I have encountered two malware situations regarding software that my students are using. I might have called these viruses but it is most likely due to being tricked into downloading and running a program without knowing the harm it will do. I also want to point out an anti-virus program that should never be used.
Let’s begin with an unusual target, the Apple Macintosh. A student working on a exercise that required searching with Google could not get the expected results. When they shared their screen I noticed that in Safari and in Chrome that when a search string was entered into the address bar the string was rewritten with a prefix that read “search baron” and the search engine used was Bing and not Google. In both browsers the default search engine was Google. Search Baron is a recognized piece of malware that redirects all searches to Bing so that its authors can receive payments from Microsoft. True, Microsoft will pay you to use Bing. For this student the workaround was to go to google.ca and enter the search string in the search field on the page and not the address bar. If you see Search Baron on your Mac you must remove it. You will have to research how to do this on a Mac.
Next up is a Windows problem. Two of the 39 students I have in a course downloaded a zip file of a web server. These two students were unable to run the server and the error messages implied that files were missing. When working with one student we noticed that when we unzipped the file after downloading it, Windows Security briefly displayed a message declaring that it found a trojan script. The warning was quite brief and when we looked at Windows Security it showed no current threats. When we looked at the threat history we found the problem. When the file was being unzipped Windows Security spotted a problem it named trojan:script/Foretype.a!ml. As far as we could tell, in cleaning out this threat it also blocked certain files from being unzipped.
A scan of the student’s computer with Windows Security revealed nothing. The student then downloaded and ran the MalwareBytes scanner and it uncovered an issue with a Chrome plugin. The student deleted the plugin. The student then switched to FireFox to download the zip file and it unzipped successfully and the server ran without incident. I have asked the student to use Chrome again, now that the extension is supposed to be gone, to verify that this extension was the problem. I will update this post once I hear from the student.
I will finish this post with a warning about one of the free anti-virus scanners. This scanner is frequently attached to freeware and requires that you opt out, something too many users miss, otherwise it is installed. Last semester I needed to ban this anti virus program because it blocked the Java keystore so that SSH keys, in our case for Gmail, could not be found. The program is called Avast. Please warn students and developers against ever using this anti-virus scanner.
Two students expressed the Windows trojan issue. Student number one is discussed in the blog. Student number two ran MalwareBytes but they were told that the trojan script was hiding in their installation of FileZilla, a widely used SSH client. The script was cleaned out by MalwareBytes and a fresh download of the software, downloaded with the existing installation of Chrome, unzipped without any issues and the software functioned properly. Conclusion, the source of the trojan script may be widespread but where it came from remains unknown.