection...
 