Deleted member 21043
Thread author
Hello everyone,
I wrote another thread here you may be interested in reading before proceeding to read this thread: http://malwaretips.com/threads/always-check-your-links.45370/
I am sure most of you here download new programs all the time from the internet. Which is why I have made this thread - to give you some tips you may carry out before allowing new programs you are unsure of or have not used before to run.
These are just SOME tips and do not necessarily add up to what is or could be malicious software, but they could relate to some of its traits.
1). Check for a digital signature
Not all legitimate software has a digital signature, and malicious software can also be digitally signed, but I still recommend you check whether the newly downloaded program is signed or not.
Not all legitimate software is digitally signed, most likely because signing doesn't come free. There is a price tag on getting your program signed.
To check if a program is digitally signed, check the following spoiler:
1). Find the program you want to use to check for a digital signature.
2). Right click > Properties
3). From the Properties window which will popup, navigate to the "Digital signatures" tab
4). If there is a digital signature, it will be listed. If there isn't even a tab for it, then the program is not signed.
HOWEVER, you must check the signature... Double click on the item in the box. For our case this is: "BitTorrent Inc ...." for the "Name of signer". You will get another window:
It was signed by Symantec, as we can see in that dialog (VeriSign is owned by Symantec). However, at the top of this dialog we can see it says "This digital signature is OK". If you see a negative warning about a digital signature, then don't be afraid to be curious and alert, as that's understandable and reasonable in that situation.
The Advanced tab of this window has more extensive information regarding the digital signature.
If you find a program bundled with an unsigned *.sys (driver) file, then I would be alert. It's possible it's legitimate but I would not personally trust it if I were you.
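As an added example (my own script, not something from the original post), here is a PowerShell function that does the same check as the "Digital signatures" tab for one file or for every *.exe, *.dll and *.sys under a downloaded folder, so the unsigned driver case above shows up without clicking through each file by hand. The download path in the usage lines is an assumption; point it at your own download.

```powershell
# Added example, not part of the original post. Reports Authenticode signature
# status for one file or for every *.exe/*.dll/*.sys under a folder.
# $Path is assumed to be something you just downloaded; adjust it to your case.
function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    $items = if (Test-Path -Path $Path -PathType Container) {
        Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys
    } else {
        Get-Item -Path $Path
    }

    foreach ($file in $items) {
        # Same data the "Digital signatures" tab shows: signer, issuer and whether it verifies.
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '(none)' }

        # Status values: Valid, NotSigned, HashMismatch (file changed after signing),
        # NotTrusted (chain does not end at a trusted root), UnknownError, ...
        $flag = ''
        if ($file.Extension -eq '.sys' -and $sig.Status -ne 'Valid') {
            $flag = 'DRIVER WITHOUT A VALID SIGNATURE'   # the case the post says to be alert about
        } elseif ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned') {
            $flag = 'SIGNATURE PRESENT BUT NOT OK'       # the "negative warning" case from the dialog
        }

        [pscustomobject]@{
            File   = $file.Name
            Status = $sig.Status
            Signer = $signer
            Issuer = $issuer
            Flag   = $flag
        }
    }
}

# Usage (assumed path): list everything, then only the flagged items.
Get-SignatureReport -Path 'C:\Users\you\Downloads\new-program' | Format-Table -AutoSize
Get-SignatureReport -Path 'C:\Users\you\Downloads\new-program' | Where-Object Flag | Format-Table -AutoSize
```

A "NotSigned" result on a plain *.exe is just the "no Digital signatures tab" case from the spoiler; the rows worth a closer look are the ones where a signature exists but does not verify, and any *.sys file that is not "Valid".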
2). Does the program require Administrator rights to function properly?
Of course you may not know this in some cases until you've actually run the program. However, does the program need Administrator rights to start? To check, see the following spoiler:
1). Locate the target program (I'll be using FRST (Farbar Recovery Scan Tool) as an example).
2). Check the icon. Does it have the UAC icon provided by Windows?
Of course some programs, such as installers, may not require Administrator rights to start with, but as you progress with the installation they will request them through the UAC alert.
If the program does not have a digital signature and requires Administrator rights to run, then this is a disadvantage. But it DOES NOT mean it's malicious software, because there are still legitimate programs in this situation (more than you think).
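Added example (mine, not from the post): the UAC shield on the icon comes from the application manifest that is compiled into the executable. This PowerShell function pulls the requested execution level straight out of that manifest, so you can see whether the program asks for Administrator rights before you run it. It assumes the manifest is stored as plain XML text inside the file, which is the normal case; a packed or compressed file may not show it, and the file path is an assumption.

```powershell
# Added example, not part of the original post. Reads the requested execution
# level from the application manifest embedded in a Windows executable.
# Assumption: the manifest is stored as plain (uncompressed) XML text in the
# file's resources, which is the normal case; a packed file may not expose it.
function Get-RequestedExecutionLevel {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::UTF8.GetString($bytes)

    # Looks for: <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
    $m = [regex]::Match($text, 'requestedExecutionLevel[^>]*?level\s*=\s*["''](?<level>[^"'']+)["'']')

    if (-not $m.Success) {
        # No manifest entry: Windows runs it "asInvoker" (no shield), unless its
        # installer-detection heuristics decide a name like setup.exe needs elevation.
        return [pscustomobject]@{
            File      = Split-Path -Path $Path -Leaf
            Level     = 'asInvoker (no requestedExecutionLevel in manifest)'
            UacPrompt = $false
        }
    }

    $level = $m.Groups['level'].Value
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        Level     = $level
        # requireAdministrator always prompts; highestAvailable prompts for admin accounts.
        UacPrompt = ($level -eq 'requireAdministrator' -or $level -eq 'highestAvailable')
    }
}

# Usage (assumed path):
Get-RequestedExecutionLevel -Path 'C:\Users\you\Downloads\new-program.exe'
```

This only tells you what the program asks for at start-up. An installer that starts as "asInvoker" and elevates later, as described above, will still prompt once the installation gets going.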
3). Where did the program come from?
If you just downloaded an Adobe Flash Update, make sure you know where it came from. Download from the official websites only. For example, if you need to download Photoshop, get it from Adobe, who provide it, not from a website found through a Google Search which is NOT Adobe.
If you need Google Chrome, get it from Google [http://www.google.com/chrome/], as another example.
If you download software from anywhere and not the original source, chances are you are more vulnerable to receiving Adware/PUP and/or malicious software without being aware until after executing it.
4). Check the copyright value
If you have downloaded a program which you know is not provided by a company like Microsoft, Adobe, Piriform, Yahoo, or a security vendor like Avast, and when you check the copyright entry it turns out the author has set the copyright value to the name of another brand, then you should be alert and suspicious.
Malware writers do indeed sometimes attempt to trick people through a false claim to the company name. This is where a Digital Signature is once again handy - does the digital signature fit with the copyright name claim on the file information?
If there is NO copyright information or it's been faked to seem like another legitimate and trusted vendor like Microsoft, then you should also be suspicious of this program.
Also check other information like the Product name value. This may also be left out, which is a suspicious sign.
Check the following spoiler to learn how to check the copyright of a program. In the spoiler, I actually use a malware sample as an example:
1). Locate the target program
2). Right click > Properties
3). Navigate to the "Details" tab.
4). Information is provided on this tab.
Haha, the file name was very interesting... Because it's definitely not suspicious...
Regardless, as we can see, the Copyright, Product name and File version have been left out and ignored.
I am sure legitimate software would have this filled in. Of course, malicious software can still have this information...
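Added example (mine, not the post's): the same fields as the "Details" tab read with PowerShell, plus the cross-check from point 4: does the company named in the file details match the company on the digital signature? The matching rule (the first word of the Company name must appear in the signer's CN) is my own rough heuristic, and $Path is whatever you downloaded.

```powershell
# Added example, not part of the original post. Reads the "Details" tab fields
# and compares the claimed company to the signer of the Authenticode signature.
function Compare-FileDetailsToSigner {
    param([Parameter(Mandatory)][string]$Path)

    $info = (Get-Item -Path $Path).VersionInfo      # same data as the Details tab
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Fields a legitimate vendor normally fills in; blanks are the sign described in the post.
    $missing = @('CompanyName', 'ProductName', 'FileVersion', 'LegalCopyright' |
        Where-Object { [string]::IsNullOrWhiteSpace($info.$_) })

    # Subject looks like "CN=BitTorrent Inc, O=BitTorrent Inc, L=..., C=US"; take the CN part.
    # (Assumption: no commas inside the CN itself; quoted CNs would need a real DN parser.)
    $signerCN = $null
    if ($sig.SignerCertificate) {
        $cnPart = ($sig.SignerCertificate.Subject -split ',\s*' |
            Where-Object { $_ -like 'CN=*' } | Select-Object -First 1)
        if ($cnPart) { $signerCN = $cnPart -replace '^CN=', '' }
    }

    # Rough heuristic: the first word of the claimed company ("Microsoft", "Adobe", ...)
    # should appear in the signer CN. A brand claim with no signature at all is also flagged.
    $claimedBrand = if ($info.CompanyName) { ($info.CompanyName.Trim() -split '\s+')[0] } else { $null }
    $mismatch = $false
    if ($claimedBrand) {
        if ($sig.Status -eq 'NotSigned') {
            $mismatch = $true
        } elseif ($signerCN -and $signerCN -notmatch [regex]::Escape($claimedBrand)) {
            $mismatch = $true
        }
    }

    [pscustomobject]@{
        File            = Split-Path -Path $Path -Leaf
        CompanyName     = $info.CompanyName
        ProductName     = $info.ProductName
        FileVersion     = $info.FileVersion
        LegalCopyright  = $info.LegalCopyright
        SignatureStatus = $sig.Status
        SignerCN        = $signerCN
        MissingDetails  = ($missing -join ', ')
        BrandMismatch   = $mismatch
        Suspicious      = ($missing.Count -gt 0) -or $mismatch
    }
}

# Usage (assumed path):
Compare-FileDetailsToSigner -Path 'C:\Users\you\Downloads\setup.exe' | Format-List
```

A "BrandMismatch" of True is the case the post describes: the details claim a well-known company, but nobody by that name signed the file. Treat it as a reason to look closer, not as proof on its own, since a small vendor may legitimately fill in a company name without paying for a signature.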
5). Check the program icon
This may sound like a very silly tip but seriously, I am not joking. Check the file icon.
If there is the default application icon and this is meant to be a good product like Photoshop, Adobe Flash Player, Google Chrome, Visual Studio, Skype, ... then surely it would have an icon set for it other than the standard application icon.
If it has a random name made of characters or is named after another product, is unrelated to ZIP/RAR archives and the icon is set to a glossy WinRAR icon, then this is suspicious (an example).
Of course some software may have the default icon, but... Most legitimate vendors who wish to succeed, set an icon related to their product!
6). Check for double extensions
If you find double extensions, then be alert. For example, is it trying to trick you into believing it's a ZIP when it's really an executable (*.exe)?
An example of a double extension:
As we can see, it has a ".zip" in it when it's really a ".exe" (executable). Spot this and it's a suspicious sign. The double extension may also be something else like *.png, *.jpg, *.jpeg, *.psd, *.dat, ...
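Added example (mine, not from the post): a PowerShell check for the double-extension trick. It lists every file under a folder whose name is "something.<document or archive extension>.<runnable extension>", and separately tells you whether Explorer is currently hiding known extensions, which is the setting that makes "photo.jpg.exe" show up as "photo.jpg". The folder path and the two extension lists are my own assumptions.

```powershell
# Added example, not part of the original post. Finds "double extension" names
# such as photo.jpg.exe under a folder and reports whether Explorer is hiding
# known extensions (the setting that makes such a name display as photo.jpg).
function Test-ExtensionsHidden {
    # HideFileExt = 1 (the Windows default) hides the final extension in Explorer.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $val = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    return ($val -eq 1)
}

function Find-DoubleExtension {
    param([Parameter(Mandatory)][string]$Folder)

    # What the name pretends to be (left) vs. what Windows will actually run (right).
    $decoy    = 'zip|rar|7z|pdf|doc|docx|xls|xlsx|txt|png|jpg|jpeg|gif|psd|dat|mp3|mp4'
    $runnable = 'exe|scr|com|pif|bat|cmd|vbs|vbe|js|jse|wsf|hta|msi|lnk'
    $pattern  = "\.($decoy)\.($runnable)$"     # -match is case-insensitive by default
    $hidden   = Test-ExtensionsHidden

    foreach ($f in Get-ChildItem -Path $Folder -File -Recurse) {
        if ($f.Name -match $pattern) {
            $shown = if ($hidden) { $f.BaseName } else { $f.Name }
            [pscustomobject]@{
                File       = $f.FullName
                LooksLike  = $Matches[1]   # extension the name is dressed up as
                ActualType = $Matches[2]   # extension Windows uses to decide how to open it
                Displayed  = $shown        # what Explorer shows you right now
            }
        }
    }
}

# Usage (assumed path):
Find-DoubleExtension -Folder 'C:\Users\you\Downloads' | Format-Table -AutoSize
if (Test-ExtensionsHidden) { 'Explorer is hiding known extensions; turn on "File name extensions" in the View tab.' }
```

Windows only cares about the last extension, so "report.pdf.exe" is an executable no matter how PDF-like the icon is; the "Displayed" column shows why the trick works when extensions are hidden.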
7). Check any bad history of the vendor
When you try out new software, it's probably best you know about the company providing it. Even a quick Google Search can help you.
Has anyone here heard of "Search Protect"? You really do not want this... Let's do a Google Search:
The results speak for themselves really. A trusted vendor, BitDefender, made a Removal Guide. It tells you everything you need to know: AVOID IT!
8). Check VirusTotal ratio
After downloading new software, you may wish to check the detection ratio with other vendors over at https://www.virustotal.com. This service is currently owned by Google.
One detection may not mean it's malicious software but potentially a false positive. Same applies for 2 detections. However, check which vendor is detecting it. I would say an example of a vendor to trust would be ESET, Kaspersky or Emsisoft (unless it's a BitDefender detection, of course then it has more chance of being a False Positive).
9). Sandbox/Virtualize it first
You may wish to sandbox it or run it in a Virtual Machine before trying it on your main system. This can help you stay safe, since if it does turn out to be malicious software/adware/PUP, you've managed to avoid it! You'd be a few clicks away from having it cleaned, as opposed to it persisting on your main machine.
10). File size
Have suspicions of the file size? Malicious software can typically be relatively small. However, so can legitimate software.
Virus samples may be very small. This may be because all they would need to do is infect one file. Then, after you open this file, the injected code executes the process of infecting another file, ... and then returns to usual execution. This means it can be a small sample and easily shared around but still be effective, because if you open up programs and they infect another one not already infected, it can spread all over your system very quickly, including to your system files, meaning when you boot up your system the infected system files may then infect another file and the process is continuous.
As a note: Adware/PUPs do tend to be digitally signed. However, they also tend to have the file details correctly filled in and also Administrator privileges (not always the case).
Write your recommendations and tips for people below. I cannot think of every good idea, hopefully someone can help me out and fill in some missed gaps.
I will leave the thread now with 10 points to start with, however I'll be back with a whole new set of tips before you know it.
Cheers.