Here’s my story of what happened when I intentionally infected myself with malware. I did this because I wanted to see if the default controls on my system were sufficient to protect me from a recent threat. I think this goes without saying, but do not attempt to do what I’m about to do on your computer.
I purposely didn’t install any antivirus programs and disabled every security restraint I encountered. I set up a plain-vanilla Windows 8.1 machine and attempted to download and execute a malicious file.
Over the next few paragraphs you’ll see how that didn’t quite go the way I planned…
Let me back up for a second and give you some context.
Back in May, Erik Kay, Engineering Director for the Google Chrome project, announced that “extensions can be installed only if they’re hosted on the Chrome Web Store”.
Prior to that announcement, querulous customers had pointed out that many extensions were surreptitiously installing themselves without user consent. These extensions often debilitated the browser, besieging users with ads, altering homepages and making browsing glacial.
So Google started enforcing a new “store only” policy which meant if an unsavory extension attempted to install itself, it would get denied.
But being the inquisitive guy that I am, I wanted to test the claim. I wanted to verify that it actually held up and wasn’t just a spurious rumor or something silly like that.
So I went on a hunt for some viruses, but ironically, I found it surprisingly difficult to infect myself.
Eventually I stumbled upon an interesting article about a new promiscuous threat that had been adulterating the social media scene for a few days: something about Facebook Secrets.
“Ah ha!”, I mused to myself, “I’ve found my malware!”
According to Sylvia Lascano, Fraud Analyst for Trend Micro, there was a virulent slither of software sleeping around Twitter under the guise of Facebook Secrets.
When Lascano’s research team clicked the Facebook Secrets link, Chrome instantly downloaded a file called download-video.exe which, when executed, inserted a fake flash player extension in Chrome.
The specious extension bears a close resemblance to legitimate Adobe extensions; however, it’s a complete fraud and will wreck your browsing experience. This is one of the cardinal reasons why I suggest only downloading Adobe Flash directly from adobe.com; there are simply too many duplicitous frauds in the wild to discern the good guys from the impostors.
Campaigns like this are a sore reminder that it’s imperative that we pay attention to what we click. Unscrupulous hackers will continue to bait credulous users in an attempt to steal private data.
In this case, download-video.exe circumvented Chrome’s store-only policy by creating a new directory of its own to work out its dirty deeds instead of going through the Web Store. Fortunately the impact of this particular malware seems relatively benign. To the best of my knowledge, it just redirects HTTP requests destined for facebook.com or twitter.com to an ostensibly harmless Turkish website. But the takeaway here is that the malware authors could easily have implemented something more odious: anything positioned to redirect your requests to facebook.com is equally positioned to read or alter them. Just because they didn’t do something spectacular like wipe your hard drive doesn’t mean it’s impossible.
Getting sick on purpose
So let’s take a look at the link.
The malicious link was actually shared by a user with almost 400,000 followers and it had almost 1,000 re-tweets.
I don’t know who this Hammad Hasan guy is, but his tweets look pretty fishy…
I find this new way of proliferating malware interesting, because a credulous person might find the social proof convincing:
Wow, I want to learn about Facebook Secrets. I don’t know who this guy is but 400,000 people already follow him so he seems like an authority. And look, the link was retweeted almost 1,000 times. I don’t want to miss out on this one.
It’s the bandwagon fallacy. You can clearly see that most people are jumping on board, so you feel like you should jump on too.
But you would be making a grave error. In this case, you would be jumping on a sinking ship into shark infested waters…
When I clicked the link it opened another page in a new tab with the suspicious link simply titled download_video.exe.
This is obviously the first clue that there’s a problem. You should never download a file ending in .exe from an untrusted source. In fact, I would go a step further and say you shouldn’t download one even from a trusted source! Malware often compromises someone in your address book and then propagates by sending itself to that person’s list of trusted contacts, so the sender being a friend proves nothing. Bear in mind too that .exe isn’t the only extension Windows will run on a double-click (.scr, .com, .bat, .cmd, .msi and .js among others), and that Windows hides known file extensions by default, so a file displayed as video.mp4 may really be video.mp4.exe.
Unless you’re a software developer and you know what you’re doing, there’s absolutely no reason to download or run a file with a .EXE extension.
So I know I probably shouldn’t click this but let’s see what happens…
Ah yes, Chrome blocked it! Good Chrome. My only choice is to click Dismiss, which stymies the executable from wreaking havoc on my computer.
Persisting in getting infected
Now, at this point most people would stop and avoid the file but I wanted to see what would happen if I inexorably pressed forward.
I seriously don’t recommend doing this. That’s why I’m not going to share exactly how I intentionally infected myself, but I do want to show you what could happen to you. I ran these tests in a controlled lab environment and had to find a workaround to force Chrome to let me run the malicious file.
Now it’s time to run it.
Double clicky time…
Now even though I didn’t install any antivirus programs on this test machine, Windows still protected me.
There’s a built-in security feature called SmartScreen that automatically blocks suspicious software, such as applications known to be malicious or applications from unknown publishers. It does this by checking the downloaded file’s hash and signature against Microsoft’s reputation service rather than by scanning its contents, which is why a brand-new unsigned binary gets a warning even before any antivirus signature exists for it.
This was a welcome surprise and gave me more confidence in the default security settings in Windows. Windows certainly has its foibles, but at least it’s somewhat cumbersome to purposely infect yourself.
So let’s continue. I clicked Run anyway and then waited for my PC to explode.
But it never exploded.
In fact, after about 2 minutes Windows Defender suddenly leaped onto the screen, valiantly guarding me from this particular malware threat. I was actually pleasantly surprised to see it had been silently running in the background the entire time. I never explicitly enabled Windows Defender, but it looks like it’s enabled out of the box. Smart move, Microsoft.
Incidentally, I realize Windows Defender isn’t that great, but it’s better than nothing, and today it proved itself a decent defender against a mild threat.
After deliberately disabling Windows Defender I attempted to run the malware again.
That’s when I was greeted with the following request:
An app on your PC needs the following Windows feature:
.NET Framework 3.5 (includes .NET 2.0 and 3.0)
Alright, let’s see how deep this rabbit hole goes…
I was tempted to cancel but I continued and eventually was prompted to reboot.
After rebooting, logging in and firing up Chrome, I decided to use my computer for a few minutes and note any anomalies.
Everything seemed fine.
- So I poked around the extensions settings in Chrome…
- Explored the extensions folder…
- And went to a few websites…
But everything still seemed good.
So what’s my point? Just because your computer isn’t manifesting the usual signs of infection doesn’t mean it isn’t infected.
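As an added example (not code from the original post), here is a script that does the “explored the extensions folder” step systematically instead of by eye. It assumes Chrome’s standard on-disk layout, <profile>/Extensions/<id>/<version>/manifest.json, plus two conventions Chrome uses: extensions installed from the Web Store carry the update_url https://clients2.google.com/service/update2/crx, and an extension’s id is derived from its public key (the first 32 hex characters of the SHA-256 of the DER key, with 0-f mapped to a-p), so when a manifest carries a key field the directory name can be checked against it. The Flash-name check is a heuristic suggested by the fake Flash player in this post, not a Chrome rule, and the sample profile the script builds is constructed test data. On Windows 8.1 the real directory is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions.

```python
"""Audit a Chrome profile's Extensions directory for side-loaded or suspicious extensions.

Added example, not code from the original post. Assumes the on-disk layout
<profile>/Extensions/<32-char id>/<version>/manifest.json.
"""
import base64
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Every extension installed from the Chrome Web Store carries this update_url.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Extension ids are 32 characters drawn from a-p (hex digits 0-f mapped to a-p).
ID_RE = re.compile(r"^[a-p]{32}$")
# Heuristic only (an assumption for this example): the post describes a fake
# "Flash player" extension, so anything claiming to be Flash gets a closer look.
SUSPICIOUS_NAME_RE = re.compile(r"flash", re.IGNORECASE)


def extension_id_from_key(key_b64):
    """Derive the id Chrome assigns to an extension from its base64 DER public key."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).hexdigest()[:32]
    return "".join(chr(ord("a") + int(h, 16)) for h in digest)


def audit_extensions(extensions_dir):
    """Return a list of {id, version, reasons} for every extension that looks off."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        ext_id = version_dir.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"id": ext_id, "version": version_dir.name,
                             "reasons": [f"unreadable manifest: {exc}"]})
            continue
        reasons = []
        if not ID_RE.match(ext_id):
            reasons.append(f"directory name {ext_id!r} is not a valid extension id")
        update_url = manifest.get("update_url")
        if update_url != WEBSTORE_UPDATE_URL:
            reasons.append(f"update_url {update_url!r} is not the Chrome Web Store")
        key = manifest.get("key")
        if key and ID_RE.match(ext_id) and extension_id_from_key(key) != ext_id:
            reasons.append("directory id does not match the id derived from the manifest key")
        name = manifest.get("name", "")
        if SUSPICIOUS_NAME_RE.search(name):
            reasons.append(f"name {name!r} claims to be Flash; verify it against adobe.com")
        if reasons:
            findings.append({"id": ext_id, "version": version_dir.name, "reasons": reasons})
    return findings


def build_sample_profile():
    """Construct a throwaway Extensions directory (sample data, not a real profile)
    holding one store-like extension and one that mimics the post's fake Flash player."""
    root = Path(tempfile.mkdtemp(prefix="chrome-ext-audit-"))
    key = base64.b64encode(b"not a real DER key, just sample bytes").decode()
    good_id = extension_id_from_key(key)
    good = root / good_id / "1.0.0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "name": "Example Store Extension", "version": "1.0.0",
        "manifest_version": 2, "update_url": WEBSTORE_UPDATE_URL, "key": key}))
    # Valid-looking id, but it does not match the key, there is no store
    # update_url, and the name impersonates Flash: three separate red flags.
    bad = root / "abcdefghijklmnopabcdefghijklmnop" / "11.2.0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "Adobe Flash Player", "version": "11.2.0",
        "manifest_version": 2, "key": key}))
    return root


if __name__ == "__main__":
    for finding in audit_extensions(build_sample_profile()):
        print(finding["id"], finding["version"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

One caveat: this walk only sees what sits under the profile’s Extensions folder. The malware in this post created its own directory, and an extension loaded from a path outside that folder would not show up here, so compare the script’s output against chrome://extensions as well and treat anything listed there but absent on this walk as worth a closer look.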
The Bottom Line
We often don’t realize that some species of malware can lie dormant for days while others are more overt and will cripple your computer immediately. The real issue is that we need to always be cognizant of the links we click. Furthermore, we need to be vigilant in our fight against malware by installing antivirus software and making sure it’s kept up to date.
To Google’s credit, Chrome blocked the download. To Microsoft’s credit, SmartScreen blocked the executable from running, and even when I forced it to run, Windows Defender prudently scanned it and stopped the threat in its tracks.
This is known as defense in depth: there are multiple independent layers of protection in place, and every one of them has to fail before the malware gets to run.
Chrome is the outer crunchy shell. Inside that you have the Windows SmartScreen filter layer. And finally there’s the warm chewy center where Windows Defender lives. Only after all three layers have been cut through (in my case, deliberately switched off one by one) does the malware actually get to run.
Now, this doesn’t apply to all species of malware but in my case study with download_video.exe, the default layers erected by Chrome and Windows were effective in thwarting an infection. I really had to exert myself to make my computer sick.
Thankfully, Twitter eventually banned some of these malware links that were infecting users but it’s still up to us to make sure we stay safe online.
So what do you think about my little test? Please share your thoughts in the comments below!