For the most part, we all know what NOT to do when it comes to security best practices. We all know not to click on unsolicited links embedded in e-mail or IM. We all know not to open strange attachments or respond to suspicious or unfamiliar e-mails. And most people know that many, but certainly not all, of those surveys circulating around Facebook will probably send a worm or some other kind of infection to everyone on your contact list.
But what happens if, in a moment of weakness, we do click on a link despite all of our security acumen? What then?
Rick Popko in Fortinet’s marketing department found this out the hard way when he received a bogus e-mail from a “Byran Chacon” claiming that he had three unread LinkedIn messages.
“I thought to myself, 'I was just on LinkedIn and forgot to check if I had any messages in my inbox. I'll just take this shortcut to get back there,'” Rick said. “And then I clicked on the link.”
Big mistake. Rick realized too late that the link was bogus when it redirected him to a white browser screen. “I knew in an instant that I screwed up and shut my browser before the page could fully load,” he said.
Sure enough, when he reevaluated the URL embedded in the e-mail by placing his cursor over it, he could see that it was pointing to a different address than the text displayed. For all his security expertise, Rick had inadvertently become the victim of a redirect attack that had the potential to install malicious code on his computer.
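The check Rick did by hand, hovering over the link to compare the text he was shown with the address it really pointed to, can be applied to an inbound message before anyone clicks. What follows is an added Python example, not code from the post or from Fortinet. The sample message body, the hosts and the address in it, and the helper names are all constructed for illustration; the check also accepts a visible host that is a parent domain of the real one (text "linkedin.com" for a link to www.linkedin.com), which goes a little beyond the single case described above.

```python
"""Flag links in an HTML e-mail whose visible text names one host but whose
href actually leads to another (the mismatch a hover reveals).
Added example; the sample message is constructed, not a real phishing e-mail."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. 198.51.100.23 is a documentation-range address and
# example.net a reserved name; neither refers to a real site.
SAMPLE_EMAIL_HTML = """
<p>You have 3 unread messages.</p>
<a href="http://198.51.100.23/lnk/msg">https://www.linkedin.com/inbox</a>
<a href="https://www.linkedin.com/help">Help Center</a>
<a href="https://linkedin.com.example.net/login">linkedin.com</a>
<a href="https://www.linkedin.com/messaging/">www.linkedin.com/messaging</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host of a URL; link text without a scheme gets one added
    so that urlparse treats it as a URL rather than a path."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def looks_like_address(text):
    """Visible text that a reader would take for a web address."""
    return "." in text and " " not in text


def find_mismatched_links(html):
    """Return (href, visible_text) pairs where the text reads as an address
    but the href goes to a host that is neither that host nor a subdomain of it.
    Links with ordinary words as text ("Help Center") are not judged here."""
    parser = LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if not looks_like_address(text):
            continue
        shown, actual = host_of(text), host_of(href)
        if shown != actual and not actual.endswith("." + shown):
            mismatches.append((href, text))
    return mismatches


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {text!r} but points to {href!r}")
```

Run against the constructed body, the first link (a raw IP address dressed up as a LinkedIn inbox URL) and the third (a LinkedIn-looking name under a different parent domain) are reported; the help link and the messaging link are not, because their text and destination agree. Links whose text is a phrase rather than an address are left for the reader to judge, since there is nothing displayed to compare against.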
Wondering if other people have been just as easily tricked as he was, Rick created a poll on Fortinet's Facebook page and blog. Out of close to 50 respondents, more than half admitted they had been duped at least once into clicking on a URL that redirected them to an unexpected page.
Stop, Drop and Roll
Should you ever find yourself in Rick’s shoes, there are a few steps you can take in those critical and panicked moments between realization and actual infection.
If users realize what has happened before the redirect completes, they can forcibly terminate the browser. Those running Windows systems can use either Task Manager or Process Explorer to abruptly end the browser process. A safer approach, though, is to shut down the entire system, immediately disconnect the computer from the network, and then reboot the machine.
By disconnecting the computer from the Internet, either physically or logically, users reduce the risk of the browser retrieving and reloading the malicious page once it restarts, and also prevent any code already delivered to the machine from reaching its command and control server for further instructions. While offline, users can safely restart their Web browser and clear its cache so it does not try to reconnect to the malicious page.
In any case, whether the malicious Web page was thwarted or not, users will need to determine whether they actually are infected with malware, which can be done with an "offline" scan of the hard drive using any of a wide range of standard AV tools. Experts also contend that certain rootkit infections can hook the resident operating system and evade detection by scans run from within it, so the system appears clean when in fact it is not.
“It's best to scan using an offline utility, booting through something like a thumb drive or CD,” says Derek Manky, Fortinet senior security strategist. “Scanning your drive from a possibly corrupted system doesn't make much sense.”
Subsequent courses of action will also depend on the version of Windows being run. “This plays a significant role, as on later versions of Windows (e.g. Windows 7) anti-exploitation ‘generic’ measures (e.g. DEP, ASLR) reduce the exploits' effectiveness rate,” says Guillaume Lovet, senior manager at Fortinet's EMEA Research and Response Center.
And of course, users will also need to ensure that their browser and OS have the latest security patches and updates installed.
The results produced by the scan will then determine the next steps users can take to bolster their system's security and/or rid their machine of malware. If users do find themselves in the precarious situation of being infected with malware, there are a slew of security measures they can take to rid their systems of the threat and protect their machines from further damage.
But that's another story.