Topic 8C: Troubleshoot Workstation Security Issues
Configure Scheduled Scans:
All security software supports scheduled scans. These scans can impact performance, however, so it is best to run them when the computer is otherwise unused. You also need to configure the security software to perform malware-pattern and antivirus-engine updates regularly.
QUIZ: Why is DNS configuration a step in the malware remediation process?
Compromising domain-name resolution is a very effective means of redirecting users to malicious websites. Following malware infection, it is important to ensure that DNS is being performed by valid servers.
QUIZ: Another user calls to say he is trying to sign on to his online banking service, but the browser reports that the certificate is invalid. Should the bank update its certificate, or do you suspect another cause?
It would be highly unlikely for a commercial bank to allow its website certificates to run out of date or otherwise be misconfigured. You should strongly suspect redirection by malware or a phishing/pharming scam.
Troubleshoot Browser Symptoms:
Malware often targets the web browser. Common symptoms of infection by spyware or adware are random or frequent pop-ups, installation of additional toolbars, a sudden change of home page or search provider, searches returning results that are different from other computers, slow performance, and excessive crashing. Viruses and Trojans may spawn pop-ups without the user opening the browser.
Troubleshoot Desktop Symptoms:
The multiple classifications for malware vectors and payloads mean that there can be very many different symptoms of security issues. In very general terms, any sort of activity or configuration change that was not initiated by the user is a good reason to suspect malware infection.
QUIZ: Why might you need to use a virus encyclopedia?
You might need to verify symptoms of infection. Also, if a virus cannot be removed automatically, you might want to find a manual removal method. You might also want to identify the consequences of infection—whether the virus might have stolen passwords, and so on.
Configure On-Access Scanning:
Almost all security software is now configured to scan on-access. On-access means that the A-V software intercepts an OS call to open a file and scans the file before allowing or preventing it from being opened. This reduces performance somewhat but is essential to maintaining effective protection against malware.
OS Reinstallation:
Antivirus software will not necessarily be able to recover data from infected files. Also, if malware gains a persistent foothold on the computer, you might not be able to run antivirus software anyway and would have to perform a complete system restore. This involves reformatting the disk, reinstalling the OS and software (possibly from a system image snapshot backup), and restoring data files from a (clean) backup.
QUIZ: Why might a PC infected with malware display no obvious symptoms?
If the malware is used with the intent to steal information or record behavior, it will not try to make its presence obvious. A rootkit may be very hard to detect even when a rigorous investigation is made.
Disable System Restore:
Once the infected system is isolated, the next step is to disable System Restore and other automated backup systems, such as File History. If you are relying on a backup to recover files infected by malware, you must consider the possibility that the backups are infected too. The safest option is to delete old system restore points and backup copies, but if you need to retain them, try to use antivirus software to determine whether they are infected.
Performance Symptoms:
When the computer is slow or "behaving oddly," one of the things you should suspect is malware infection. Some specific symptoms associated with malware include:
-The computer fails to boot or experiences lockups.
-Performance at startup or in general is very slow.
-The host cannot access the network and/or Internet access or network performance is slow.
The problem here is that performance issues could have a wide variety of other causes. If you identify these symptoms, run an antivirus scan. If this is negative but you cannot diagnose another cause, consider quarantining the system or at least putting it under close monitoring.
Educate the End User:
Another essential malware prevention follow-up action is effective user training. Untrained users represent a serious vulnerability because they are susceptible to social engineering and phishing attacks. Appropriate security-awareness training needs to be delivered to employees at all levels, including end users, technical staff, and executives. Some of the general topics that need to be covered include the following:
-Password and account-management best practices plus security features of PCs and mobile devices.
-Education about common social engineering and malware threats, including phishing, website exploits, and spam, plus alerting methods for new threats.
-Secure use of software such as browsers and email clients plus appropriate use of Internet access, including social networking sites.
-Specific anti-phishing training to identify indicators of spoofed communications, such as unexpected communications, inconsistent sender and reply-to addresses, disguised links and attachments, copied text and images, and social engineering techniques, such as exaggerated urgency or risk claims.
Continuing education programs ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changing threat types.
File System Errors and Anomalies:
Another marker for malware infection is changes to system files and/or file permissions. Symptoms of security issues in the file system include the following:
-Missing or renamed files.
-Additional executable files with names similar to those of authentic system files and utilities, such as scvhost.exe or ta5kmgr.exe.
-Altered system files or personal files with date stamps and file sizes that are different from known-good versions.
-Files with changed permissions attributes, resulting in "Access Denied" errors.
These sorts of issues are less likely to have other causes, so you should quarantine the system and investigate it closely.
Best Practices for Malware Removal:
CompTIA has identified a seven-step best practice procedure for malware removal:
1. Investigate and verify malware symptoms.
2. Quarantine infected systems.
3. Disable System Restore in Windows.
4. Remediate infected systems: update anti-malware software and use scanning and removal techniques.
5. Schedule scans and run updates.
6. Enable System Restore and create a restore point in Windows.
7. Educate the end user.
Most malware is discovered via on-access scanning by an antivirus product. If the malware is sophisticated enough to evade automated detection, the symptoms listed above may lead you to suspect infection. Antivirus vendors maintain malware encyclopedias ("bestiaries") with complete information about the type, symptoms, purpose, and removal of viruses, worms, Trojans, and rootkits. These sources can be used to verify the symptoms that you discover on a local system against known malware indicators and behaviors.
Infected System Quarantine:
Following the seven-step procedure, if symptoms of a malware infection are detected and verified, the next steps should be to apply a quarantine and disable System Restore.
Quarantine Infected Systems:
If a system is "under suspicion," do not allow users with administrative privileges to sign in—either locally or remotely—until it is quarantined. This reduces the risk that malware could compromise a privileged account. Putting a host in quarantine means that it is not able to communicate on the main network. Malware such as worms propagates over networks. A threat actor might use backdoor malware to attempt to access other systems. This means that one of the first actions should be to disconnect the network link. Move the infected system to a physically or logically secure segment or sandbox. To remediate the system, you might need network access to tools and resources, but you cannot risk infecting the production network. Also consider identifying and scanning any removable media that has been attached to the computer. If the virus was introduced via USB stick, you need to find it and remove it from use. Viruses could also have infected files on any removable media attached to the system while it was infected.
QUIZ: You receive a support call from a user who is "stuck" on a web page. She is trying to use the Back button to return to her search results, but the page just displays again with a pop-up message. Is her computer infected with malware?
If it only occurs on certain sites, it is probably part of the site design. A script running on the site can prevent use of the Back button. It could also be a sign of adware or spyware though, so it would be safest to scan the computer using up-to-date anti-malware software.
Re-enable System Restore and Services:
If you disabled System Restore and automatic backups, you should re-enable them as part of the recommissioning process:
-Create a fresh restore point or system image and a clean data backup.
-Validate any other security-critical services and settings that might have been compromised by the malware.
-Verify DNS configuration—DNS spoofing allows attackers to direct victims away from the legitimate sites they were intending to visit and toward fake sites. As part of preventing reinfection, you should inspect and re-secure the DNS configuration.
-Re-enable software firewalls—If malware was able to run with administrative privileges, it may have made changes to the software (host) firewall configuration to facilitate connection with a C&C network. An unauthorized port could potentially facilitate reinfection of the machine. You should inspect the firewall policy to see if there are any unauthorized changes. Consider resetting the policy to the default.
Rootkits:
In Windows, malware can only be manually installed with local administrator privileges. This means the user must be confident enough in the installer package to enter the credentials or accept the User Account Control (UAC) prompt. Additionally, Windows tries to protect the OS files from abuse of administrator privileges. Critical processes run with a higher level of privilege (SYSTEM). Consequently, Trojans installed in the same way as regular software cannot conceal their presence entirely and will show up as a running process or service. Often the process image name is configured to be similar to a genuine executable or library to avoid detection. For example, a Trojan may use the filename "run32d11" to masquerade as "run32dll". To ensure persistence, the Trojan may have to use a registry entry or create itself as a service. All these techniques are relatively easy to detect and remediate. If the malware can be delivered as the payload for an exploit of a severe vulnerability, it may be able to execute without requiring any authorization using SYSTEM privileges. Alternatively, the malware may be able to use an exploit to escalate privileges after installation. Malware running with this level of privilege is referred to as a rootkit. The term derives from UNIX/Linux where any process running as root has unrestricted access to everything from the root of the file system down. In theory, there is nothing about the system that a rootkit could not change. In practice, Windows uses other mechanisms to prevent misuse of kernel processes, such as code signing (microsoft.com/security/blog/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard). Consequently, what a rootkit can do depends largely on adversary capability and level of effort.
When dealing with a rootkit, you should be aware that there is the possibility that it can compromise system files and programming interfaces so that local shell processes, such as Explorer or Task Manager on Windows, ps or top on Linux, and port-listening tools (netstat, for example), no longer reveal their presence (when run from the infected machine, that is). A rootkit may also contain tools for cleaning system logs, further concealing its presence.
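The file-system symptoms section above lists executables with names that imitate genuine system files (scvhost.exe, ta5kmgr.exe), and the rootkit section describes the same trick with digits standing in for letters. The following is an added example, not part of the study notes, of how a technician might check a list of process or file names against a known-good baseline: it normalises common digit-for-letter substitutions and then measures edit distance (with adjacent transpositions counted as one edit) so that both kinds of lookalike are caught. The KNOWN_GOOD list is a constructed sample; a real baseline would be exported from a known-good image of the same Windows build.

```python
# Added example (not from the study notes): flag names that masquerade as
# Windows system executables. KNOWN_GOOD is a constructed, deliberately short
# baseline; HOMOGLYPHS covers the digit-for-letter swaps the notes describe.
KNOWN_GOOD = {
    "svchost.exe", "taskmgr.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "rundll32.exe", "services.exe",
}

# Each digit maps to the letter it visually imitates, so "ta5kmgr" -> "taskmgr".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s"})


def normalise(name):
    """Lower-case the name and undo common digit-for-letter substitutions."""
    return name.lower().translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute and
    adjacent swap each cost 1, so 'scvhost' vs 'svchost' is distance 1."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify(name):
    """Return ('known-good', name), ('lookalike', genuine_name) or ('unknown', None).

    A name is a lookalike when it is not itself in the baseline but, after
    normalisation, sits within one edit of a baseline entry."""
    low = name.lower()
    if low in KNOWN_GOOD:
        return ("known-good", low)
    norm = normalise(low)
    nearest = min(sorted(KNOWN_GOOD), key=lambda g: edit_distance(norm, normalise(g)))
    if edit_distance(norm, normalise(nearest)) <= 1:
        return ("lookalike", nearest)
    return ("unknown", None)


def audit(names):
    """Return only the suspicious entries as (observed name, genuine name) pairs."""
    suspicious = []
    for name in names:
        verdict, genuine = classify(name)
        if verdict == "lookalike":
            suspicious.append((name, genuine))
    return suspicious


if __name__ == "__main__":
    # Constructed sample of names as they might appear in Task Manager.
    for entry in audit(["svchost.exe", "scvhost.exe", "ta5kmgr.exe", "notepad.exe"]):
        print("lookalike:", entry)
```

Names that fall outside the baseline without resembling anything in it come back as "unknown" rather than suspicious; on a real system the baseline would be large enough that "unknown" itself is worth a second look, and the check should be run from clean media rather than from the suspect host, for the reason the rootkit section gives.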
Recovery Mode:
Infection by advanced malware might require manual removal steps to disable persistence mechanisms and reconfiguration of the system to its secure baseline. For assistance, check the website and support services for your antivirus software, but in general terms, manual removal and reconfiguration will require the following tools:
-Use Task Manager to terminate suspicious processes.
-Execute commands at a command prompt terminal, and/or manually remove registry items using regedit.
-Use msconfig to perform a safe boot or boot into Safe Mode, hopefully preventing any infected code from running at startup.
-Boot the computer using the product disc or recovery media, and use the Windows Preinstallation Environment (WinPE) to run commands from a clean command environment.
-Remove the disk from the infected system, and scan it from another system, taking care not to allow cross-infection.
QUIZ: Early in the day, a user called the help desk saying that his computer is running slowly and freezing up. Shortly after this user called, other help desk technicians who overheard your call also received calls from users who report similar symptoms. Is this likely to be a malware infection?
It is certainly possible. Software updates are often applied when a computer is started in the morning, so that is another potential cause, but you should investigate and log a warning so that all support staff are alerted. It is very difficult to categorize malware when the only symptom is performance issues. However, performance issues could be a result of a badly written Trojan, or a Trojan/backdoor application might be using resources maliciously (for DDoS, Bitcoin mining, spam, and so on).
Malware Vectors:
Malware is usually simply defined as software that does something bad, from the perspective of the system owner. The more detailed classification of different malware types helps to identify the likely source and impact of a security incident. Some malware classifications focus on the vector used by the malware. The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts. The following categories describe some types of malware according to vector:
-Viruses—These are concealed within the code of an executable process image stored as a file on disk. In Windows, executable code has extensions such as .EXE, .MSI, .DLL, .COM, .SCR, and .JAR. When the program file is executed, the virus code is also able to execute with the same privileges as the infected process. The first viruses were explicitly created to infect other files as rapidly as possible. Modern viruses are more likely to use covert methods to take control of the host.
-Boot sector viruses—These infect the boot sector code or partition table on a disk drive. When the disk is attached to a computer, the virus attempts to hijack the bootloader process to load itself into memory.
-Trojans—This is malware concealed within an installer package for software that appears to be legitimate. The malware will be installed alongside the program and execute with the same privileges. It might be able to add itself to startup locations so that it always runs when the computer starts or the user signs in. This is referred to as persistence.
-Worms—These replicate between processes in system memory rather than infecting an executable file stored on disk. Worms can also exploit vulnerable client/server software to spread between hosts in a network.
-Fileless malware—This refers to malicious code that uses the host's scripting environment, such as Windows PowerShell or PDF JavaScript, to create new malicious processes in memory. As it may be disguised as script instructions or a document file rather than an executable image file, this type of malware can be harder to detect.
Backdoors:
Modern malware is usually designed to implement some type of backdoor, also referred to as a remote access Trojan (RAT). Once the malware is installed, it allows the threat actor to access the PC, upload/exfiltrate data files, and install additional malware tools. This could allow the attacker to use the computer to widen access to the rest of the network or to add it to a botnet and launch distributed denial of service (DDoS) attacks or mass-mail spam. Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network. There are many means of implementing a covert C&C channel to evade detection and filtering. Historically, the Internet relay chat (IRC) protocol was popular. Modern methods are more likely to use command sequences embedded in HTTPS or DNS traffic.
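The notes say that modern C&C channels are more likely to hide command sequences in HTTPS or DNS traffic than to use IRC. The block below is an added example, not part of the study notes, of the kind of check a defender can run over DNS resolver logs to spot a domain being used to carry data in query names: it groups queries by client and registered domain and flags pairs with many distinct subdomains, very long labels, or a high share of TXT lookups. The log format, the client addresses and the tunnel.example domain are all constructed for the demo, and the "last two labels" rule for the registered domain is a simplification that real tooling would replace with the Public Suffix List.

```python
# Added example (not from the study notes): heuristic detection of DNS-carried
# C2 traffic in resolver logs. Every line, address and domain below is constructed.
from collections import defaultdict

# Constructed log lines in the form "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.1.2.34 A www.microsoft.com
2024-05-01T09:00:02Z 10.1.2.34 A update.windowsupdate.microsoft.com
2024-05-01T09:00:05Z 10.1.2.34 TXT 6a7b8c9d0e1f2a3b4c5d.c2.tunnel.example
2024-05-01T09:00:06Z 10.1.2.34 TXT 1f2e3d4c5b6a7980a1b2.c2.tunnel.example
2024-05-01T09:00:07Z 10.1.2.34 TXT 9c8b7a6f5e4d3c2b1a00.c2.tunnel.example
2024-05-01T09:00:08Z 10.1.2.34 TXT 0011223344556677aabb.c2.tunnel.example
2024-05-01T09:00:09Z 10.1.2.34 TXT ccddeeff00112233aabb.c2.tunnel.example
2024-05-01T09:00:10Z 10.1.2.50 A www.microsoft.com
"""


def parse(log):
    """Yield (client, qtype, qname) from the constructed log format."""
    for raw in log.splitlines():
        parts = raw.split()
        if len(parts) != 4:
            continue                      # blank or malformed line
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname.lower().rstrip(".")


def split_domain(qname):
    """Approximate the registered domain as the last two labels and return
    (registered_domain, [subdomain labels]). A Public Suffix List lookup
    would be needed to handle names such as example.co.uk correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]), labels[:-2]


def find_suspects(log, max_label=40, max_unique=5):
    """Return [(client, domain, [reasons])] for (client, domain) pairs whose
    query pattern looks like data being encoded into the query names."""
    subs = defaultdict(set)                   # key -> distinct subdomain strings
    counts = defaultdict(lambda: [0, 0])      # key -> [total queries, TXT queries]
    long_label = set()
    for client, qtype, qname in parse(log):
        domain, sub = split_domain(qname)
        key = (client, domain)
        counts[key][0] += 1
        counts[key][1] += 1 if qtype == "TXT" else 0
        if sub:
            subs[key].add(".".join(sub))
        if any(len(label) > max_label for label in sub):
            long_label.add(key)
    findings = []
    for key in sorted(counts):
        reasons = []
        if len(subs[key]) >= max_unique:
            reasons.append(f"{len(subs[key])} distinct subdomains")
        if key in long_label:
            reasons.append(f"label longer than {max_label} chars")
        total, txt = counts[key]
        if txt and txt / total >= 0.5:
            reasons.append(f"{txt} of {total} queries are TXT")
        if reasons:
            findings.append((key[0], key[1], reasons))
    return findings


if __name__ == "__main__":
    for client, domain, reasons in find_suspects(SAMPLE_LOG):
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

The thresholds are deliberately low so the constructed sample trips them; in production they would be tuned against a baseline of normal traffic, and a hit is a reason to quarantine and investigate the client, not proof of compromise on its own.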
Malware Infection Prevention:
Once a system has been cleaned, you need to take the appropriate steps to prevent reinfection.
Application Crashes and Service Problems:
One of the key indicators of malware infection is that security-related applications, such as antivirus, firewall, and Windows Update, stop working. You might notice that OS updates and virus definition updates fail. You might also notice that applications or Windows tools (Task Manager, for instance) stop working or crash frequently. Software other than Windows is often equally attractive for malware writers as not all companies are diligent in terms of secure coding. Software that uses browser plug-ins is often targeted; examples include Adobe's Reader software for PDFs and Flash Player. If software from a reputable vendor starts crashing (faulting) repeatedly, suspect malware infection and apply quarantining/monitoring procedures.
Ransomware:
Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.
Crypto-ransomware attempts to encrypt files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate unless the user has up-to-date backups. One example of crypto-ransomware is Cryptolocker, a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of money before a certain countdown time, after which the malware destroys the key that allows the decryption.
Ransomware uses payment methods such as wire transfer, cryptocurrency, or premium-rate phone lines to allow the attacker to extort money without revealing his or her identity or being traced by local law enforcement.
Redirection:
Redirection is where the user tries to open one page but gets sent to another. Often this may imitate the target page. In adware, this is just a blunt means of driving traffic through a site, but spyware may exploit it to capture authentication details. Redirection may occur when entering URLs manually or when performing searches. If a user experiences redirection, check the HOSTS file for malicious entries. HOSTS is a legacy means of mapping domain names to IP addresses and is a popular target for malware. Also verify which DNS servers the client is configured to use. Compare the search results returned by a suspect machine with those from a known-good workstation.
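Both the recommissioning checklist (verify DNS configuration) and the redirection section above tell the technician to inspect HOSTS and the configured DNS servers. This added example, which is not part of the study notes, shows both checks as code: it parses a HOSTS file in the Windows format, reports hostnames pinned to a non-loopback address (possible redirection) and hostnames sent to a loopback or unspecified address (sinkholing, the trick used to block update and vendor sites), and then compares the client's resolver list against an approved set. The HOSTS content, the IP addresses and the domain names are constructed for the demo.

```python
# Added example (not from the study notes): audit a HOSTS file and a DNS
# resolver list for the tampering the redirection section describes.
# All addresses and names below are constructed samples.
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# Constructed sample of C:\\Windows\\System32\\drivers\\etc\\hosts
# 127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
# the two entries below imitate what malware adds (constructed)
203.0.113.45    www.onlinebank.example onlinebank.example
0.0.0.0         update.av-vendor.example
"""

# Names that are legitimately mapped to a loopback address on any host.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, ignoring comments and blanks.
    One line may list several hostnames after the address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # not an address: skip it
        for host in parts[1:]:
            yield ip, host.lower()


def audit_hosts(text):
    """Return [(kind, hostname, ip)] where kind is 'redirected' (hostname pinned
    to a real address, bypassing DNS) or 'sinkholed' (hostname sent to
    127.0.0.1/0.0.0.0, which blocks updates and vendor sites)."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if host not in LOCAL_NAMES:
                findings.append(("sinkholed", host, str(ip)))
        else:
            findings.append(("redirected", host, str(ip)))
    return findings


def audit_dns_servers(configured, approved):
    """Return the configured resolvers that are not on the approved list."""
    approved_set = {ipaddress.ip_address(a) for a in approved}
    return [s for s in configured if ipaddress.ip_address(s) not in approved_set]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
    # Constructed resolver list versus the organisation's approved resolvers.
    print(audit_dns_servers(["10.0.0.53", "198.51.100.9"], ["10.0.0.53", "10.0.0.54"]))
```

On a managed workstation any non-local entry in HOSTS is worth explaining, but some ad-blocking tools legitimately write large sinkhole lists, so the "sinkholed" findings should be read against what is known to be installed; the DNS check is only as good as the approved list, which should come from the organisation's network documentation rather than from the suspect host.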
Spyware and Keyloggers:
Spyware is malware that can perform browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening arbitrary pages at startup, adding bookmarks, and so on. Spyware might also be able to monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform DNS redirection to spoofed sites. A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data. Keyloggers are not only implemented as software. A malicious script can transmit key presses to a third-party website. There are also hardware devices that capture key presses, such as a modified USB adapter inserted between the keyboard and the port.
Malware Removal Tools and Methods:
The main tool to use to try to remediate an infected system will be antivirus software, though if the software has not detected the virus in the first place, you are likely to have to use a different suite. Make sure the antivirus software is fully updated before proceeding. This may be difficult if the system is infected, however. It may be necessary to remove the disk and scan it from a different system. While there were differences in the past, the terms antivirus and anti-malware are synonymous. Almost every antivirus product protects against a broad range of virus, worm, fileless malware, Trojan, rootkit, ransomware, spyware, and cryptominer threats. If a file is infected with a virus, you can (hopefully) use antivirus software to try to remove the infection (cleaning), quarantine the file (the antivirus software blocks any attempt to open it), or erase the file. You might also choose to ignore a reported threat if it is a false positive, for instance. You can configure the default action that software should attempt when it discovers malware as part of a scan.
Certificate Warnings:
When you browse a site using a certificate, the browser displays the information about the certificate in the address bar. If the certificate is untrusted or otherwise invalid, the padlock icon is replaced by an alert icon, the URL is displayed with strikethrough formatting, and the site content is likely to be blocked by a warning message. There are many causes of certificate warnings. Some of the most common are:
-The certificate is self-signed or issued by a CA that is not trusted.
-The FQDN requested by the browser is different from the subject name listed in the certificate.
-The certificate has expired or is listed as revoked.
Each of these warnings could either indicate that the site is misconfigured or that some malware on the computer is attempting to redirect the browser to a spoofed page. Analyze the certificate information and the URL to determine the likely cause. Improper use of certificates is also an indicator for a type of on-path attack by a malicious proxy:
1. A user requests a connection to a secure site and expects the site's certificate.
2. Malware on the host or some type of evil-twin access point intercepts this request and presents its own spoofed certificate to the user/browser. Depending on the sophistication of the attack, this spoof certificate may or may not produce a browser warning. If the malware is able to compromise the trusted root certificate store, there will be no warning.
3. If the browser accepts this certificate or the user overrides a warning, the malware implements a proxy and forwards the request to the site, establishing a session.
4. The user may think he or she has a secure connection to the site, but in fact the malware is in the middle of the session and is able to intercept and modify all the traffic that would normally be encrypted.
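The three warning causes listed above are exactly the checks a browser performs before showing the padlock. The following is an added example, not part of the study notes, that applies those checks to a certificate described as a plain dictionary: issuer trust (including the self-signed case), FQDN-to-subject matching with the usual rule that a wildcard may only stand for the single leftmost label, validity dates, and revocation status. It is meant for walking through why a warning appeared, not as a replacement for the browser's own validation, and the trust store, certificates and dates are all constructed for the demo.

```python
# Added example (not from the study notes): reproduce the checks behind the
# three common certificate warnings. TRUSTED_ISSUERS and both certificates
# are constructed stand-ins, not real CAs or sites.
from datetime import datetime, timezone

TRUSTED_ISSUERS = {"Example Public Root CA"}   # stand-in for the OS trust store


def hostname_matches(requested, pattern):
    """Case-insensitive match of a requested FQDN against a certificate name.
    A wildcard is accepted only as the entire leftmost label and matches
    exactly one label, so *.bank.example covers mail.bank.example but not
    bank.example or a.b.bank.example."""
    requested = requested.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return requested == pattern
    r_labels = requested.split(".")
    p_labels = pattern.split(".")
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]


def certificate_warnings(requested_fqdn, cert, trusted=TRUSTED_ISSUERS, now=None):
    """Return the list of warnings a browser would raise for this certificate,
    or an empty list when the certificate is acceptable for requested_fqdn."""
    now = now or datetime.now(timezone.utc)
    warnings = []
    # 1. Trust: a self-signed certificate has issuer == subject; otherwise the
    #    issuer must be a CA the client trusts.
    if cert["issuer"] == cert["subject"]:
        warnings.append("self-signed")
    elif cert["issuer"] not in trusted:
        warnings.append("untrusted issuer")
    # 2. Name: the requested FQDN must match the subject or one of the SANs.
    names = [cert["subject"]] + cert.get("sans", [])
    if not any(hostname_matches(requested_fqdn, n) for n in names):
        warnings.append("name mismatch")
    # 3. Validity window and revocation status.
    if not (cert["not_before"] <= now <= cert["not_after"]):
        warnings.append("expired or not yet valid")
    if cert.get("revoked"):
        warnings.append("revoked")
    return warnings


# Constructed certificates: one issued by the stand-in trusted CA, and one
# self-signed copy of the same names such as a malicious proxy might present.
BANK_CERT = {
    "subject": "online.bank.example",
    "sans": ["online.bank.example", "*.bank.example"],
    "issuer": "Example Public Root CA",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "revoked": False,
}
SPOOF_CERT = dict(BANK_CERT, issuer="online.bank.example")

if __name__ == "__main__":
    check_time = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print(certificate_warnings("online.bank.example", BANK_CERT, now=check_time))
    print(certificate_warnings("online.bank.example", SPOOF_CERT, now=check_time))
```

Step 2 of the on-path sequence above is the case where the attacker has added their own CA to the trust store; in this model that is the same as adding a name to TRUSTED_ISSUERS, which is why the spoofed certificate would then pass without a warning and why the trust store itself has to be checked when certificate behaviour looks wrong.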
Desktop Alerts and Notifications:
While there are some critical exploits that allow malicious code to execute without authorization, to infect a fully patched host, malware usually requires the user to explicitly install the product and confirm the UAC consent prompt. However, the malware may be able to generate something that looks like a Windows notification without being fully installed. One technique is to misuse the push notification system that allows a website to send messages to a device or app. The notification will be designed to trick or frighten the user into installing the malware by displaying a fake virus alert, for example. A notification may also link to a site that has a high chance of performing a drive-by download on an unpatched host. Rogue antivirus is a particularly popular way to disguise a Trojan. In the early versions of this attack, a website would display a pop-up disguised as a normal Windows dialog box with a fake security alert, warning the user that viruses have been detected. As browsers and security software have moved to block this vector, cold-calling vulnerable users, then claiming to represent Microsoft support or the user's ISP and asking them to enable a remote desktop tool, has become a popular attack.