Testout 7.0 14.7 Malware Protection
Ransomware
scans a victim's computer for files and encrypts the files so the user is unable to access them. The user typically must pay a ransom to get the decryption key. There is no guarantee that the hacker will actually send the decryption key once the victim has paid the ransom.
Once you have cleared the device of malware, take steps to prevent future infections. The following steps will help prevent future infections:
- Configure the anti-malware software to automatically update its definition database and run full system scans.
- Re-enable System Restore and create a restore point.
- Perform a full system backup and save it to an external device.
- Educate the end user on malware prevention.
The first step in the remediation process is to disable Windows System Restore because:
- Many malware programs embed copies of themselves in the System Restore files.
- If you attempt to reboot or to perform a system restore, the malware will reinfect the machine.
- By disabling System Restore, you remove the malware copy so it cannot reinfect the system.
A Trojan horse infection may exhibit the following symptoms:
- Screen settings change by themselves.
- Chat boxes appear.
- Account passwords are changed.
- Legitimate accounts are accessed without authorization.
- Unknown purchase statements appear on credit card bills.
- Ctrl+Alt+Del stops working.
If a computer begins exhibiting abnormal symptoms with no identifiable cause, check for a Trojan horse infection.
A boot sector virus replicates every time the computer reboots. This makes it difficult to remove. You can remove it using the:
- Windows Recovery Console to recreate the Master Boot Record.
- If this does not work, you might have to reinstall Windows.
Virus
A type of malware that is self-replicating. It is designed to replicate itself throughout the computer and modify existing programs. Damaging the computer system is often the goal. It must attach itself to a legitimate program to run.
If your computer is infected, you may need to remove the hard drive and transfer it to a sheep dip computer for analysis. A sheep dip computer:
- Is isolated from the network.
- Has port monitors, file monitors, and anti-malware software installed.
- Analyzes malware infections and clears the infection.
Preventing a malware infection should be a priority for all organizations. Educating users on malware prevention is one of the most effective steps you can take. Educate users to:
- Not click on links inside of an email.
- Not open an attachment from an unknown source.
- Go only to known and trusted websites.
- Know the signs of a phishing attack.
When a malware infection is suspected, investigate the situation and verify that the symptoms are not from other causes. Common malware symptoms include:
- Slow-running device
- Files deleted, renamed, or altered
- Heavy network traffic
- Inability to access the internet
- Pop-up ads
- False anti-virus software
If you confirm a malware infection, immediately quarantine the system to prevent the malware from spreading through the network. Immediately remove the device from the network, and disconnect shared drives and connections with other devices.
A Trojan horse
provides the hacker with covert remote access to the victim's system. These programs are hidden inside a legitimate program. When the user runs that program, the Trojan horse runs in the background without the user's knowledge, giving the hacker remote access.
After disabling Windows System Restore, the next step is to verify that the anti-malware software is up to date; then run a deep malware scan. However, you should not perform the malware scan in a normal Windows environment. At minimum, boot Windows into Safe Mode to run the scan. You can also use a USB drive to boot the computer into a Windows Pre-Installation Environment (WinPE).
You may need to take additional steps after running anti-malware scans. For example, determine if you must manually repair specific files, registry keys, or settings.
You should ensure that anti-malware software is installed on all devices. This includes anti-virus software and either a hardware or software firewall.
Windows comes pre-loaded with the anti-malware program Windows Defender already enabled. If a third-party program is installed, Windows Defender automatically disables itself.
A unique virus is more difficult for antivirus software to detect, but it does require programming knowledge.
Spyware
collects and then forwards information regarding the victim's computer activities. While this type of malware is typically not destructive, it is extremely invasive. Spyware not only monitors a user's web browsing activities, but also can gather information on a user's computer usage including applications used.
Rootkit
consists of programs that give the hacker root (administrator) access to the target machine. These programs can also install keyloggers and other malicious software.
A virus-making tool allows the hacker to define what the virus does and how it replicates.
All malware programs have a unique fingerprint called a definition, and anti-malware programs keep a database of these definitions. Make sure that the anti-malware program's definition files are up to date so it can detect an infection and remove it.
WinPE
is a lightweight version of Windows that boots from the USB drive. It is typically used to help deploy Windows in an enterprise environment or for troubleshooting Windows issues. Some WinPE images come with anti-malware software already installed.
A keylogger
logs every keystroke the user makes and then sends the keystroke report to the hacker. The hacker can use the log to discover the user's personal information, logins, etc.
Cryptominer
Malware that uses the victim computer's resources to mine for cryptocurrency on behalf of the hacker. This causes the computer to run extremely slowly, overheat, and possibly physically damage its components.
A boot sector virus
moves the master boot record (MBR) to another location on the hard drive and embeds itself in the original location. When the computer boots, the virus runs first, then passes control to the MBR.