I came this close (imagine me with my thumb and index finger about an eighth-inch apart) to doing something colossally dumb earlier this week. It's something that I should have known better than to even contemplate, and fortunately, I hesitated before I clicked that mouse button. Unfortunately, while I'm a suspicious kinda guy, most users aren't. Almost everyone would have made the mistake I almost made.
The mistake? Voluntarily downloading a known Trojan onto my computer, and then installing it. Here's what happened. Earlier this week I installed an updated version of an antivirus program on the primary workstation in the lab. It ran its full system scan, and it found the Trojan, and sent it off to purgatory, otherwise known as quarantine. Unfortunately, the antivirus program didn't remove the Windows registry entry that told the computer to launch the Trojan on startup.
This failure to remove the registry entry meant that I received an error message on the next restart telling me that the system was unable to load something called 'sshnas.dll.' Like most people I assumed that something had been corrupted, and never thought about the fact that the AV program had just run. So I went to Google and entered the file name so that I could see what application it belonged to.
That's when I discovered that there's a site, apparently created by the malware distributor, that offers to replace missing DLL files. It offered to provide the missing file for free. I was just about to click on the link when I noticed a string of messages also reported by Google from the Hewlett-Packard tech support forums. So I clicked on those instead, found out that sshnas.dll is a Trojan, and didn't do the download. Instead, I manually removed the entry from the registry. The malware is history.
But what's important is that I very nearly infected myself with a very sophisticated Trojan, run by an organization that's smart enough to trick users who have gone to the trouble of keeping their AV program updated and their computers scanned frequently into loading more malware.
The problem for the IT department is that there are a lot of users out there who, thinking they're saving time and trouble for the support staff, will do what I almost did and voluntarily (but unknowingly) bring malware into the enterprise. The problem is, these people aren't really being stupid, nor are they careless, and in fact they're trying to help.
So what do you do? First of all, make sure that your users know that if they receive any kind of error message on their computer, they should call the IT department, even if they think they know what it is. Second, the IT support staff needs to be willing to respond to such problems quickly.
Yes, most of the error messages people get in the course of their work are fairly minor, but there are also times when a message such as the failure to load a Windows component is the only sign you'll have that there's malware afoot. If your users know what to look for, then they'll call you, but they'll only do it if you can react quickly so they can get back to work.
And remember, malware can attack from a wide variety of places, and it can use many vectors. Just because users are behind a firewall doesn't mean they can't bring malware to work on their smartphone, their USB memory stick or their iPod.
And unlike those of us who should know better (me, for example), these people aren't doing anything they see as wrong. In many cases, they're trying to help you. What you need to do is show them how to actually help instead of making things worse.