6

On a friend's computer is some kind of spam bot installed. It sends messages like

Hello:

I received my apple iPad 32GB ordered on an online shop (www.elevalley.com ) today. So exciting , it's genuine and as good as they promised ,but much cheaper than it is in our country .Glad to share this news with you . Cheers! May all goes well for you. Kind regards

via Yahoo. Only the web email interface is used, no desktop email program. A current virus scanner and Ad-Aware had been installed recently but they did not find anything.

I noticed that in Internet Explorer and Firefox the Yahoo Toolbar is installed. Checking out the extensions dialogue, Firefox said it had an old version of Yahoo Toolbar and that it cannot upgrade it to provide security fixes. After some Googling I found that:

  1. someone else had the same problem with a Yahoo account
  2. that version of Yahoo Toolbar (though another build date) has a known Buffer Overflow vulnerability

I removed Yahoo toolbar, installed Zone Alarm and Firefox 4. The question is: What to do?

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
Philip
  • 209
  • 2
  • 7

3 Answers3

4

First thing: change the Yahoo password. Since the scanners didn't come up with anything, most likely, the exploit grabbed the saved password from somewhere on the computer, and sent that password to its home server. The emails then aren't being sent from your friend's computer; they are just using your friend's password.

pkaeding
  • 1,034
  • 7
  • 12
  • Thank you, indeed the emails are send via the Yahoo account. The mail are still visible in the sent folder... – Philip Nov 22 '10 at 23:25
1

I recommend you take the following steps:

  1. Run a full anti-virus scan of the machine's hard disk. Your friend's machine might have been infected with malware. Use some reputable anti-virus software and ask it to perform a complete scan. Remove any malware detected.

  2. Update all the software. Run Windows Update. Update his browser. Download Secunia PSI and run it to detect other software that needs to be updated. Make sure all the software is fully up-to-date. This ensures that he has the proper security patches, so he is not hacked again. I encourage you to modify his system settings so Windows Update is set to automatically update, and same for other software he has installed (e.g., Java). You might also want to leave Secunia PSI installed and running on every boot, so that it notifies him if he needs to update his software.

  3. Change his Yahoo password. Malware on your friend's machine might have captured his Yahoo password, so change it to a new one that is hard to guess. He might also want to change his other passwords.

  4. Make sure his machine is regularly backed up. Set him up with some kind of solution to automatically and regularly back up his machine. Having backups is one of the best safeguards you can have against malware, because you know you'll always have the data in case you need to re-install your machine.

This is not perfect. It is not guaranteed to remove malware. Particularly pernicious malware might survive this. The only way to really guarantee that your machine is clean is to re-install the OS and all software from a known-good source; but that is more disruptive. For everyday purposes, a clean re-install is probably not needed -- the above will probably suffice for your purposes (though there are no guarantees, of course).

If your friend continues to experience problems, another simple alternative is to recommend he consider getting a Mac in the future.

D.W.
  • 98,860
  • 33
  • 271
  • 588
1

Well, it seems that your computer is not anymore under your control. Some attacker manages to send spam mail. Maybe he is also able to read your harddrive etc. However there is no good way to clean your system simply by deleting or changing some files. The best and only way to get rid is a fresh install. Maybe you want to read Help: I Got Hacked. Now What Do I Do? by Microsoft's Security Program Manager. He writes:

The only way to clean a compromised system is to flatten and rebuild. That’s right.

The next step is to change all passwords (not only the Yahoo! one), because the attacker could have read out any password. Your friend should choose safe passwords.

qbi
  • 1,611
  • 2
  • 14
  • 27
  • Thanks for your answer. Yes it's quite a risk, the passwords have been changed already. (And backups of important data has been done.) But I assume (hope) the attacker is just interested in sending Spam mails. I thought next time I'll be there. I might monitor the traffic with Wireshark on my Laptop and see if there is any suspicious traffic... – Philip Nov 22 '10 at 23:31