roger_grimes
Columnist

How the pros sniff out a malware infection

Analysis
Jan 08, 2013
5 mins
Data and Information Security, Malware, Security

You can't be certain your system is malware-free unless you reformat and reinstall -- and you'll get a superclean PC in the process

In my last column, I talked about making online shopping safer, starting with ensuring your computer isn’t already infected with some devious malware. But I didn’t tell readers how to confirm that their computer wasn’t maliciously compromised from the start.

Let me give it a shot. First, the reality is that without extreme measures (such as comparing every file on your computer to the vendor’s known, legitimate checksum), you can’t have absolute assurance that your computer is malware-free. If you want that, format your computer’s hard drive and reinstall everything from vendor-distributed media and content — then disable the network card and never connect to the Internet.

Unreasonable advice aside, here’s how to determine with some degree of assurance that your computer is malware-free, even after you’ve surfed the Internet. This column contains the steps I take when I try to verify my own computers (or those of my friends or neighbors) aren’t infected.

Prime suspect: Suspicious autostarting programs

The first thing I do is to look for suspicious autostarting programs. Several programs are available to aid in your search, including Silent Runners and HijackThis. I prefer Autoruns, which has an excellent and easy-to-use GUI, allows you to make (and undo) modifications very quickly, and offers a range of choices to verify found executables.

Usually I look for any entries without a verified publisher. Malware sometimes has a verified publisher, but it often doesn’t. Next, I search out executables with extremely random names (for example, xy3Wfi9sh~.exe) located in Windows/System32. Next, I single out executables I don’t recognize or executables related to publishers I don’t recognize. Then I research every last unknown executable and publisher. If I can’t confirm there’s a need for an executable, I prevent it from autostarting and reboot.

Look for unneeded browser add-ons

Using the autostart searching tools mentioned in the previous section or the browser’s own management menus, I review installed browser add-ons and remove any I don’t recognize or don’t need.

Target unexplained network connections

From there, I close all software that might possibly connect to the Internet, starting with the browser, social network tools, or other memory-resident tools that may connect to the Internet.

Then I start a program that will show me all the active network connections to the Internet and what programs, services, and processes are involved. With Microsoft Windows, you can use the built-in command-line program netstat.exe -ano if you don’t have anything else. I prefer Microsoft’s TCPView, but any tool that does the same thing can be used.

Look for and research any process connecting to the Internet you don’t recognize. This part of the search can take a long time and require more investigation. Usually, you’ll find lots of legitimate programs connecting to the Internet; I seldom disconnect any legitimate program. Who knows what you’ll break? I keep an eye out for strange programs I don’t recognize connecting to suspicious-looking websites. You can often use the autostart programs to remove offending software.
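The netstat review described above can be narrowed to the rows worth researching. The following is an added example, not part of the original column: it parses netstat.exe -ano output and groups non-local TCP peers by PID. The sample output is constructed (documentation address ranges), and the function names and the list of "local" ranges are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "not the Internet": loopback, RFC 1918, link-local, IPv6 ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of `netstat.exe -ano` output; peers use documentation ranges.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:5354         127.0.0.1:49690        ESTABLISHED     1820
  TCP    192.168.1.20:49712     203.0.113.45:443       ESTABLISHED     4312
  TCP    192.168.1.20:49713     192.168.1.5:445        ESTABLISHED     4
  TCP    192.168.1.20:49720     198.51.100.7:8080      SYN_SENT        4312
  TCP    [2001:db8::20]:49730   [2001:db8:ffff::9]:443 ESTABLISHED     6120
  UDP    0.0.0.0:5353           *:*                                    1820
"""

def split_endpoint(endpoint):
    """Split '1.2.3.4:443' or '[fe80::1%12]:443' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and zone id
    return ipaddress.ip_address(host), int(port)

def external_connections(netstat_text):
    """Map PID -> sorted list of (remote_ip, port, state) for non-local TCP peers."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns; UDP rows have no State and no peer to report.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        try:
            remote, port = split_endpoint(fields[2])
        except ValueError:
            continue                        # header or unparseable row
        if remote.is_unspecified or any(remote in net for net in LOCAL_NETS):
            continue
        by_pid[int(fields[4])].add((str(remote), port, fields[3]))
    return {pid: sorted(peers) for pid, peers in sorted(by_pid.items())}

if __name__ == "__main__":
    for pid, peers in external_connections(SAMPLE).items():
        for ip, port, state in peers:
            print(f"PID {pid:>5}  {ip}:{port}  {state}")
```

Each PID it reports still has to be mapped to an executable (for example with tasklist or TCPView) and researched as described above.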

If you find something suspicious with any of these steps, disable it from automatically running. As a last-ditch effort, I’ll boot into Safe Boot mode (F5 or F8) or from another OS copy, then rename the suspicious file so that its autoloading program can’t find it. If the file is needed and legitimate, you can rename it and your system will function normally again.

Run antimalware

Last, but not least, try rerunning your antimalware program. Sometimes malware in memory prevents antimalware software from successfully identifying it; when you prevent malware from loading into memory, the antimalware software may do a better job.

I’ve been cleaning PCs like this for over two decades. Normally, I’ll find one or two malware programs and manually remove them from the PC. Then I’ll rerun the antimalware scanner in quick-scan mode, followed by a complete scan. Usually, the antimalware program finds one or two (or 200) hidden malware programs I didn’t pin down. Either way, you should have a significantly cleaner PC.

None of the preceding advice is perfect. Malware is often designed to hide from prying eyes. If you think your computer is still infected after all of the above measures, start fresh: Format and reinstall. Nothing gives peace of mind like knowing for sure that your system isn’t infected. Plus, your computer will run faster and have more disk space — three benefits for the price of one suspicion.

To see how to keep your new install clean, read “The 5 cyber attacks you’re most likely to face.” Follow the countermeasures there and you’ll vastly reduce the chance you’ll need to scour your system again anytime soon.

This story, “How the pros sniff out a malware infection,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
