How Malware & Ransomware Spreads - How your system gets infected
In this topic I will discuss the most common methods criminals use to target victims...home users, government agencies and business organizations. I take advantage of using hyperlinks whenever possible as it allows me to keep what I have written more concise since the hyperlink in most cases provides much more detailed information. The hyperlinks also serve as source materials since the information they contain is written by other experts in the field of security.
A brief note before proceeding...What is Malware? The term "malware" itself has become a general catch-all category (umbrella term) which encompasses many different types of malicious programs. Since there is no universal naming standard you will get a wide array of answers for the definition. Why is this? Each security vendor uses their own naming conventions to identify various types of ransomware / malware detections so it's sometimes difficult to determine exactly what has been detected or the nature of the threat/infection. Some vendors also add a modifier or additional information after the name that further describes what type of malware it is...all of which can be renamed at any given time. Again, since there are no universal naming standards, all this leads to confusion for the end user and for those attempting to provide assistance.
- For a more detailed explanation, see Understanding virus names and Naming Standards (Post #6).
Hackers and malware developers use a variety of methods, sophisticated techniques and attack vectors to target victims in order to spread their malicious programs, steal your personal information and/or compromise your computer. Criminals commonly rely heavily on social engineering and scams in an attempt to trick unsuspecting users so they can easily compromise and infect their devices. Cyber-criminals succeed because they take advantage of human weaknesses.
Fact: It has been proven time and again that the user is a more substantial factor (weakest link in the security chain) than the architecture of the operating system or installed protection software.
- Are Humans the Weakest Link in Cyber Security?
- Humans and Cybersecurity— The Weakest Link or the Best Defense
- Why Are Humans The Weakest Link In Cybersecurity?
- Studies prove once again that users are the weakest link in the security chain
Who writes malicious programs and Why? Hackers and malware writers come from different age groups, backgrounds, countries, education and skill levels...with varying motivations and intents. Most malware writers and cyber-criminals today treat it as a business venture for financial gain while "script kiddies" typically do it for the thrill and boosting a reputation as being a hacker among their peers. Below are a few articles which attempt to explain who these individuals are and why they do what they do.
- What hackers do: their motivations and their malware
- Motivations of Cyber Criminals
- Who Writes Malicious Programs and Why?
- Why do People Create Computer Viruses?
- Who is Making All This Malware — and Why?
- Who is behind ransomware attacks?
- The Psychology of Ransomware Attackers
Malware developers and attackers have been known to use spam emails, exploits, exploit kits, web exploits, malspam, malvertising campaigns, cryptojacking malware campaigns, fileless malware, non-malware attack, drive-by downloads, social engineering, downloading software cracks, activators for Windows & Office, targeting managed service providers (MSPs), exploiting remote monitoring and management (RMM) software and RDP bruteforce attacks.
- How malware penetrates systems
- What malware needs to thrive
- Anatomy of a drive-by download web attack
- How ransomware spreads: 9 most common infection methods
- Ransomware attacks - new techniques and more sophisticated business models
- Attack tools and techniques used by major ransomware families
In some cases, criminals may use legitimate software such as Process Hacker to help facilitate the spread of malware. Process Hacker is a program used for viewing, managing, and manipulating processes and their threads/modules. However, it is one of several tools which can be used (misused) by hackers and malware developers during the compromise of a computer system/network in order to spread various types of malware and ransomware. Table 4 (page 8) shows a list of legitimate and open-source tools used by threat actors.
- New DoppelPaymer Features and the Use of ProcessHacker
- Ransomware developers use tools like Process Hacker to identify active processes
- Legitimate Tools Weaponized for Ransomware
Many of the newer types of malware are designed to steal passwords and logins to banks, credit cards, board forums and similar other sensitive web sites before encrypting data as I explain in Section 8 Answers to common security questions - Best Practices (Post #1).
Attackers can use ransomware to download a password-stealer component that harvests all usable usernames and passwords from an infected system and sends that information to its Command and Control (C&C) server. The Qilin ransomware group uses a tactic that deploys a custom stealer to steal account credentials stored in the Google Chrome browser. FTCODE Ransomware has the ability to steal passwords from popular browsers such as Firefox, Chrome, Internet Explorer and Microsoft Outlook.
Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user who is not logged in to do just about anything, including resetting the passwords of other administrators.
Keep in mind that the severity of infection will vary from system to system, some causing more damage than others especially when dealing with rootkits. The longer malware remains on a computer, the more opportunity it has to download additional malicious files and/or install malicious extensions for Internet browsers which can worsen the infection so each case should be treated on an individual basis. Severity of system infection will also determine how the disinfection process goes.
Rogue security programs are one of the most common sources of malware infection. Created by criminals, these programs infect computers by using social engineering and scams to trick a victim into spending money to buy an application which claims to remove malware. Criminals use bogus warning messages and alerts to "indicate that your computer is infected with spyware or has critical errors" as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. It is not uncommon for malware writers to use the names of well known security tools and legitimate anti-virus programs as part of the name for bogus and fake software in order to trick people into using them. There were at least two rogues that used part of or all of the Malwarebytes name including this Fake and Bundled Malwarebytes Anti-Malware 2.0. There also were rogues for SmitfraudFixTool, VundoFixTool, Spybot Search and Destroy and many more. Even Microsoft has been targeted by attackers using such names as MS Anti-virus and Windows Defender in naming schemes for rogue applications.
Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:
Ransomware is a sophisticated form of extortion in which the attacker either locks the computer to prevent access and demands money (ransom) to unlock it, or encrypts personal information (data files) and then demands money in exchange for a decryption key that can be used to retrieve the encrypted files. In most cases the greatest challenge to recovering the encrypted data has been the process of breaking the code of how the data is scrambled so it can be deciphered. Some forms of Ransomware act like rogue security software, generating bogus infection alerts and warnings to scare their victims. Older versions of ransomware typically claim the victim has done something illegal with their computer and that they are being fined by a police or government agency for the violation.
The most common kinds of ransomware include:
- File encrypting ransomware which incorporates advanced encryption algorithms that are designed to encrypt data files and demand a ransom payment from the victim in order to decrypt their data. The first file encrypting ransomware variants used a symmetric-key algorithm but malware developers eventually upgraded to public keys before moving on to use a combination of symmetric and public.
- Locker ransomware which locks the victim out of the operating system so they cannot access their computer or its contents, including all files, personal data, photos, etc. Although the files are not actually encrypted, the cyber-criminals still demand a ransom to unlock the computer.
- Ranscam (fake ransomware scamming) is where the criminals use various scare tactics and threats to coerce victims into paying a ransom demand. Some criminals behind Ranscam just delete the victim's files since they had no intention of decrypting files after the ransom is paid, regardless of whether they were actually encrypted in the first place.
- Ransomware as a Service (RaaS) involves criminals renting access to a ransomware strain hosted anonymously by the ransomware author who offers it as a pay-for-use service. The author may handle all aspects of the attack (from distributing to collecting payments, restoring access) in return for a percentage of the ransom collected.
- Master Boot Record ransomware is a variation of Locker ransomware which denies access to the full system by attacking low-level structures on the disk essentially stopping the computer's boot process and displaying a ransom demand. Some variants will actually encrypt portions of the hard drive itself.
- Wiper/Eraser Ransomware is a class of malware that is designed to destroy files (overwrites data)...meaning the affected data is not recoverable...it is destroyed beyond repair.
As noted above, crypto malware (file encryptor ransomware) uses some form of encryption algorithms that prevents users from recovering files unless they pay a ransom or have backups of their data. Once the encryption of the data is complete, decryption is usually not feasible without contacting and paying the developer for a solution. Crypto malware typically encrypts any data file that the victim has access to since it generally runs in the context of the user that invokes the executable and does not need administrative rights. It typically will scan and encrypt whatever data files it finds on computers connected in the same network with a drive letter including removable drives, network shares, and even DropBox mappings...if there is a drive letter on your computer it will be scanned for data files and encrypt them.
US-CERT Alert (TA13-309A: Impact) has previously advised that many ransomware families have the ability to find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives (if connected) and even some cloud storage drives if they have a drive letter. Some ransomware will scan all of the drive letters that match certain file extensions and when it finds a match, it encrypts them. Other ransomware will use a white list of excluded folders and extensions that it will not encrypt. By using a white list, the ransomware will encrypt almost all non-system and non-executable related files that it finds.
- Anatomy of a Ransomware Attack
- Anatomy of a Linux Ransomware Attack
- Spotlight on Ransomware: How ransomware works
Crypto malware ransomware typically propagates itself as a Trojan, although Zcrypt was a self-replicating virus hybrid distributed via malicious email attachments that then spread through removable USB drives. WannaCry was a worm distributed via an email malspam campaign that spread by exploiting vulnerabilities in the Windows operating system.
The first known ransomware attack was in 1989 by the AIDS Trojan which spread via floppy discs containing malicious code that installed itself onto MS-DOS systems. Ransomware reemerged in 2005–2009 with the Archiveus Trojan and GPcode attacking the Windows operating systems. In 2005, the Archiveus Trojan was the first ransomware to use RSA and asymmetrically encrypt files. In 2009 the Vundo virus emerged followed by the WinLock trojan in 2010. In 2012 a type of scareware dubbed Reveton was introduced which displayed messages to its victims claiming that it was US law enforcement and that the user had been detected viewing illegal pornography.
- See my topic in a Brief History of Ransomware - Types of Operating systems affected (Post #19) for more detailed information on how ransomware has evolved.
Ransomware spreads via a variety of attack vectors including social engineering (trickery) and user interaction...opening a malicious email attachment (usually from spam or an unknown or unsolicited source), clicking on a malicious link within an email or on a social networking site, and scams. Crypto malware can be disguised as fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and other financial institutions, or phony FedEx and UPS notices with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Another method involves tricking unwitting users into opening Order Confirmation emails by asking them to confirm an online e-commerce order, purchase or package shipment. Social engineering has become one of the most prolific tactics for distribution of all types of malware, identity theft and fraud.
Many ransomwares will evade, circumvent and deactivate (disable) your anti-virus and security measures by design before encrypting data. Malware developers are very innovative. Modern ransomware often involves targeted attacks which makes it less detectable to antivirus and other security software since these threats avoid the usual detection methods. Ransomware developers can evade an antivirus by changing the code, encrypting it or modifying the signature string. Cybercriminals can also use other (multiple) techniques which an antivirus may not protect against such as phishing scams, fileless malware, obfuscated malware, polymorphic malware, malicious PowerShell scripts, DLL injection and even using a webcam to circumvent Endpoint Detection and Response (EDR). Once infected by ransomware, an antivirus will not restore your encrypted files.
- For more details about the limits of an anti-virus, see my comments in this topic (Post #4).
Attackers will use shortened malicious URLs to mask a malicious link, obfuscating the malicious destination, and malicious code (script) injection (i.e. JScript, JavaScript (.js) files). Another technique uses spam emails and social engineering to infect a system by enticing users to open an infected Word document with embedded macro viruses and convincing them to manually enable macros that allow the malicious code to run. Some victims have encountered crypto malware from ransomware executables, NW.js (node-webkit) packages that contain JavaScript code, spam containing attachments with zipped .js files, or following a previous infection from one of several botnets such as Zbot (frequently used in the cyber-criminal underground) which downloads and executes the ransomware as a secondary payload from infected websites. Nemucod is a well-known JavaScript malware family that arrives via spam email and downloads additional malware including ransomware variants.
- Spotlight on Ransomware: Common infection methods
- Cryptojacking Overtakes Ransomware, Malware-as-a-Service on the Rise
- Attack tools and techniques used by major ransomware families
- How ransomware spreads: 9 most common infection methods
- How ransomware attackers evade your organization’s security solutions
Threat Bulletin: Ransomware 2020 - State of Play
During the latter half of 2019 and early 2020, the BlackBerry Research and Intelligence Team observed cyber-criminal gangs utilizing advanced tactics to infiltrate and ultimately extort money from victims using several prominent ransomware families (e.g. Ryuk, Sodinokibi and Zeppelin), with a distinct shift from widespread, indiscriminate distribution to highly targeted campaigns often deployed via compromised Managed Security Service Providers (MSSPs).
- 2023 State of Ransomware Report
- The State of Ransomware in State and Local Government 2024
- 2025 State of Ransomware Report
Ransomware can also be delivered via malspam, malvertising campaigns, cryptojacking malware campaigns, downloading software cracks, pirated software, adware bundles, fake Windows updates, fake Microsoft Teams updates, fake/illegal activators for Windows & Office, targeting managed service providers (MSPs), exploiting Remote Monitoring and Management (RMM) software (or any remote assistance), fileless malware, non-malware attacks, posing as a folder on removable drives, drive-by downloads when visiting compromised web sites, exploits, and exploit kits.
An Exploit Kit is a malicious tool with pre-written code used by cyber criminals to exploit vulnerabilities (security holes) in outdated or insecure software applications and then execute malicious code. The Angler, RIG, Magnitude, Neutrino, and Nuclear exploit kits are among the most popular.
- Angler EK Drops CryptXXX via new Flash Exploit
- Angler exploit kit pushes new variant of ransomware
- Neutrino exploit kit delivered via script injection attacks drops CryptXXX
- CryptoWall 4.0 being distributed by Angler Exploit Kit as part of large Malware Campaign
- CryptoWall 4 being distributed as a NSIS installer through Exploit Kits
- Exploit Kit Infrastructure Activity Jumps 75 Percent
Another scenario involves hackers utilizing Remote Desktop Protocol (RDP), a very common brute force attack vector for servers, particularly among those involved with the development and spread of ransomware, since if enabled it allows connections from the outside. Attackers will use remote port scanning tools to scan enterprise computer systems, searching for RDP-enabled endpoints commonly used to log in from outside the workplace. When the attacker finds a vulnerable RDP-enabled endpoint they use a barrage of login attempts, guessing or brute-forcing the password. Attackers can also use phishing of a company employee to gain access and control of their machine, then use that access to brute-force RDP access from inside the network.
Kaspersky Lab reports that brute force attacks against RDP servers are on the rise. EclecticIQ researcher Arda Büyükkaya has reported ransomware gangs creating tools to automate firewall and VPN brute-force attacks.
Once the attacker gains administrative access remotely to a target computer they can create new user accounts or use a user who is not logged in to do just about anything. The attacker can use remote access tools to introduce and execute crypto malware, generate the encryption keys, encrypt data files and upload files back to themselves via the terminal services client. The attacker can steal unencrypted files from backup devices and servers before deploying the ransomware attack as explained here by Lawrence Abrams, site owner of Bleeping Computer.
IT admins and home users should close RDP if they don't use it. If they must use RDP, the best way to secure it is to only allow RDP from local traffic, whitelist IPs on a firewall, or not expose it to the Internet at all. Put RDP behind a firewall, set up a VPN to the firewall, use an RDP gateway, change the default RDP port (TCP 3389) and enforce strong password policies, especially on any admin accounts or those with RDP privileges. You may even want to consider using a host-based intrusion prevention system (HIPS). Brute force RDP attacks depend on your mistakes.
- Experience an RDP attack? It’s your fault, not Microsoft’s
- How Can You Prevent RDP Attacks?
- RDP hijacking attacks explained, and how to mitigate them
- RDP brute force attacks: 5 tips to keep your business safe
- Securing Remote Desktop (RDP) for System Administrator
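The detection side of the RDP brute-force scenario above, as an added example that is not part of the original post: it takes a simplified pipe-separated export of Windows Security logon events (constructed sample data, not real telemetry) and flags any source address that fails RDP logons in a burst, then notes whether a successful logon from the same address followed.

```python
"""Flag RDP password-guessing bursts in Windows Security logon events.

Added example; the log lines below are constructed, not real telemetry.
Each line mimics the fields a SIEM would export for Event ID 4625 (failed
logon) and 4624 (successful logon). LogonType 10 is RemoteInteractive (RDP).
Format assumed here: timestamp|event_id|logon_type|target_user|source_ip
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
# Note: with Network Level Authentication enabled, failed RDP attempts are
# commonly logged with LogonType 3 (Network) rather than 10; a production
# rule usually includes both. This sample keeps only type 10 for clarity.
RDP_LOGON_TYPES = {"10"}

# Constructed sample: one address sprays five accounts in seconds and then
# succeeds; a normal user mistypes once; a console logon has no source IP.
SAMPLE_EVENTS = """\
2024-05-01T02:00:01|4625|10|administrator|203.0.113.45
2024-05-01T02:00:02|4625|10|admin|203.0.113.45
2024-05-01T02:00:02|4625|10|root|203.0.113.45
2024-05-01T02:00:03|4625|10|user|203.0.113.45
2024-05-01T02:00:04|4625|10|backup|203.0.113.45
2024-05-01T02:00:05|4625|10|administrator|203.0.113.45
2024-05-01T02:00:07|4624|10|backup|203.0.113.45
2024-05-01T08:15:00|4625|10|jsmith|192.168.1.20
2024-05-01T08:15:40|4624|10|jsmith|192.168.1.20
2024-05-01T09:00:00|4625|2|jsmith|-
"""


def parse_events(text):
    """Parse the pipe-separated export into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, logon_type, user, ip = parts
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "ip": ip,
        })
    return events


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for every address that produced at least
    `threshold` failed RDP logons inside any sliding `window`.

    The summary records the peak failure count, the account names tried, and
    the account of a later successful RDP logon from the same address (None
    if none occurred). A success after a burst is the signal worth paging on.
    """
    recent = defaultdict(deque)  # ip -> (time, user) failures still inside window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES or ev["ip"] == "-":
            continue
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append((ev["time"], ev["user"]))
            while q and ev["time"] - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(
                    ip, {"failures": 0, "users": set(), "success_after": None})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(user for _, user in q)
        elif ev["event_id"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip]["success_after"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: {info['failures']} RDP failures, accounts tried: "
              f"{sorted(info['users'])}, later success as: {info['success_after']}")
```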
In addition to searching for devices with exposed RDP or weak passwords that can be exploited by brute-force attacks, criminals are also using that access to routinely search for and destroy backups or simply delete your backups.
- Ransomware’s Next Target: Backup Data
- Sophos: The Impact Of Compromised Backups On Ransomware Outcomes
- Ransomware Can Destroy Backups In Four Ways
- Ransomware Attacks Have Entered the Realm of the Insidious and Vile?
- Ransomware attacks shaking up threat landscape...routinely locate and destroy backups
Another common method to spread ransomware is by using pirated software, fake/illegal activators for Windows & Office and other cracked software. These programs are not only considered illegal activity in many countries but they are a serious security risk (unsafe practice) which can make your system susceptible to a smörgåsbord of malware infections including encryption of all your most valuable data, in many cases beyond recovery.
- GandCrab ransomware variant hides in software and game cracks
- Downloads of cracked software distribute ransomware via adware bundles
- Newer Djvu* variants are spread by downloading software cracks and adware bundles
- New Rumba STOP Ransomware Being Installed by Software Cracks
- Patcher Ransomware targets MacOS users on Torrent sites sharing activation cracks
- Pirated Software the future of ransomware attack
- 360 Discovered a New Ransomware Disguised as Windows Activator
- Be Careful of the KMSPico Activator – It could be a Ransomware!
There also have been reported cases where ransomware has spread via YouTube ads and on social media. See Section 6 for more information about this and the dangers of using social media.
- Ransomware Tops List of Social Media Security Threats
- Experts Warn of Mobile Ransomware Deluge on Social Media
RaaS (Ransomware as a Service) is a ransomware hosted on the TOR network that allows "affiliates" to generate a ransomware and distribute it any way they want. The RaaS developer will collect and validate payments, issue decrypters, and send ransom payments to the affiliate, keeping 20% of the collected ransoms.
Most security experts will advise against paying the ransom demands of the malware writers. I explain why in this topic (Post #17). There are also suggestions for the best defensive strategy to protect yourself from malware and ransomware (crypto malware) infection.
Note: For victims who are dealing with a NAS (Network Attached Storage) Linux-based device, the malware most likely infected a Windows-based machine and encrypted the NAS over the network. The criminals could also connect via Samba/SMB (Server Message Block) and run the malware from their system to encrypt files over the Internet, which is essentially the same as encrypting files over a network-mapped drive. Attackers have been known to exploit the SQL Injection Vulnerability in Multimedia Console and the Media Streaming Add-On and the Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync to execute the ransomware on vulnerable devices. Password cracking, OpenSSH vulnerabilities and the exploitation of other security vulnerabilities in software are common attack vectors.
- Vulnerabilities And Exploits On Synology & QNAP NAS
- Synology: Security Vulnerabilities
- Ransomware uses brute-force SSH attacks to infect Linux-based NAS servers
Up close and personal with Linux malware
Compared to Windows malware, Linux malware tends to be less obfuscated and easier to analyze. Obfuscation is often added to evade detection by security products. Since there are often no security products to bypass, the bar is lower and attackers skip this unnecessary step.
- Ransomware Targets: Windows vs. Linux
- Linux-Based Ransomware
- Linux Ransomware: Famous Attacks
- How to deal with ransomware on Linux (and MacOS)
- Anatomy of a Linux Ransomware Attack
Infections are spread by malware writers and attackers exploiting unpatched security holes or vulnerabilities in older versions of popular software such as Adobe, Java, Windows Media Player and the Windows operating system itself. Software applications are a favored target of malware writers who continue to exploit coding and design vulnerabilities with increasing aggressiveness.
- Kaspersky Lab report: Evaluating the threat level of software vulnerabilities
- Time to Update Your Adobe Reader
- Malware exploits Windows Media Player vulnerabilities
- Eight out of every 10 Web browsers are vulnerable to attack by exploits
Tools of the Trade: Exploit Kits
Exploit kits are a type of malicious toolkit used to exploit security holes found in software applications...for the purpose of spreading malware. These kits come with pre-written exploit code and target users running insecure or outdated software applications on their computers.
To help prevent this, install and use Secunia Personal Software Inspector (PSI), a free security tool designed to detect vulnerable and outdated programs/plug-ins which expose your computer to malware infection.
A large number of infections are contracted and spread by visiting gaming sites, porn sites, and using pirated software (warez), cracking tools, hacking tools and keygens, where visitors may encounter drive-by downloads through exploitation of a web browser or an operating system vulnerability. Security researchers looking at World of Warcraft and other online games have found attacks that exploit the system using online bots and rootkit-like techniques to evade detection in order to collect gamers' authentication information so the attackers can steal their accounts. Djvu (STOP) Ransomware has been found to spread by downloading software cracks and adware bundles.
Dangers of Gaming Sites:
The design of online game architecture creates an open door for hackers...[who] go where the pickings are easy -- where the crowds gather. ...security experts warn game players that they face a greater risk of attack playing games online because few protections exist....traditional firewall and antimalware software applications can't see any intrusions. Game players have no defenses...Online gaming sites are a major distribution vehicle for malware....
Dangers of Cracking & Keygen Sites:
Downloads of illegal software are frequently stuffed full of dangerous malware. A report by security company Cybereason estimates that over 500,000 machines have been infected by malware from just one cracked app....
- 5 Security Reasons Not to Download Cracked Software
- GandCrab ransomware variant hides in software and game cracks
- Downloads of cracked software distribute ransomware via adware bundles
- Newer Djvu* variants are spread by downloading software cracks and adware bundles
- The Legal and Security Perils of Using Cracks and Keygens
When you use these kind of programs, be forewarned that some of the most aggressive types of malware infections can be contracted and spread by visiting/using crack, keygen, warez and pirated software sites. In many cases, those sites are infested with a smörgåsbord of malware and an increasing source of system infection which can result in the encryption of all your most valuable data, in many cases beyond recovery. That means your personal data (documents, pictures, videos) may be lost forever.
Infections are spread by using torrent, peer-to-peer (P2P) and file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. In some cases the computer could be turned into a botnet node or zombie. File sharing networks are thoroughly infected and infested with malware according to a Senior Virus Analyst at Norman ASA. Malicious worms, backdoor Trojans, IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites.
- File sharing security risks you need to be aware of
- Risks of File-Sharing Technology
- File-Sharing Security: Emerging Risks and Ways to Help Mitigate Them
- Unveiling File Sharing Security Risks: What You Need to Know
Further, users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious flash ads (Malvertising) that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Hackers are also known to exploit Flash vulnerabilities which can lead to malware infection. When visiting a website that hosts an HTML page which requires a Flash script, users may encounter a malicious flash redirector or malicious script specifically written to exploit a vulnerability in the Flash Interpreter which causes it to execute automatically in order to infect a computer.
Social Media networking sites can be a breeding ground for spreading malware infection so they can be considered a significant security risk if you're not careful when visiting and using them. Even legitimate websites can be dangerous.
At least one in 10 suspicious-looking webpages studied by Google were indeed booby-trapped with malware...[the] research team found that 450,000 pages, out of a sample of 4.5 million dodgy pages that deserved a closer look, contained scripts to install malicious code...
- One in 10 webpages scrutinized by Google were laced with malware
- Bulk of browsers found to be at risk of attack
Cyber-criminals are very innovative and rely heavily on social engineering (trickery) to target users on social media sites. As such, Facebook, Twitter (X), MySpace, YouTube, etc. can all be a significant security risk, making you the victim of all sorts of criminal activity and your computer susceptible to a smörgåsbord of malware infections if you're not careful.
Security researchers have reported finding porn based malware on Facebook. The Koobface Worm has been found to attack both Facebook and MySpace users. NSFW malware (NodeStealer) was reported to target Facebook users. Virus Bulletin has reported MySpace attacked by worm, adware and phishing. Some MySpace user pages have been found carrying the dangerous polymorphic Virut file infector. Malware has been discovered on YouTube and it continues to have a problem with malware ads. MSN Messenger, AIM and other Instant Messaging programs are also prone to malware attacks.
- Social Media Threats: Facebook Malware, Twitter Phishing, and More
- Malware on Social Media: It’s Spreading
- Ransomware Tops List of Social Media Security Threats
- 80% of Businesses Lose to Ransomware via Social Media, Phishing
- Malware, scams and ransomware on social media
- What Is a Social Media Threat? + 10 Examples
- Social Media Malware is Deviant, Destructive
- Social media, the gateway for malware
Infections can spread when using a flash drive. In fact, one in every eight malware attacks occurs via a USB device. This type of infection usually involves malware that modifies/loads an autorun.inf (text-based configuration) file into the root folder of all drives (internal, external, removable) along with a malicious executable. Autorun.inf can be exploited to allow a malicious program to run automatically without the user knowing since it is a loading point for legitimate programs. When removable media such as a CD/DVD is inserted (mounted), autorun looks for autorun.inf and automatically executes the malicious file, which runs silently on your computer.
For flash drives and other USB storage, autorun.inf uses the Windows Explorer right-click context menu so that the standard "Open" or "Explore" command starts the file. Malware modifies the context menu (adds a new default command) and redirects to the malicious file when the "Open" command is used or the drive icon is double-clicked. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Keeping autorun enabled on USB and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. As such, many security experts recommend you disable Autorun as a method of prevention.
- When is AUTORUN.INF really an AUTORUN.INF?
- List of USB-Based Malware Attacks
- USB drive malware attacks spiking again in first half of 2023
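As an added example (not code from this post or from any of the linked articles), the following Python script parses an autorun.inf file and reports every directive that would run a program, which is exactly the mechanism described above: open= and shellexecute= launch a file when the drive is mounted, and shell\open\command= and shell\explore\command= rewire the Open and Explore verbs so that a double-click on the drive icon runs the file. Both sample files are constructed; the RECYCLER path and the placeholder executable name are made up for illustration.

```python
"""Report autorun.inf directives that would execute a file.

Added example, not the forum post's code. SAMPLE_AUTORUN and BENIGN_AUTORUN
are constructed; the RECYCLER\\...\\x.exe path is a placeholder."""

import re

# Directives that make Windows run a program when the drive is inserted or opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... rewires the drive's right-click verbs (Open, Explore).
VERB_COMMAND_RE = re.compile(r"^shell\\(?P<verb>[^\\=]+)\\command$")
# Folders worms liked to hide their payload in because users rarely browse them.
HIDING_FOLDERS = ("recycler", "$recycle.bin", "system volume information")

SAMPLE_AUTORUN = r"""[AutoRun]
open=RECYCLER\S-1-5-21-placeholder\x.exe
shell\open\command=RECYCLER\S-1-5-21-placeholder\x.exe
shell\explore\command=RECYCLER\S-1-5-21-placeholder\x.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Backup
"""

BENIGN_AUTORUN = "[autorun]\nicon=setup.ico\nlabel=Product CD\n"


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Tolerant on purpose: autorun.inf files dropped by worms often carry junk
    lines, odd casing and padding intended to confuse strict parsers."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def inspect_autorun(text):
    """Return one finding string per directive that would execute a file."""
    findings = []
    for key, value in parse_autorun(text):
        target = value.lstrip('"').lower()
        hidden = " (target sits in a folder users rarely browse)" if target.startswith(HIDING_FOLDERS) else ""
        verb = VERB_COMMAND_RE.match(key)
        if key in LAUNCH_KEYS:
            findings.append(f"{key}= runs '{value}' on insert or double-click{hidden}")
        elif verb:
            findings.append(f"context-menu verb '{verb.group('verb')}' rewired to run '{value}'{hidden}")
        elif key == "shell":
            findings.append(f"default verb set to '{value}', so a double-click follows that rewired entry")
    return findings


if __name__ == "__main__":
    for label, content in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(label, inspect_autorun(content) or ["nothing executable"])
```

Reading the file is safe because it is plain text; the point of the check is to know, before double-clicking a drive icon, whether Explorer's Open or Explore verbs have been rewired to run something. A benign autorun.inf that only sets an icon and a label produces no findings.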
Other types of infections spread by downloading malicious applets, through Clickjacking, or by visiting legitimate web sites that have been compromised through various hacking techniques (e.g. Cross-Site Scripting, Cross-Site Request Forgery) and are then used to host and deliver malware via malicious code, automated SQL Injection (injecting HTML code that loads a JavaScript redirector) and exploitation of browser/operating system vulnerabilities.
- Javascript and SQL Injections
- SQL Injection Overview
- Taxonomy of Online Security and Privacy Threats
- Malicious HTML Tags Embedded in Client Web Requests
- Rogue JavaScript code infecting Web sites
- Vulnerabilities Allow Attacker to Impersonate Any Website
- Threat and Vulnerability Mitigation: SQL Injection
...More than 90 percent of these webpages belong to legitimate sites that have been compromised through hacking techniques such as SQL Injection...Hackers are apparently planting viruses into websites instead of attaching them to email. Users without proper security in place get infected by simply clicking on these webpages.
- One webpage gets infected by virus every 5 seconds
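The "legitimate site carrying an injected loader" pattern described above is something a site owner can check for. The following Python scanner (an added example, not from this post or any of the linked articles) walks a page's HTML and reports script tags that load from hosts outside an allowlist, hidden or zero-size iframes, and inline scripts assembled with document.write, unescape or eval, which are the building blocks of the JavaScript redirectors mentioned above. The sample page and the host names under the reserved .invalid top-level domain are constructed.

```python
"""Flag injected script loaders and hidden iframes in a page's HTML.

Added example, not the forum post's code. SAMPLE_PAGE and the *.example.invalid
host names are constructed; the inline script decodes to harmless text."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Primitives typically used to assemble an obfuscated redirector at runtime.
OBFUSCATION_RE = re.compile(r"\b(document\.write|unescape|eval|String\.fromCharCode)\s*\(")

SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.invalid/lib.js"></script>
<script src="http://bad-host.example.invalid/r.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://bad-host.example.invalid/x.html" width="0" height="0"></iframe>
<script>document.write(unescape('%3Cb%3Eplaceholder%3C%2Fb%3E'));</script>
</body></html>"""


class LoaderScanner(HTMLParser):
    """Collect findings while the standard-library parser walks the page."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []
        self._in_inline_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                host = urlparse(src).hostname  # None for a relative (same-site) src
                if host and host not in self.trusted:
                    self.findings.append(f"script from untrusted host {host}")
            else:
                self._in_inline_script = True
                self._script_text = []
        elif tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            width, height = a.get("width"), a.get("height")
            if width in ("0", "1") or height in ("0", "1") \
                    or "display:none" in style or "visibility:hidden" in style:
                self.findings.append(f"hidden iframe to {a.get('src', '?')}")

    def handle_data(self, data):
        # The parser delivers <script> bodies as data, possibly in several chunks.
        if self._in_inline_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            text = "".join(self._script_text)
            hits = sorted({m.group(1) for m in OBFUSCATION_RE.finditer(text)})
            if hits:
                self.findings.append("inline script uses " + ", ".join(hits))


def scan_html(html, trusted_hosts):
    """Return the list of findings for one page; empty means nothing flagged."""
    scanner = LoaderScanner(trusted_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, {"cdn.example.invalid"}):
        print(finding)
```

The allowlist is the key input: a site owner knows which CDNs and analytics hosts the site legitimately loads, so anything else appearing in a script src is worth a look, and the same goes for an iframe sized 0x0, which has no purpose on a legitimate page.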
Phishing is an Internet scam that uses spoofed email and fraudulent Web sites which appear to come from or masquerade as legitimate sources. The fake emails and web sites are designed to fool respondents into disclosing sensitive personal or financial data which can then be used by criminals for financial or identity theft. The email directs the user to visit a web site where they are asked to "update" personal information such as passwords and user names and to provide credit card, social security and bank account numbers, information that the legitimate organization already has.
Spear Phishing is a highly targeted and coordinated phishing attack using spoofed email messages directed against employees or members within a certain company, government agency, organization, or group. These fraudulent emails and web sites, however, may also contain malicious code which can spread infection.
Pharming is a technique used to redirect as many users as possible from the legitimate commercial websites they intended to visit and lead them to fraudulent ones. The bogus sites, to which victims are redirected without their knowledge, will likely look the same as the genuine site. However, when users enter their login name and password, the information is captured by criminals. Pharming involves Trojans, worms, or other technology that attack the browser and can spread infection. When users type in a legitimate URL address, they are redirected to the criminal's web site. Another way to accomplish this scam is to attack or "poison the DNS" (domain name system) rather than individual machines. In this case, everyone who enters a valid URL will instead automatically be taken to the scammer's site.
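One way a Trojan pharms a single machine, a detail not spelled out above but a well-known local form of the redirect it describes, is to rewrite the hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts), which the resolver consults before it ever asks DNS. The following Python check (an added example, not from this post) parses a hosts file and reports public names pointed at non-local addresses, and also names on a watch list that have been pinned to 127.0.0.1 or 0.0.0.0, which is how some malware blocks security vendors' update servers. The hosts content and the domain names are constructed, and the 203.0.113.0/24 addresses come from the documentation range.

```python
"""Find hosts-file entries that redirect or block public names.

Added example, not the forum post's code. SAMPLE_HOSTS, the domain names and
the 203.0.113.x addresses (TEST-NET-3, reserved for documentation) are constructed."""

import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net        # typical ad-block style entry, not an attack
203.0.113.45    www.bank.example       # public name pointed at a non-local address
203.0.113.45    bank.example
0.0.0.0         update.securityvendor.example
"""


def parse_hosts(text):
    """Yield (line_number, ip_address, name) for every usable entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue   # not an address; ignore rather than crash on a malformed line
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def _watched(name, watched):
    """True if name is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def suspicious_hosts_entries(text, watched_domains=()):
    """Return (line, name, address, kind) tuples.

    kind is 'redirected' when a public name resolves to a non-local address
    (the pharming case) and 'blocked' when a watched name is pinned to
    loopback or 0.0.0.0 (the 'can't reach my AV vendor' case)."""
    watched = [d.lower() for d in watched_domains]
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Pinning a name to 127.0.0.1/0.0.0.0 blocks it; that is normal for
            # ad-block lists but not for a bank or a security vendor.
            if _watched(name, watched):
                findings.append((lineno, name, str(addr), "blocked"))
            continue
        findings.append((lineno, name, str(addr), "redirected"))
    return findings


if __name__ == "__main__":
    for f in suspicious_hosts_entries(SAMPLE_HOSTS, ["bank.example", "securityvendor.example"]):
        print(f)
```

Any "redirected" result on a home machine deserves attention, because there is rarely a legitimate reason for a public web site's name to be pinned to a specific address there; the "blocked" results are only reported for the watch list, since ad-blocking hosts files pin thousands of names to loopback on purpose.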
Tech Support Scamming through unsolicited phone calls, browser pop-ups and emails from "so-called Support Techs" advising "your computer is locked or infected with malware", "All Your Files Are Encrypted", "suspicious ransomware activity" and other fake "alert messages" has become an increasingly common scam tactic over the past several years. If you call the phone number (or they called you), scammers will talk their victims into allowing them remote control access of the computer so they can install a Remote Access Trojan in order to steal passwords and other sensitive personal information which could then be used to access bank accounts or steal a person's identity.
Tech Support scams have become so prolific that the FBI and other government agencies have released warnings to the public.
- Federal officials warn phone scams and scammers getting more sophisticated
- FBI warns of rise in costly technical support scams
- Phishing attacks are increasing and getting more sophisticated
Extortion/Sextortion Scamming is a tactic involving phishing emails / email spoofing sent to unsuspecting victims in which the criminals make various threats and demand money in exchange for not publishing, or sending to family, friends, coworkers and social media contacts, sensitive, personal, salacious or derogatory information (photos, videos) they claim to have collected about you. The scammers may claim they hacked your computer, know your password and have access to all social media accounts, email, chat history and contact lists. They may also claim to have had access to your webcam and have compromising photos or videos of you watching pornography on an adult web site or pleasuring yourself while watching porn.
- For more specific information about how these scams work, please read Beware of Phony Emails, Phone Calls, Tech Support Scams, Ranscams & Extortion/Sextortion Scams
Finally, backing up infected files can be a source of infection (or reinfection) if not performed properly. The safest practice is not to back up any high-risk executable files (.exe extension, screensavers (.scr), autorun (.inf) or script files (.php, .asp, .htm, .html, .xml)) because they could be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the executable files within them. Some types of malware may disguise themselves by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions.
- 50+ File Extensions That Are Potentially Dangerous on Windows
- How Hackers Can Disguise Malicious Programs With Fake File Extensions
- Why you should set your folder options to “show known file types”
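To make the file-name advice above mechanical, here is an added Python example (not from this post) that classifies a file name before it goes into a backup set: it rejects the high-risk extensions the paragraph lists, flags double extensions and names padded with spaces so the real extension scrolls out of view, rejects names containing a Unicode right-to-left override (a related trick that reverses the visible end of the name), and marks archives for manual review. The sample names are constructed.

```python
"""Classify file names for a backup set: accept, review or reject.

Added example, not the forum post's code. SAMPLE_FILES is constructed."""

import os

# Extensions the post treats as high-risk for backups (executables and scripts).
DANGEROUS_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js",
                  ".jse", ".wsf", ".hta", ".inf", ".php", ".asp", ".htm", ".html", ".xml"}
# Archives may hide executables inside them, so they get a manual look.
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Harmless-looking types that malware borrows for a fake inner extension.
DOCUMENT_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".doc",
                 ".docx", ".xls", ".xlsx", ".mp3", ".mp4"}
# Bidirectional override/embedding characters reverse how the end of a name is drawn.
BIDI_OVERRIDES = {"\u202e", "\u202d", "\u202a", "\u202b"}

SAMPLE_FILES = [
    "notes.txt",
    "photo.jpg",
    "setup.exe",
    "report.pdf.exe",                     # double extension
    "photo.jpg" + " " * 28 + ".scr",      # spaces push the real extension out of view
    "invoice\u202egpj.exe",               # right-to-left override, displays as invoiceexe.jpg
    "archive.zip",
    "index.html",
]


def classify_filename(name):
    """Return (verdict, reason); verdict is 'accept', 'review' or 'reject'."""
    if any(ch in name for ch in BIDI_OVERRIDES):
        return ("reject", "bidirectional override character hides the real extension")
    base, ext = os.path.splitext(name.lower())   # ext is always the LAST extension
    if ext in DANGEROUS_EXTS:
        padded = base != base.rstrip()
        inner = os.path.splitext(base.rstrip())[1]
        if inner in DOCUMENT_EXTS:
            if padded:
                return ("reject", f"{ext} file whose {inner} extension is pushed out of view with spaces")
            return ("reject", f"{ext} file with a double extension ({inner}{ext})")
        return ("reject", f"high-risk file type {ext}")
    if ext in ARCHIVE_EXTS:
        return ("review", f"archive {ext}: check the contents for executables before backing up")
    return ("accept", "")


def plan_backup(names):
    """Split a list of names into accept/review/reject buckets."""
    plan = {"accept": [], "review": [], "reject": []}
    for name in names:
        verdict, _ = classify_filename(name)
        plan[verdict].append(name)
    return plan


if __name__ == "__main__":
    for name in SAMPLE_FILES:
        verdict, reason = classify_filename(name)
        print(f"{verdict:7} {name!r:45} {reason}")
```

The check keys off the last extension because that is the one Windows uses to decide how to open the file; everything before it, including a convincing ".jpg" and any amount of padding, is just part of the name.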
Now that you know How malware spreads, you may want to read Best Practices for Safe Computing - Prevention which includes tips to protect yourself against malware and ransomware infection.
Author's Note: Some of the information in these topics is redundant but folks just viewing a single topic or two may not have read any of the others so I don't want them to miss out. The redundancy also reinforces the importance of the information provided in certain topics.
My thanks to Grinler (Lawrence Abrams), the site owner of Bleeping Computer who has been like a mentor since I joined BC. I also want to thank the forum staff, and the many malware removal/security experts I have learned from and worked with over the years...too many to name individually but many I now consider colleagues and friends. Without all of them I could not have written these topics to share with others.
Updated: 12/15/25
Edited by quietman7, 15 December 2025 - 05:06 PM.