
Wednesday, August 30, 2023

When malware strikes


Knowing what to do can be the difference between a costly trip to the repair shop and a DIY fix at home.

MANY of us have been there before – an accidental click or file download that leaves us worrying about whether our passwords have been stolen or our webcam has been compromised.

Or maybe it’s the system becoming slow, erratic, freezing, or crashing, which may hint that something strange is going on with your machine.

But hiring a professional can be an expensive affair, and lugging around an entire desktop computer for troubleshooting is anything but fun, so it’s best to check if you can fix the issue yourself.

Those on Windows 7 or 8 should take note that their operating system (OS) is in end-of-life status, making it especially vulnerable to malware as it no longer receives security updates.

Antivirus 101

One thing to keep in mind is that no antivirus or anti-malware tool is perfect, as one may detect a virus while another misses it completely.

Like seeing a doctor, it’s valuable to have a second opinion in the form of another software scanner. Good options include Malwarebytes, Avast Antivirus, and antivirus programs from Kaspersky.

However, the first thing you’ll want to do is download Rkill (bit.ly/rkill), a handy tool from BleepingComputer that terminates known malware still resident in memory and running in the background, also known as “processes”, and writes a list of what it stopped to a text file.

This is vital, as active malware can attempt to trick and hide from antivirus programs. Note that Rkill only stops the processes; it removes nothing, so do not reboot before scanning or the malware will simply start again.

Then do an antivirus scan – don’t use more than one at the same time, as simultaneous scans can result in the antivirus programs mistaking each other for malware.

If the scans turn up positive, potentially malicious items will be listed, and the antivirus will prompt you on what action to take, such as to quarantine or remove the affected file or folder.

It’s best practice to look up the name listed by the antivirus, as it could be a false positive.

Then switch over to the alternative antivirus tool and run another scan to cover blind spots.

If the antivirus discovered an issue and fixed it, then all is well; otherwise, you will have to get your hands dirty by engaging in a little “digital forensics”.

‘Suite up’, digital detective

Your digital forensics work will require a toolkit to analyse and understand your computer better, especially what’s causing the issue.

Our recommendation is the Sysinternals Suite (bit.ly/sysinternalssuite), a set of utilities from Microsoft that provides a detailed view of what each and every program and process is doing.

Sysinternals is meant to do the same job as Rkill, except that you will be the one identifying, disabling and removing the malware manually.

One of the most useful tools it contains is the Process Explorer (procexp64.exe in the Suite folder), which lists all the active processes in a system, one of which could be malware.

In Process Explorer, open the Options menu and enable “Verify Image Signatures” and, under the VirusTotal.com submenu, “Check VirusTotal.com”.

Things to look for here are processes with no description, or whose image signature is not verified, since a verified signature from a known vendor is one indicator that a program is legitimate.

The description and signature columns may turn up blank for some Windows processes, so ignore those and focus on the ones whose Verified Signer column is not marked “(Verified)”.

Virustotal.com is a website that collates information from 75 different malware-scanning engines because, you know, who needs a second opinion when you can get 75?

If a process is legitimate, then it should have a proper description, a verified image signature from a third-party vendor (like Microsoft or Adobe), and not be flagged by any of the antivirus engines (0/75). Bear in mind that a valid signature is a strong hint rather than proof: the column tells you who signed the file, not whether that signer should be trusted.

A side note: users looking to check if a specific file is malware can also upload it directly to Virustotal.com, though the size is limited to 650MB.

Make sure to look up each process to find out more about it before taking action, as there are many different types of malware out there, with some being more difficult to remove. There’s a shortcut to searching online included in the right-click menu to help with this. Process Explorer can also be used to uncover processes that are utilising the resources of your graphic card, RAM, and storage.

For a more granular view of what a process is doing, the Process Monitor (Procmon64.exe) tool includes details like where a process is writing a file and whether it’s making a network connection to upload something.

Do note that VirusTotal is still not immune to false positives. Two of my legitimate processes are always flagged by VirusTotal: Apagent.exe (for an Apple AirPort router that was repurposed as network attached storage) and GamingServices.exe (an official process from Microsoft for its video game platform and store).
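The same triage pass can be scripted from a PowerShell prompt, which is handy when there are too many processes to eyeball or when you want a report to look up later. The script below is an added example, not code from the article or from Sysinternals. It mirrors Process Explorer’s “Verify Image Signatures” check with Get-AuthenticodeSignature, hashes each executable with SHA-256, flags anything running from a user-writable folder, and builds a VirusTotal hash-lookup link so you can check a verdict without uploading the file. The list of user-writable folders and the Desktop location of the report are assumptions; run it from an elevated prompt so the paths of processes owned by other users are readable.

```powershell
# Added example, not code from the article or from Sysinternals.
# Run from an elevated PowerShell prompt.

# Folders that need no administrative rights to write to, which is why malware favours them (assumed list).
$userWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, "$env:USERPROFILE\Downloads", $env:PUBLIC) |
    Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ProcessTriage {
    $sigCache  = @{}   # one signature check and one hash per distinct executable
    $hashCache = @{}
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $path = $_.Path
        if (-not $sigCache.ContainsKey($path)) {
            $sigCache[$path]  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $hashCache[$path] = (Get-FileHash -Algorithm SHA256 -LiteralPath $path -ErrorAction SilentlyContinue).Hash
        }
        $sig = $sigCache[$path]
        [PSCustomObject]@{
            Name        = $_.ProcessName
            PID         = $_.Id
            Description = $_.Description                 # blank for some genuine Windows binaries too
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus   = $sig.Status                    # 'Valid' is what Process Explorer shows as (Verified)
            UserDir     = Test-UserWritablePath -Path $path
            Path        = $path
            SHA256      = $hashCache[$path]
            # VirusTotal's hash page: check the verdict without uploading the file.
            VirusTotal  = "https://www.virustotal.com/gui/file/$($hashCache[$path])"
        }
    }
}

$triage = Get-ProcessTriage

# Suspects: anything not carrying a valid signature, or running from a user-writable folder.
$triage | Where-Object { $_.SigStatus -ne 'Valid' -or $_.UserDir } |
    Format-Table Name, PID, SigStatus, UserDir, Path -AutoSize

# Full report, hashes included, to look things up before touching anything (assumed output location).
$triage | Export-Csv -LiteralPath "$env:USERPROFILE\Desktop\process-triage.csv" -NoTypeInformation
```

Treat the UserDir flag as a prompt to look, not a verdict: plenty of legitimate per-user installs (chat clients, browsers installed without admin rights) live under AppData too. The Signer column is what lets you tell a vendor-signed updater from an unsigned lookalike sitting in the same folder.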

When a malicious process is discovered, right-click and view its properties, which will reveal details like how it is being launched and where the file is being stored.

Like with Rkill, you will need to kill the malicious process, though some malware types run multiple processes at once so that they can restart each other as you kill them.

In this case, it’s best to “suspend” the target processes first before terminating them.

Then move on to the Autoruns (Autoruns64.exe) tool and untick the entry that launches it automatically when the machine turns on.

Avoid deleting the entry right away since it could be a misidentified process; instead, disable it first to confirm it is indeed malware.

Once sure, navigate to the folder usually housing the malware – these are “user folders” like Temp or AppData, as administrative rights are not required for malware to write to them – and delete the source file to end your woes.

Though, for more complex malware, manual removal may be difficult or downright impossible, so make sure to check what is involved.

In the worst-case scenario, there’s always the nuclear option of doing a clean install of Windows, but this will wipe out your entire system.
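The suspend-then-kill, Autoruns and clean-up steps above can be chained from PowerShell once you are certain about the file. The script below is an added example, not code from the article or from Sysinternals; it assumes the Sysinternals Suite has been unpacked to C:\Tools\Sysinternals, that C:\Quarantine is a spare folder, and that the prompt is elevated. It uses pssuspend64.exe (the console tool in the Suite) to freeze every instance of the image before any is terminated, then autorunsc64.exe (the console version of Autoruns) to list the autostart entries that point at the file, and finally moves the file into a quarantine folder under a neutral extension rather than deleting it, so a false positive can be undone.

```powershell
# Added example, not code from the article or from Sysinternals.
$sysinternals = 'C:\Tools\Sysinternals'   # assumed unpack location of the Suite
$quarantine   = 'C:\Quarantine'           # assumed quarantine folder

function Remove-MaliciousImage {
    param([Parameter(Mandatory)][string]$ImagePath)

    # 1. Suspend every instance before terminating any. A suspended process cannot
    #    relaunch its siblings, which defeats malware that runs several copies as watchdogs.
    $victims = @(Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($_.Path -ieq $ImagePath) })
    foreach ($p in $victims) {
        & "$sysinternals\pssuspend64.exe" -accepteula -nobanner $p.Id | Out-Null
    }
    foreach ($p in $victims) {
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }

    # 2. List every autostart entry that points at the file: -a * all entry types,
    #    -c CSV output, -s verify signatures. autorunsc cannot disable entries, so
    #    untick the ones it reports in Autoruns64.exe.
    $entries = & "$sysinternals\autorunsc64.exe" -accepteula -nobanner -a * -c -s 2>$null |
        ConvertFrom-Csv |
        Where-Object { $_.'Image Path' -ieq $ImagePath }

    # 3. Quarantine rather than delete: renamed and moved, the file can no longer run,
    #    but it can be put back if the verdict turns out to be a false positive.
    New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    $dest  = Join-Path $quarantine ("{0}.{1}.quarantined" -f (Split-Path $ImagePath -Leaf), $stamp)
    Move-Item -LiteralPath $ImagePath -Destination $dest -Force

    [PSCustomObject]@{
        Killed           = $victims.Count
        AutostartEntries = @($entries | Select-Object Entry, 'Entry Location', Signer)
        QuarantinedTo    = $dest
    }
}

# Usage with an assumed path: replace it with the path shown on the process's Properties > Image tab.
Remove-MaliciousImage -ImagePath "$env:APPDATA\Updater\updater.exe"
```

The returned object tells you how many processes were stopped, which autostart locations still reference the file, and where it now sits. If the machine stays clean after a reboot, empty the quarantine folder; if something legitimate broke, move the file back and re-enable its Autoruns entry.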
