Recognizing Computer Threats: Email

By Chris Williams

Promotional email

If you receive an unsolicited email that appears to come from a company you don’t recall signing up with, it is most likely spam or phishing. Since many retailers require double opt-ins now, it’s more difficult to get “accidentally” registered for an email subscription than it was a decade ago. Regardless, we recommend following up with the company in question just to be sure; our goal is to rule out the possibility that your email account was hacked (see previous posts on compromised email accounts for a primer on this topic).

When dealing with a potential phishing email do not use the URL, email address, or phone number provided within the suspicious communication; instead look up the company’s information via your preferred search engine, making sure you are on the company’s direct website (not a competitor, affiliate, or knock-off). If the message is a scam the contact info provided won’t usually point to the real entity—it will more likely take you to a fake site that will attempt to capture your credentials or trick you into installing malware.

Scenario: fake offer with malicious “unsubscribe” link

Tom signs into his Gmail account and reads the contents of his inbox. He sees a bunch of ads for games and T-shirts he’d like to have, along with an advertisement from a company he doesn’t remember doing business with: “”. Maybe someone registered his email address on their mailing list due to a typo? No problem: Tom simply clicks the Unsubscribe link at the bottom of the email message, expecting it to take him to a website where he can manage his “subscription”. There is only one problem: the email was actually a phishing scam, and the moment his browser navigated to the malicious URL (disguised as the Unsubscribe link, of course) it started a drive-by download that infected his system with malware. Antivirus warnings start flashing and the threat is neutralized—or is it?

What could Tom have done differently? For starters, he could have done a Google search on this company to make sure it’s even real. Sometimes phishing emails are convincing, sophisticated messages with official-looking logos (stolen from PayPal, Amazon, etc.); sometimes they are terrible hacks with bad grammar and poor punctuation. In the latter case, the companies being represented may or may not even exist.

Let’s discuss our hypothetical in a bit more detail:

If came up as a search result via a reliable search engine such as Google, at least Tom would know that the company isn’t totally fictitious. However, that doesn’t mean the communication itself is legit, so we must dig a bit deeper.

Both the web address and phone number for should be published online. Tom can simply navigate to their site (again, using a reliable search engine to locate it) and find whatever contact info he needs to verify his “subscription”. He can call, email, or see if they offer a way to manage email opt-outs directly on the site.

Let’s assume there is no email address or subscription management feature on the site. No problem! A phone call to customer service will suffice. We expect one of two scenarios to occur:

  • Tom calls and speaks to an agent, provides his information, and is told that his email address is not on file with

  • Tom calls and speaks to an agent, provides his information, and learns that he was in fact signed up for promo emails. He then unsubscribes, assuming at this point that it was due to a mistake (maybe his address is similar to another user’s—it’s pretty commonplace for that to occur).
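As an added example (not part of the original post), here is a check that automates the advice in this scenario: pull every link out of an HTML email body and flag those whose destination doesn’t match the address the reader is shown, or that lead somewhere other than the apparent sender’s own domain. The HTML body and the sender domain are constructed for the example; example.com and example.net are reserved documentation names.

```python
# Added example: flag links in an HTML email whose destination does not match
# what the reader sees.  Not the post author's tooling; all input is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a URL or a bare domain.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of an http(s) URL or bare domain; None for other schemes."""
    parsed = urlparse(value.strip())
    if not parsed.scheme:                      # bare domain such as www.example.com
        parsed = urlparse("http://" + value.strip())
    if parsed.scheme not in ("http", "https"):
        return None                            # mailto:, tel:, javascript: are out of scope
    return (parsed.hostname or "").lower()


def same_site(a, b):
    """Treat two hosts as the same site when their last two DNS labels agree."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def suspicious_links(html, sender_domain):
    """Return (text, href, reason) for links a reader should not trust blindly."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if target is None:
            continue
        if DOMAIN_RE.fullmatch(text):
            # The text shows an address, so it must point where it claims to.
            shown = host_of(text)
            if shown is not None and not same_site(shown, target):
                findings.append((text, href, "displayed address differs from destination"))
        elif not same_site(target, sender_domain.lower()):
            # Wording such as "Unsubscribe" hides the destination entirely.
            findings.append((text, href, "destination is not the sender's own domain"))
    return findings


# Constructed body of a promotional email claiming to come from example.com.
SAMPLE_HTML = """
<p>Great deals this week at <a href="https://shop.example.com/deals">shop.example.com</a>!</p>
<p>Questions? Visit <a href="https://www.example.com/help">www.example.com/help</a>.</p>
<p><a href="http://example.net/login">https://www.example.com/account</a></p>
<p><a href="mailto:promo@example.com">Email us</a></p>
<p><a href="http://cdn.example.net/track/1234">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in suspicious_links(SAMPLE_HTML, "example.com"):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample body, the check reports the third link (which shows an example.com address but goes to example.net) and the Unsubscribe link (which leaves the sender’s domain), while the two honest links and the mailto: link pass. The “same site” rule compares only the last two labels, so shop.example.com and www.example.com count as the same place.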

Malicious attachments

“What if there’s no URL in the body of the message? Perhaps the email just has a harmless little .zip file attached… no way that can be bad, right?”

Malicious attachments are one of the most insidious vectors used to infect victims with malware; within this category of threat, there are perhaps two major methodologies in widespread use: disguising the attachment’s file extension, and hiding the payload inside “real” data. An example of the former would be a malicious file masquerading as a .pdf file or Word document; an example of the latter would be a Macro-enabled Excel workbook that runs a malicious script when opened.

Fortunately, many email filtering systems can be configured to block attachments whose file extension doesn’t match the actual file type, and most systems can simply blacklist certain “high-risk” file extensions altogether. For instance, .zip attachments are often blocked entirely by anti-spam platforms because they are both prevalent in phishing campaigns and very effective: as long as the file containing the payload is still zipped, it will typically appear clean to antivirus software. There may be a window of time in which to scan the file and prevent infection, but this isn’t always the case.
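The kind of check a mail filter makes when it compares an attachment’s declared extension with what its first bytes say it is, and blocks extensions judged too risky to deliver, as an added example that is not the post’s or any product’s code. The signatures are the public magic numbers of the formats named; the attachment names and contents, and the choice of which extensions count as high-risk, are this example’s own.

```python
# Added example: attachment triage by magic bytes, extension blocklist and
# double-extension check.  Not the post author's tooling; inputs are constructed.

# (signature bytes, extensions whose content legitimately begins that way)
MAGIC = [
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "jar"}),  # ZIP containers
    (b"MZ", {"exe", "dll", "scr"}),                                            # Windows PE
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),      # legacy Office/OLE
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
]

# Policy choice for this example: executables and scripts, archives (the post
# notes .zip is often blocked outright) and macro-enabled Office formats.
HIGH_RISK = {"exe", "scr", "dll", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk",
             "jar", "zip", "iso", "docm", "xlsm"}

# Extensions a sender might place before the real one, e.g. photo.jpg.exe
LOOKS_HARMLESS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png"}


def content_type_from_magic(data):
    """Extensions consistent with the file's leading bytes, or None if unrecognised."""
    for signature, extensions in MAGIC:
        if data.startswith(signature):
            return extensions
    return None


def assess_attachment(filename, data):
    """Return ('allow' | 'block', [reasons]) for one attachment."""
    parts = filename.lower().rsplit(".", 2)     # keep at most the last two extensions
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in HIGH_RISK:
        reasons.append(f"high-risk extension .{ext}")
    if len(parts) == 3 and parts[1] in LOOKS_HARMLESS:
        reasons.append(f"double extension .{parts[1]}.{ext} hides the real type")
    expected = content_type_from_magic(data)
    if expected is not None and ext not in expected:
        reasons.append(f"content is {'/'.join(sorted(expected))} but named .{ext}")
    return ("block" if reasons else "allow", reasons)


# Constructed attachments: (name, first bytes as a mail gateway would see them)
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),      # an executable renamed to .pdf
    ("photo.jpg.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("archive.zip", b"PK\x03\x04\x14\x00\x00\x00"),
    ("Q3-forecast.xlsm", b"PK\x03\x04\x14\x00\x06\x00"),   # macro-enabled workbook
]


def triage(samples=SAMPLES):
    """Map each attachment name to its verdict and the reasons behind it."""
    return {name: assess_attachment(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, (verdict, reasons) in triage().items():
        print(f"{verdict:5} {name:18} {'; '.join(reasons)}")
```

Two of the six constructed attachments are allowed (a real PDF and a .docx, which is a ZIP container and so is expected to start with PK). The renamed executable is blocked on the magic-byte mismatch alone, the double-extension file on two grounds, and the .zip and macro-enabled workbook purely on policy, which is the trade-off the paragraph describes: the archive may be harmless, but the filter cannot see inside it.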

The takeaway

Spam and phishing emails are increasing in frequency and complexity as scammers become savvier. Unfortunately, a contributing factor in this increase is the fact that these scams successfully fool a lot of people; users who open links and attachments they should have avoided are a major vector for the spread of malware. Similarly, unsuspecting users can be led to bogus versions of real sites and voluntarily give up their personal and account info.

Some file extensions are more suspect than others, but all attached files should be treated as suspect unless you have reasonable assurances of their legitimacy.

For the sake of repetition: never click a link provided in an email message if you aren’t sure of the authenticity of the message and/or its sender. Contact the company using a known-good phone number or email address.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Misconceptions: Antivirus Software

By Chris Williams

The antivirus dichotomy

Is antivirus (AV) software a necessity, or does it simply offer users a false sense of security? In reality, this is a false dichotomy as both perspectives on this topic are somewhat true. While AV software protects inexperienced users from a variety of common threats, it doesn’t protect high-profile users (managers, executives, etc.) from advanced threats; in the latter case, training these users to avoid high-risk behavior is vital. Safe Internet browsing practices, awareness of common social engineering tactics, and use of physical access controls within the environment are all important to reduce malware exposure. If systems never come in direct contact with malicious code, then the chances of infection drop accordingly.

Does this mean that end users with little to no security training should go without antimalware protection of any sort? Absolutely not. However, it is critical to understand that in IT security, defensive technology is perpetually catching up to offense. If you’re a high-profile enough target for a malicious attacker to expend one of their most valuable commodities (e.g., a zero-day exploit) to crack, then just know that by definition your AV software is not going to prevent the resulting damage—if it detects the attack at all. In other words, additional defense mechanisms are required to compensate for the limitations of antivirus programs.


Defense-in-depth is the methodology which IT security practitioners rely upon to secure complex systems from a wide variety of threats; the basic premise is to employ multiple overlapping security measures to protect each asset.

The term “layering” is often used to describe defense-in-depth. For each access point that exists within a system, there must exist at least one defense mechanism, or layer. Each successive layer adds to the security of the system, since an attack which breaches the first layer should hypothetically fail to breach the second layer. (Otherwise, why is the second layer even there?) If multiple security measures are vulnerable to the same exploit, it defeats the purpose; that would be like having an outside security door, an inside security door, and the door to the most securely guarded portion of the building all keyed to the same key. If a malicious person obtains that key, then all of the security mechanisms are defeated simultaneously.

What does this have to do with antivirus software? Simply this: AV programs have known shortcomings that can, and must, be anticipated in order to maintain a secure environment. And while the protection offered by these software platforms does almost unarguably outweigh the negatives, there is no antivirus on the market which can be considered “perfect”. Lastly, even if a perfect AV package were developed (hypothetically), malware is only one threat vector; there are dozens of other means that malicious attackers use which would be virtually unhindered.

The takeaway

Even with all of the above caveats in mind, it is essential in today’s reality to run antivirus software on endpoints such as user workstations and public-facing servers. The following points may provide some additional guidance:

  • Administrators and security professionals should research and learn about all of the AV software on the market and select one which suits their needs. The most popular platforms aren’t necessarily the best, nor are the most expensive options inherently better than others.
  • A second-opinion software option should be kept on stand-by just in case; due to differences in definitions and analysis methods, it is often necessary to scan using multiple different vendors.
  • Become familiar with services such as VirusTotal, which can, for no charge, examine suspicious files and URLs in a sandbox environment.
  • Not all malware is a virus, and it is often necessary to use specialized tools to detect or remove threats such as spyware/adware.
  • One cannot stress this enough: AV software is simply one piece of the larger puzzle, rather than a one-and-done solution to all network security ailments.

Copyright © 2017 ParadoxPrime IA, All rights reserved

Recognizing Computer Threats – Malware

By Chris Williams

Why is my PC running so slowly?

Could it be malware? Some non-malicious events can certainly make your Windows computer run slowly. Such causes include operating system updates downloading from Microsoft at inopportune times, unnecessary processes or services running in the background, and disk fragmentation; or the machine could simply be overdue for a restart (this fixes more ailments than you might think!).

However, if you’re fairly certain it isn’t any of these issues, or if you’re just more paranoid than most, the next several paragraphs detail some things to look at which you can easily access via the Resource Monitor. Keep in mind that the more you understand about the computer’s performance under normal conditions, the more likely you are to spot malicious activity taking place. For example, many Windows users have a fairly good idea of how much storage space is left on their computers; this is certainly useful information to have for normal day-to-day operation of the machine. The same holds true when it comes to monitoring how much memory, CPU time, or bandwidth is being utilized.

Consistently High CPU Usage

Malware tends to consume a significant amount of CPU time, so if your CPU Usage meter is consistently pegged at close to 100% it could be an indication of malware infection. Looking at the CPU Usage History can help you distinguish a short-term spike from something that has been going on for a longer time frame. We recommend scanning for malware, in particular if your CPU time doesn’t fall to a normal level after a period of relative inactivity.

Memory (RAM) Allocation

Malicious software can run processes in the background that require noticeable amounts of memory, and can spawn related services that you may not recognize. One approach is to (with as few open applications as possible) make note of any processes or services you are suspicious of, and simply Google them. You will likely find a lot of info regarding Windows system processes as well as services that belong to legitimate applications; in the event that you discover a process that appears to be malicious, it’s important to conduct a thorough malware scan immediately.

Missing Disk Space

Viruses are self-replicating and can, if left unchecked, take up a sizable portion of disk space within a short period of time. This adversely affects the computer’s performance because, as the disk’s capacity approaches its limit, the read/write speed of that drive effectively diminishes. If one day your drive has 200 GB space remaining and the next day that same drive is inexplicably down to 20 GB, the next logical step would be to scan for malware.

Network Utilization

Some malware types—in particular, spyware—can be used to obtain information about you or your computer and then forward it back “home” to a hacker or other malicious user. Whether this information is used for identity theft, or is simply reconnaissance for a future attack, there is still some amount of network activity required for that data to reach its destination. It can be difficult to detect in a home environment but it is still important to know the signs; these include unfamiliar networking services or connections to unknown hosts, and an unusually high level of network activity (in particular when you’re not browsing the internet and have few or no networked devices talking back and forth).
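One way to turn the “know your baseline” advice from the preceding sections into something repeatable, as an added example that is not part of the original post: record the normal figures once, then compare a later snapshot against them. The two snapshots are constructed dictionaries standing in for Resource Monitor readings, the thresholds are the example’s own choices rather than figures from the post, and hlpr32.exe is an invented process name.

```python
# Added example: compare a current snapshot of CPU, processes, disk and idle
# network traffic against a recorded baseline.  Not the post author's tooling;
# both snapshots and all thresholds are constructed for illustration.

CPU_BUSY_PERCENT = 90        # a reading this high counts as "pegged"
CPU_SUSTAINED_SAMPLES = 10   # consecutive readings that turn a spike into a pattern
DISK_DROP_FRACTION = 0.5     # share of free space lost since the baseline
NET_IDLE_MULTIPLIER = 10     # idle traffic this many times the baseline is unusual

# Figures noted on a quiet day with no suspicious activity (constructed).
BASELINE = {
    "processes": {"explorer.exe", "svchost.exe", "chrome.exe", "onedrive.exe", "avastsvc.exe"},
    "free_disk_gb": 200.0,
    "idle_net_kbps": 5.0,
}

# Figures noted the next day while the machine feels sluggish (constructed;
# hlpr32.exe is an invented name standing in for an unrecognised process).
CURRENT = {
    "processes": {"explorer.exe", "svchost.exe", "chrome.exe", "onedrive.exe", "avastsvc.exe",
                  "hlpr32.exe"},
    "cpu_history": [12, 15, 97, 99, 98, 96, 99, 97, 98, 99, 97, 98, 99, 96],  # per-minute samples
    "free_disk_gb": 20.0,
    "idle_net_kbps": 850.0,
}


def sustained_high_cpu(history, threshold=CPU_BUSY_PERCENT, window=CPU_SUSTAINED_SAMPLES):
    """True only when the most recent `window` readings are all at or above threshold,
    which separates a long-running hog from a brief spike."""
    recent = history[-window:]
    return len(recent) == window and all(sample >= threshold for sample in recent)


def compare_to_baseline(baseline, current):
    """List deviations from the baseline that, per the post, warrant a malware scan."""
    findings = []

    unknown = sorted(current["processes"] - baseline["processes"])
    if unknown:
        findings.append("unfamiliar processes, look each one up before trusting it: " + ", ".join(unknown))

    if sustained_high_cpu(current["cpu_history"]):
        findings.append(f"CPU at or above {CPU_BUSY_PERCENT}% for the last {CPU_SUSTAINED_SAMPLES} samples")

    lost = baseline["free_disk_gb"] - current["free_disk_gb"]
    if baseline["free_disk_gb"] and lost / baseline["free_disk_gb"] >= DISK_DROP_FRACTION:
        findings.append(f"free disk fell from {baseline['free_disk_gb']:.0f} GB to {current['free_disk_gb']:.0f} GB")

    if current["idle_net_kbps"] >= NET_IDLE_MULTIPLIER * baseline["idle_net_kbps"]:
        findings.append(f"idle network traffic {current['idle_net_kbps']:.0f} kbps against {baseline['idle_net_kbps']:.0f} kbps at baseline")

    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT) or ["nothing out of the ordinary"]:
        print("-", finding)
```

With the constructed snapshots all four checks fire: one unrecognised process, CPU above 90% for the last ten samples (the two low readings at the start of the history are older than the window, so they don’t mask the pattern), free space down from 200 GB to 20 GB, and idle traffic far above normal. A history of only a few high readings, or a spike that has already subsided, does not trip the CPU check.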

Browser Redirection

After installing a “free” program or file of dubious origin, you may find that your web browser’s home page has been changed, or perhaps there are unusual toolbars you didn’t previously have installed; both cases are cause for concern and should be investigated. Spyware and adware often contain browser hijacking components, create pop-up ads, and cause other inconveniences when surfing the Web. While it is common for legitimate sites to try to bundle unwanted programs with their downloads, there will (should) always be an opt-out, simply requiring you to de-select the extra software before confirming the download and/or installation. Less reputable sites may not give you this option—this is of course a red flag, but it comes too late, as you’ll have already exposed your system to the threat.

Crashing or Locking Up

When a PC frequently crashes or freezes, it could mean a few things, imminent hardware failure being among them. While a corrupted hard disk or a bad memory module is definitely urgent, the threat of malware requires greater immediacy in order to ensure your personal privacy and critical data are protected; therefore it is recommended to scan the system for intrusion upon recovery from a crash. (Provided that the system is stable enough to do so.)

Addressing the threat of Malware

To supplement whatever your preferred antivirus/anti-malware is capable of detecting (which isn’t everything), it is recommended to run more than one antivirus application on a regular basis; by conducting in-depth scans using multiple different detection engines you can have some certainty that your computer is safe. Additionally, some varieties of malware (spyware, frequently) simply necessitate having specialized tools available to combat them. Lastly, since many advanced malware programs can obfuscate themselves, detection methods also need to take that into consideration; one such example is Avast’s “boot-time scan” feature, which scans the computer prior to booting up the operating system—thus negating the malware’s ability to hide itself within the file system.
A long list of recommendations is sure to follow in a future post. But for now, here are some answers to the specific threats mentioned in this article:

  • Avast (antivirus)
  • Malwarebytes (antivirus)
  • Webroot (antivirus)
  • Hitman Pro (“second opinion” antivirus)
  • Spybot Search and Destroy (anti-spyware)
  • TDSSKiller (rootkit remover)

Understanding and avoiding future threats

Detection, prevention, and remediation are critical to keeping your computer safe from malware, but an even better approach is to avoid infection in the first place. Certain “high-risk” activities greatly increase your exposure: P2P file sharing, visiting adult websites, and downloading software from unscrupulous repositories. Less reputable repository sites tack on additional programs, usually spyware or adware, without your explicit permission. (You can frequently get around this by paying attention during the installation process and deselecting any add-ons.)

Phishing and questionable links/files

Another major threat comes via email. While phishing emails certainly aren’t new, the sheer volume and complexity of these messages are increasing dramatically. The average user will most likely be fooled at some point and click on something they shouldn’t have. This frequently comes in the form of a malicious link that delivers its payload via cross-site scripting. Another method, less common nowadays due to spam filtering techniques, is to send a specially crafted file which spoofs a .pdf, .zip, or other benign file extension but actually contains a malware package that installs itself once executed by the user. Whatever the mechanism, the goal is to compromise the victim’s system by infecting it with malware.

One last thing to be very conscious of is that attackers can spoof addresses from your contact list in order to make the phishing message seem more trustworthy; for all of these reasons, here are some good practices to follow:
• Assume that all unsolicited file attachments are phishing attempts and delete them, regardless of type.
• Verify the legitimacy of suspicious links you receive from known contacts before clicking on them. Same holds true with URLs sent to you via messaging apps and SMS/MMS.
• If the subject line doesn’t match the body, or if there is no message body, consider it suspicious.
• Check the email header information to verify that the “from” address matches the actual sender’s email address. This can be difficult with advertisement emails as they often use aliases.
• When in doubt, delete the message.
• Use free services such as to analyze even “safe” URLs, for additional reassurance.
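The header check in the list above, carried out in code as an added example that is not part of the original post. It parses two constructed messages and reports where the From address, Reply-To, Return-Path and the receiving server’s own Authentication-Results disagree about who sent the mail; a Return-Path on a different domain is rated informational only, because the advertising “aliases” the post mentions do this legitimately. All addresses and the Authentication-Results line are invented; example.com and its neighbours are reserved documentation domains.

```python
# Added example: spot header fields that disagree about a message's sender.
# Not the post author's tooling; both messages below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def registrable(domain):
    """Collapse sub-domains so mail.example.com and example.com compare equal."""
    return ".".join(domain.lower().split(".")[-2:])


def domain_of(addr):
    return addr.rpartition("@")[2]


def header_findings(raw_message):
    """Return (severity, explanation) pairs for header fields that disagree about the sender."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_site = registrable(domain_of(from_addr))
    findings = []

    # 1. A display name that contains a *different* address is a classic lure:
    #    many mail clients show only the name, so the reader sees the fake one.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if registrable(domain_of(shown)) != from_site:
            findings.append(("high", f"display name shows {shown} but the message is from {from_addr}"))

    # 2. Replies silently routed to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and registrable(domain_of(reply_to)) != from_site:
        findings.append(("high", f"replies go to {reply_to}, not to the From domain"))

    # 3. Bounce address elsewhere.  Bulk mailing services do this legitimately,
    #    which is the "aliases" caveat in the post, so rate it informational.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and registrable(domain_of(return_path)) != from_site:
        findings.append(("info", f"bounces go to {return_path}; normal for mailing services, worth noting otherwise"))

    # 4. The receiving server's own verdict, when it recorded one.
    for mechanism, result in AUTH_RESULT_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in ("fail", "softfail", "permerror"):
            findings.append(("high", f"{mechanism.upper()} {result.lower()} at the receiving server"))

    return findings


# Constructed: a lure dressed up as a bank notice.
LURE = """\
Return-Path: <bounce-8812@esp.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=esp.example; dkim=none
From: "Example Bank Support <support@example.com>" <promo-8812@example-rewards.net>
Reply-To: help-desk@example-support.net
To: tom@example.org
Subject: Action required: confirm your account

Your account will be closed unless you confirm your details today.
"""

# Constructed: an ordinary newsletter whose headers agree with one another.
NEWSLETTER = """\
Return-Path: <bounce@bulk.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk.example.com; dkim=pass
From: "Example Shop" <news@example.com>
Reply-To: news@example.com
To: tom@example.org
Subject: This week's offers

Thanks for subscribing.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("newsletter", NEWSLETTER)):
        print(label)
        for severity, why in header_findings(raw) or [("ok", "headers are consistent")]:
            print(f"  [{severity}] {why}")
```

The lure produces three high-severity findings (an address hidden in the display name, a Reply-To on yet another domain, and an SPF failure recorded by the receiving server) plus the informational Return-Path note; the newsletter produces none, even though its bounce address sits on a sub-domain, because the comparison is made on the registrable domain rather than the full hostname.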

The Takeaway

PCs tend to slow down and generally perform less optimally over time. However, excessive slowness can be a sign of malware or other malicious activity affecting your system. Any single anti-malware solution is insufficient to address all of the various threats on the landscape; instead of relying on just one favorite, become accustomed to using multiple virus detection engines to minimize risk. Safe browsing practices and an understanding of phishing campaigns are two of the keys to staying relatively safe online.


Copyright © 2016 ParadoxPrime IA, All rights reserved