Computer Security Series, Part 2
(Read Part 1)
Signs You are Infected with Malware
By Robert Spotswood with contributions by Modem Bob
You have a problem
Computers being infected and accounts being broken into are a fact of life in today's world. Avoiding this fact is difficult even for the experts. The odds are, sooner or later, it's going to happen to you, and probably more than once. One mistake is all it takes. Recognizing you have a problem is the first step to limiting the damage the criminals will do to you and everyone else.
But how do you know you have problem? The answer is, “It depends.” There are two types of infections, overt and covert. The signs are different for each type, although there is some overlap.
It's also possible to have both kinds of infections at the same time, but rare. The covert criminal gangs don't like the overt ones because they attract attention to the infection. This, in turn, has a tendency to get the computer cleaned by professionals and semi-professionals, often removing the covert infections along with the overt ones.
The Overt Signs
As the name implies, overt infections are pretty easy to recognize. You'll get pop-up windows with ominous warning signs about how your computer is infected with lots of malware. Malware is a general term for any malicious software, sometimes called viruses, trojans, rootkits, spyware, and/or adware. The window will look like a name brand antivirus window and will have a similar name.
Sometimes you'll get additional pop-up warnings that an address on the Internet is currently stealing your personal data. In every case, it will offer to clean your computer, but when you tell it to do so, it wants you to buy the full version to do cleaning. This is sign alone is enough to tell you you're infected. You need look no further.
Giving the software a credit card number or your bank information is a very bad idea, because it's not called “scam”-ware for nothing. Some scamware will do more than just try to trick you out of your credit card or bank info. But these tricks are also found in the covert infections.
The Covert Signs
Unfortunately, not all malware infections are so easy to recognize as the overt ones. Many criminals try to stay under the radar, and are quite good at it. No one sign is proof you are infected, and some signs are more valuable at identifying an infection than others. To help gauge your likelihood of being infected, I've included a score by each sign if you can't find a non-malware reason for the sign. If the total adds up to 6 or more points, you can safely assume you are infected. The closer your score is to 6, the more likely you are infected.
This list is not every possible sign, and many of the signs can have non-malware related causes. A quick Internet search will turn up many more. But these “many more” signs are a minefield of false positives, and are therefore not included. They are just too unreliable. Finally, the best malware is very hard to notice, even for experts.
New toolbar (1 pt)
All of a sudden your web browser(s) is sporting a new toolbar. Many toolbars have a bounty for each install, so this is a way for the criminals to make some extra cash.
Unfortunately, lots of legitimate software also bundles toolbars with their install programs to help earn the authors money, and some make it easy to miss, intentionally, that you are installing a toolbar along with the program.
Random Pop-ups (2 pt)
Surfing the Internet used to be fun, but all of a sudden, you're getting strange pop-ups almost constantly, and you didn't click on anything. Sometimes this is a sign of an infection, or it could be someone turned off your pop-up blocker. Occasional pop-ups, especially in response to your clicking on something are normal.
Searches Redirected (2 pts)
You try to visit your favorite search engine, and you wind up somewhere else. Or you notice your default search engine has changed. There are many explanations for this that have nothing to do with malware, but some malware does this too.
Visiting Strange Websites (3 pts)
You are viewing some site, and all of a sudden, your browser opens a new site in the same window or tab. You didn't click on anything. Some sites will automatically redirect you. That capability is built in to the web (really HTML). However, most legitimate sites will either do it instantly and you'll never see the change, or the page will let you know you'll be redirected in a few seconds.
In either case, the page should at least resemble the one you were trying to see. If it doesn't, and especially if it's filled with ads and no content, seems to be just a placeholder page, or rarely, an account suspended page, it's likely malware did it.
Can't reach security sites (5 pts)
Malware that plays with your web browser, and not all malware does that, will very often stop you from going to anti-malware pages. These include most major antivirus vendors and sites like virustotal.com. If in doubt, try going to Norton (http://www.symantec.com/index.jsp), McAfee (http://www.mcafee.com), or AVG's (http://free.avg.com) websites, either directly or via a search engine. If you can't get there, but can get to other sites, the odds are very high you're infected.
Proxy Settings are removed or changed (2 pt)
Having analyzed more than a few malware samples, I've found it's common to see them remove (95%) or change (about 5%) any proxy server settings you have. However, if you aren't using a proxy server in the first place, you'll never see the removal, so this sign is only useful for those using a proxy server. If you aren't using a proxy server and all of a sudden have one, that is suspicious too.
Microsoft Update doesn't work (3 pts)
When malware infects your computer, some will disable Microsoft update (newer version) or Windows update (older version) to prevent you from getting patches that could remove the malware. This also leaves you open to other malware infections as well.
However, there are a number of non-malware related reason Microsoft update will not work. For instance, if the computer's clock is off by enough, it won't update. Some bank sites will also not load if your clock is off by enough.
If the update service is turned off, it won't work. There are many other possible problems. Changing from Microsoft update to Windows update and back again (a topic for another time) can fix some problems.
Regardless of whether the cause is malware or not, this is a big problem you need to get fixed!
Antivirus software stops working (4 pts)
As I've mentioned in previous articles, antivirus software is a necessary evil in today's world, but it is not perfect. It shouldn't be your only defense, but it is an important one. If it suddenly stops working, won't update, or refuses to start, this might be because malware has gotten past your antivirus software.
There are other explanations though. If you're using a non-free version the software, it could be that your subscription has expired. However, just going into the program's interface should tell you if it's expired. The vendors want you to renew, and can be quite pushy about letting you know it's time, so this is fairly easy to check.
Regardless of whether the reason is malware related or not, this is something you need to get fixed!
Some of the more advanced malware can hide from antivirus software without disabling it. So don't think just because it's running and says you're clean that you can't possibly be infected. You can still be infected.
EXE programs stop working (5 pts)
In an effort to avoid detection and cleaning, some malware will change a registry entry to make sure ALL exe programs are run through it first. Any program it doesn't like will not be run. But in multiple cases I've seen, the malware messes up and prevents even innocent programs from running.
Keep in mind, I'm not talking about a single program that has stopped working. There are way too many, non-malware related reasons this could happen. But if the problem is multiple programs, that's a sign something is seriously wrong.
A quick test is regedit.exe. This often gets disabled. Click on Start → Run, then type regedit.exe in the box. Windows 7 and Vista users don't need the run. If this fails to start, be worried.
If it does start, just close it without doing anything. Messing with regedit can render a Windows computer unusable very easily if you don't know what you're doing. In some business environments, access to regedit is restricted. This is not malware, but a policy decision.
Task manager is another favorite to be disabled if you want to test a second program.
Random File names in MSConfig or TaskManager (4 pts)
Malware that autostarts will often use randomly generated file names in an effort to avoid detection by any antivirus software running on the computer. But to a human, the names look like gibberish, rather than abbreviations or names. If in doubt, try searching for the name in your favorite search engine. Non-malware names are easy to find some results for.
Click Start → Run, type "services.msc" in the box, and press Enter. You'll see detailed descriptions of the services Windows is running. Something look weird? Check with your search engine.
Finally, you can do more detective work by selecting Start → Run, and typing "msconfig" in the box. With this tool you not only see the services running, but also the programs that your system is launching at startup. Again, check for anything weird.
Do be cautioned that not all autostart programs will be listed. For instance, any program can use the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to set itself to autorun and it won't show up in msconfig. There are several others.
Over email quota (1 pt), Email bounces (1 pt), Accounts suspended (1 pts)
One thing some malware will do when it infects a computer is to steal any usernames and passwords it can. This includes your email account. This info is then sold to spammers to use to send spam. And once they start sending spam from your account, they send lots of it. All they can.
This can easily, and quickly, put you over the quota limit for sending. Most providers have limits on how many emails you can send per day. This is to control the damage the spammers can do with a stolen account.
Similarly, the spammers don't care about bad addresses, and since they are using your account, you'll likely get lots email messages about failed delivery from emails you don't remember sending. That's because you didn't send them.
Finally, legitimate email providers, in order to protect their reputation, and ensure that every one else using their system can still send email, will suspend accounts and ask questions later. Spammers are incredibly fast in sending, and the flood gates must be closed as soon as possible. If the provider waits until they have proof or they contact you first, a lot of damage will occur.
There are other ways besides malware that can explain how your username and password got stolen. It could be you answered a phishing email. It could be you used your email password as the password for an account when you registered at some website site, which almost always asks for an email address too, and that site was broken into, or was malicious in the first place. Finally, it could be your password was the same as your username (the part of your email address before the @). For example, if my email address was email@example.com, the worst password I could have, besides none, would be roberts.
Windows Firewall is off (4 pts)
Some malware will turn Windows firewall off as it installs itself. This makes it easier for the malware to use your computer.
Sometimes, though, Windows firewall is off for a good reason. Most likely, it is because you have other firewall software installed. Norton, Comodo, and Zonealarm all make firewall software that effectively replaces Windows firewall. You really don't want to run two firewalls at the same time, so this behavior is actually a good thing.
The other, non-malware related reason I've seen is someone manually turned it off. This could have been to test something and they forgot to turn it back on, or they didn't know how to configure it to allow some program to work through it, and just turned it off as a quick and easy fix.
Can't Boot in Safe Mode (3 pts)
For Windows users, if you press the F8 repeatedly just as Windows is starting, you can get to a menu which allows you to boot in safe mode. The time window to press the F8 key is very small and easy to miss, and usually you want to start repeatedly pressing F8 just after the non-Windows splash screen that comes up when you start your computer, also known as the POST screen. Unfortunately, some BIOS's will use the F8 key to access some function of theirs such as a boot menu, which makes getting to the safe mode menu even harder.
The Ramnit family of malware, upon infecting a machine, removes the registry entries needed to boot into safe mode. You'll probably get a BSOD (Blue Screen of Death) if you try. This is done to make the malware harder to remove. Other malware may do this as well.
Control Panel Takes Forever to Open (1 pts)
Sometimes an infected computer will take quite a long time to open Control Panel. If it takes longer than 60 seconds to open and start loading the icons, something is going on. The most common non-malware reason I've seen is an anti-virus scan is going on in the background. Other reasons are something putting the hard drive under heavy load, or it's a slow, or failing harddrive.
A quick search of the Internet will find other signs you can look for. But, as mentioned earlier, these aren't included because they are too unreliable.
- CD-ROM drive trays opening and closing by themselves.
- Programs launch on their own.
- Computer is freezing or locking up constantly.
- Files and folders seem to disappear or will not open. This is more often an indicator you have hard drive problems than malware.
- Computer is slower than usual.
- The Internet is slow.
- Lots of hard drive activity.
- Unexpected messages popping up.
- There isn't as much free space as you think you should have on your hard drive.
Without running a proper malware scan of a system, it's difficult to be sure you have an covert infection. But there are clues that can you look for. Don't ignore them.