Remediating Infected Systems

When a malware protection program detects that a computer is infected, it removes or quarantines the threat. However, the computer is most likely still at risk.

When malware is discovered on a home computer, you should update your anti-malware software and perform full scans of all your media. Many anti-malware programs can be set to run on system start before loading Windows. This allows the program to access all areas of the disk without being affected by the operating system or any malware.

When malware is discovered on a business computer, you should remove the computer from the network to prevent other computers from becoming infected. Unplug all network cables from the computer and disable all wireless connections. Next, follow the incident response policy that is in place. This may include notifying IT personnel, saving log files to removable media, or turning off the computer.

Removing malware may require that the computer be rebooted into Safe Mode. This prevents most drivers from loading. Some malware may require that a special tool from the anti-malware vendor be used. Be sure that you download these tools from a legitimate site.

For really stubborn malware, it may be necessary to contact a specialist to ensure that the computer has been completely cleaned. Otherwise, the computer may need to be reformatted, the operating system reinstalled, and your data recovered from the most recent backups.

The OS system restore service may include infected files in a restore point. Therefore, once a computer has been cleaned of any malware, the system restore files should be deleted, as shown in the figure.

After remediation, you may need to fix some issues caused by viruses. It may be necessary to boot the computer using the Windows product disk and then use the Windows Recovery Console, which replaces the recovery console from Windows 2000, to run commands from a “clean” command environment. The Recovery Console can perform functions such as repairing the boot file and writing a new master boot record or volume boot record.

The image shows the System Protection for System (C:) window, which can be used to configure restore settings, manage disk space, and delete restore points. It is reached from the Control Panel System utility by clicking the Configure button on the System Protection tab.

Anti-Malware Programs

Malware is designed to invade privacy, steal information, damage the operating system, or allow hackers to take control of a computer. It is important that you protect computers and mobile devices using reputable antivirus software.

This is the seven-step best-practice procedure for malware removal:

1. Identify and research malware symptoms

2. Quarantine the infected systems

3. Disable System Restore (in Windows)

4. Remediate infected systems

5. Schedule scans and run updates

6. Enable System Restore and create restore points (in Windows)

7. Educate the end user
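Steps 2, 3 and 6 of this procedure, together with the restore-point deletion described in the Remediating Infected Systems post, can be carried out from a script. The following is an added example and is not part of the original course text; it assumes an elevated (Administrator) PowerShell session on a Windows 10/11 client, the system volume on C:, and removable media mounted as E: (all three are assumptions).

```powershell
# Added example, not part of the original course text. Assumes an elevated
# PowerShell session on a Windows 10/11 client, the system volume on C:, and
# removable media mounted as E: (drive letters are assumptions).

# Step 2 - Quarantine: export the event logs to removable media first, while
# they are intact, then take the host off the network. Physically unplugging
# the cable is still the surest isolation; disabling every adapter that is up
# also covers Wi-Fi and virtual NICs.
wevtutil epl System   E:\System.evtx
wevtutil epl Security E:\Security.evtx
$activeNics = Get-NetAdapter | Where-Object Status -eq 'Up'
$activeNics | Disable-NetAdapter -Confirm:$false

# Record the restore points that exist before cleanup; each one is a snapshot
# that may still contain the infected files.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description

# Step 3 - Disable System Restore so that nothing the cleanup removes is
# preserved in a new restore point.
Disable-ComputerRestore -Drive 'C:\'

# Step 4 (scanning and removal with the anti-malware product) happens here.

# Restore points are kept in Volume Shadow Copies. Once the host is clean,
# delete all of them so that an infected snapshot can never be rolled back to.
vssadmin delete shadows /for=C: /all /quiet

# Step 6 - Re-enable System Restore and create a known-clean baseline.
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'Post-remediation clean baseline' -RestorePointType MODIFY_SETTINGS

# Reconnect only the adapters that were disabled above, and only after the
# remaining steps (scheduled scans, updates) are complete.
$activeNics | Enable-NetAdapter -Confirm:$false
```

Windows 8 and later create at most one restore point per 24 hours by default, so Checkpoint-Computer silently does nothing if another point was created earlier the same day.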

Today, antivirus programs are commonly referred to as anti-malware programs because many of them can also detect and block Trojans, rootkits, ransomware, spyware, keyloggers, and adware programs, as shown in Figure 1.

Anti-malware programs are the best line of defense against malware because they continuously compare files and activity against a database of known malware signatures. They can also use heuristic malware identification techniques, which detect specific behavior associated with some types of malware.

An anti-malware program starts when the computer boots and checks the system resources, drives, and memory for malware. It then runs continuously in the background, scanning for malware signatures. When a virus is detected, the anti-malware software displays a warning similar to the one shown in the figure. It may automatically quarantine or delete the malware, depending on the software settings.

Anti-malware programs are available for Windows, Linux, and macOS from many reputable security organizations, such as McAfee, Symantec (Norton), Kaspersky, Trend Micro, Bitdefender, and others.

Note: Using two or more anti-malware solutions simultaneously can negatively impact computer performance.

The most common method of malware delivery is through email. Email filters are a line of defense against email threats, such as spam, viruses, and other malware, by filtering email messages before they reach the user’s inbox. File attachments can also be scanned before they are opened.

Email filtering is available on most email applications or it can be installed at the organization’s email gateway. In addition to detecting and filtering out spam messages, email filters also allow the user to create blacklists of known spammer domains and to whitelist known trusted or safe domains.

Malware can also be delivered through applications that are installed. Installation of software from untrusted sources can lead to the spread of malware such as Trojans. To mitigate this risk, vendors implement various methods to restrict the ability of users to install untrusted software. Windows uses the system of Administrator and Standard user accounts, along with User Account Control (UAC) and system policies, to help prevent installation of untrusted software.

Be cautious of malicious rogue antivirus products that may appear while browsing the Internet. Most of these rogue antivirus products display an ad or pop-up that looks like an actual Windows warning window, as shown in Figure 2. They usually state that the computer is infected and must be cleaned. Clicking anywhere inside the window may begin the download and installation of the malware.

When faced with a warning window that is suspect, never click inside the warning window. Close the tab or the browser to see if the warning window goes away. If the tab or browser does not close, press ALT+F4 to close the window or use the task manager to end the program. If the warning window does not go away, scan the computer using a known, good antivirus or adware protection program to ensure that the computer is not infected.

In Linux, users are prompted if they attempt to install untrusted software. Packages are signed with the repository's cryptographic private key, and the corresponding public key for the repository must be installed before the package manager will accept the software.

Mobile OS vendors use the walled garden model to prevent installation of untrusted software. Under this model, apps are distributed from an approved store, such as the App Store for Apple or the Windows Store for Microsoft.

There are 2 figures on the page.

Figure 1: The image shows the Microsoft Security Essentials program window with a completed scan of a PC and the potential threat details window showing a detected item classified as HackerTool:Win32/Keygen.

Figure 2: The image shows what appears to be a Windows Security Alert but is actually a rogue antivirus Trojan horse.

Malware

There are many types of threats created to disrupt computers and networks. The greatest and most common threat for computers and the data contained on them is malware.

Sources of Malware

Malware is software developed by cybercriminals to perform malicious acts. In fact, the word malware is an abbreviation of malicious software.

Malware is typically installed on a computer without user knowledge. Once a host is infected, the malware could:

  • Change the computer configuration.
  • Delete files or corrupt hard drives.
  • Collect information stored on the computer without the user’s consent.
  • Open extra windows on the computer or redirect the browser.

How does malware get on your computer? Cybercriminals use a variety of methods such as those listed in the figure to infect hosts.

Depending on their goals, cybercriminals will use different types of malware. The choice of malware depends on the target and what they are after.

Non-compliant and legacy systems are especially vulnerable to software exploitation. A non-compliant system is one that has not been updated with operating system or application patches, or that is missing antivirus and firewall security software. Legacy systems are those for which the vendor no longer provides support or fixes for vulnerabilities.

This image is a text list of 9 sources of malware:

  • User visiting an infected website
  • User has outdated antivirus software
  • Web browser not patched for a new vulnerability
  • Downloading a “free” program
  • Opening unsolicited email
  • Exchanging files on file sharing sites
  • Computer infected by another infected host
  • Opening attachments sent in instant messenger, social media, etc.
  • Inserting a USB stick that you found in a public area

Viruses and Trojan Horses

The first and most common type of computer malware is a virus. Viruses require human action to propagate and infect other computers. For example, a virus can infect a computer when a victim opens an email attachment, opens a file on a USB drive, or downloads a file.

The virus hides by attaching itself to computer code, software, or documents on the computer. When opened, the virus executes and infects the computer. Figure 1 lists examples of what can happen once a virus has infected a host. Modern viruses are developed for specific nefarious intent such as those listed in Figure 2.

Cybercriminals also use Trojan horses to compromise hosts. A Trojan horse is a program that looks useful but also carries malicious code. Trojan horses are often provided with free online programs such as computer games. Unsuspecting users download and install the game, installing the Trojan malware.

There are several types of Trojan horses as described in Figure 3.

Viruses and Trojan horses are only two types of malware that cybercriminals use. There are many other types of malware that have been designed for specific purposes.

There are 3 figures on the page.

Figure 1: A list about viruses. Viruses can:

  • Alter, corrupt, or delete files, or erase entire computer drives.
  • Cause computer booting issues.
  • Corrupt applications.
  • Capture and send sensitive information to attackers.
  • Access and use email accounts to spread.
  • Lay dormant until summoned by the attacker.

Figure 2: A table with two columns, Type of Virus and Description.

  • Boot sector virus: attacks the boot sector, file partition table, or file system.
  • Firmware virus: attacks the device firmware.
  • Macro virus: uses the MS Office macro feature maliciously.
  • Program virus: inserts itself in another executable program.
  • Script virus: attacks the OS interpreter that is used to execute scripts.

Figure 3: A table with two columns, Type of Trojan Horse and Description.

  • Remote-access: enables unauthorized remote access.
  • Data-sending: provides the attacker with sensitive data, such as passwords.
  • Destructive: corrupts or deletes files.
  • Proxy: uses the victim’s computer as the source device to launch attacks and perform other illegal activities.
  • FTP: enables unauthorized file transfer services on end devices.
  • Security software disabler: stops antivirus programs or firewalls from functioning.
  • Denial of Service (DoS): slows or halts network activity.
  • Keylogger: actively attempts to steal confidential information, such as credit card numbers, by recording keystrokes entered into a web form.