You probably don’t think your PC has been hacked, but Jane Hoskyn begs to differ. Here she reveals how to discover hidden malware and remove it for ever
Malware and human disease thrive on silence and invisibility. If the tiniest cancer cell gave you a polka-dot face, you’d seek treatment immediately, and you’d probably be OK, because the evil invader would never have a chance to spread.
Similarly, malware infections are best caught early, before they can spread and do terrible damage. If malware signposted its arrival by slapping “You’ve been malwared!” across your monitor, you’d download a tool to blitz it, and then get on with your life. But hackers don’t want you to know you’ve been hacked.
They create silent imposters that can lurk in your system for years, stealing your bank details, passwords and other sensitive data while you’re blissfully unaware. Even ransomware can fester silently in your PC before it splashes a ransom demand on your screen.
We’ll start this feature by revealing the latest silent killers that may be hiding in your PC - or your phone, tablet and router. Then we’ll show you how to find these and other hidden nasties. Be prepared - there may be more than you’d expected. The good news is we’ll then offer ways to kick out and keep out the silent killers.
HACKERS’ LATEST MALWARE TACTICS
The worst malware is now even worse
In our article (The Worst Malware Ever), we warned that malware was more dangerous than ever - and that it would get more and more dangerous as the months go by.
Security and software firms, including Microsoft, are trapped in a constant game of ‘anything you can do, I can do better’ with hackers. If Microsoft fixes a security hole, hackers soon find a new vulnerability to exploit. When your antivirus (AV) identifies a new threat and updates its definitions to blacklist the offender, the offender looks for (or forces) a new way in.
Malware never surrenders. It returns to the drawing board and bounces back stronger, harder to remove and - the best survival strategy of all - harder to detect.
Before we show how to find and kill the malware that’s hiding in your PC, we’ll offer some examples to put the dangers in context. Here are seven deadly threats that may be wreaking havoc inside your computer right now, hidden not just from you but also from your operating system (OS), browser and even your AV.
AV-hijacking Trojans
Trojans are malicious files masquerading as legitimate files, programs or updates. The term, as you’d guess, comes from the ancient story of the Greeks who hid inside a wooden horse to sneak into the city of Troy. Three thousand years later, ‘Trojan’ means much the same thing, but without the carpentry. It now describes any strategy for invading a protected place - such as your PC’s operating system (OS) - by pretending to be something it’s not.
The best-known Trojan in recent years is Zeus (also called Zbot), which went undetected in many PCs and plundered victims’ banking details. It has terrifying new competition in the form of Carberp, whose name might make a child giggle but whose code could destroy all your PC’s defences.
As we reported, Carberp’s source code has been released for free online - a terrifying prospect for computer security. It allows hackers all over the world to create new versions of this monster. They all share the key aim of remaining undetected in your PC, according to Kaspersky. Once there, it silently steals your personal data including passwords and bank details. The most frightening incarnation of Carberp (so far, at least) can disable and even remove your installed AV. This makes it harder to detect and remove than even the latest ransomware.
PC-wiping rootkits
If Trojans are malware in disguise, rootkits are smugglers embedded with malware. Once a rootkit has broken into your PC, perhaps by fooling you into clicking a phishing link, it hacks your OS to ensure its malicious cargo remains hidden.
Currently the most frightening example is Popureb, “a small rootkit with a big reputation” according to security firm Sophos (www.snipca.com/19798). Not only does it wrap an invisibility cloak around its dangerous contents, but it embeds itself so deeply into victims’ OS that they’ve been forced to wipe their systems to remove it. Microsoft’s advice is that all rootkit infections should be dealt with by doing a clean install of Windows.
Backdoor intruders
A backdoor isn’t a type of malware, but a deliberately installed flaw in your OS that lets hackers into your PC completely undetected. Backdoors can be installed by Trojans, worms and other malware. Once the flaw is created, hackers can use it to control your PC remotely. It remains hidden, allowing it to create even more backdoors for future use.
Evasion malware
Hackers are now designing malware whose main purpose is to evade detection. Various techniques are used. Some malware, for example, hoodwinks AV programs by changing its server so it no longer matches the AV’s blacklist. Another evasion technique involves setting the malware to run at certain times or following certain actions taken by the user. For example, a hacker can set malware to run during vulnerable periods like booting up, then to remain dormant for the rest of the time.
Word-hijacking ransomware
As if it’s not bad enough to find that an apparently safe file is actually a Trojan, security experts have now found ransomware hidden in Word files (www.snipca.com/19856). Office macros - small, configurable files that trigger an automatic series of actions - seem even more susceptible to ransomware infection, probably because users are prompted to download them. In February, researchers identified ‘Locky’, ransomware that arrives courtesy of a malicious macro in a Word document (www.snipca.com/19857).
Router botnets
A botnet is a series of internet-connected computers or other devices that hackers use to spread spam or malware to other PCs.
If your router, laptop or even your ‘smart’ thermostat is part of a botnet, you’ll almost certainly have no idea about it. And if you don’t know about it, how can you fix it?
Onion ransomware
Tor (aka The Onion Router, www.torproject.org) is free software that lets you browse and communicate anonymously. You can’t be tracked by your ISP, Microsoft or anyone else. It’s used by journalists to protect their sources, and by whistleblowers reporting war atrocities.
Sadly, it’s also very popular with hackers, who use Tor to discuss and distribute malware without being tracked. Poor old Tor has even had its nickname defiled by criminals who’ve created encryption ransomware called ‘Onion’ (www.snipca.com/19832).
Another secretive ransomware variant is CryptoWall 4.0, a new version of the notorious ransomware that’s been updated to evade detection on victims’ PCs.
HIDDEN SIGNS THAT YOU’VE BEEN HACKED
Expect the worst
There’s a pretty good chance there’s malware in your PC. The latest annual Kaspersky Security Bulletin (www.snipca.com/19833) says 34.2 per cent of computers were hit by “at least one” malware attack last year - but we suspect that the real figure is somewhat higher.
The survey only covered users running Kaspersky AV. Along with Norton Security, Kaspersky repeatedly tops the AV tests run by our security team at Dennis Technology Labs (DTL, www.dennistechnologylabs.com). So the incidence of malware on those users’ computers is likely to be lower than on computers running less powerful software or no AV at all.
More to the point, the report only includes malware that was spotted. Undetected malware couldn’t, by definition, be included. To make sure we weren’t being paranoid, we asked DTL if they thought there was malware in our PCs. We expected a complicated reply that meant “maybe”, but the answer was an unequivocal “definitely”.
Watch for early signs
If you’ll forgive us, we’ll use the disease analogy again. By the time you’re too ill to get out of bed, something may be very wrong, and hard to treat. Earlier signs of infection are much more subtle. They may not be hard to see, but they are hard to recognise for what they really are.
Similarly, by the time a ransomware demand is plastered across your screen or your software refuses to run, malware has taken obvious hold of your system and will be hard to root out. It may be even impossible, unless you do the dreaded clean install. So it pays to learn the less obvious signs.
Don’t blame your slow browser on the internet
If your browser has suddenly become achingly slow and crash-prone, your first instinct may be to pick up the phone to your ISP and give them a piece of your mind. Spare them your fury, at least until you’ve checked that the go-slow isn’t caused by something more sinister.
The most likely culprits are third-party toolbars and other PUPs (‘potentially unwanted programs’ - far too polite a phrase) that hitched a lift on to your PC when you installed free software. They pretend to be something they’re not (such as a useful search engine) or don’t fully disclose some of the things they’re going to do (such as track your browsing activity). They also leech processor power, prevent other programs working properly and can be extremely intimidating.
Kaspersky and some other AV companies don’t classify PUPs as malware, but that’s starting to change - quite rightly. AVG, for example, enables PUP and spyware defence by default. We hope to see similar policies taken up by all AV companies.
One significant problem with these hidden browser-hogs is that if you remove them they often regenerate. This is because many of us use syncing tools to keep the same bookmarks and extensions on our computers, laptops and other devices. Once a PUP file hides in Chrome Sync, for example, it can be impossible to remove unless you stop using Chrome Sync. Believe us, we’ve tried everything else.
To weed out troublesome browser extensions, run the free tool Auslogics Browser Care (www.snipca.com/19847). It identifies and removes dodgy extensions automatically. During setup, untick ‘Launch program at Windows startup’. This program does not need to run constantly in the background, and if it runs at startup Windows will take longer to launch.
Rule out other causes of crashes
Regular, unexplained crashes are among the obvious signs of malware infection, but they could also be caused by faulty drivers and other hardware failures.
To rule out hardware culprits, start with the free tool WhoCrashed (www.snipca.com/19849), which has just been updated to support Windows 10.
Click Download at the top of the page, scroll down to ‘WhoCrashed 5.51’ under Crash Analysis Tools, and then click ‘Download free home edition’. Save and run the installer; there’s no rubbish to opt out of. Click Analyze to diagnose crashes. As well as generating a list of suspects, the program also gives you a plain-English report that is much more informative than Windows’ own complicated crash logs.
If you’d rather not install software, use the portable version of NirSoft’s free tool BlueScreenView (www.snipca.com/13102). It gives you a whole load of information about what happened during crashes and lets you run an instant Google search for bugs associated with them. If drivers and other hardware faults don’t seem to be causing your crashes, malware is a likely culprit. In the next section, we’ll explain how to find out.
ROOT OUT HIDDEN MALWARE
Scan your PC for dodgy processes
The new generation of stealth malware doesn’t tend to have obvious giveaway signs, such as weird pop-ups.
The Carberp Trojan is a great (well, notable) example of malware that’s being rebuilt over and over to make it much harder to detect. It’s unlikely to show up in manual malware scanners or even in a full AV scan.
One option is to use tools like the free startup manager Autoruns (www.snipca.com/19839), which lists every single process, service and task that’s active or been active on your PC - including the malicious ones. It’s chiefly used to stop unwanted processes running at startup, but it’s also a brilliant tool for tracking down mysterious items that you didn’t install and whose role you don’t understand. Most of these processes (especially the hidden malware) won’t show up in Task Manager, so don’t even bother using that.
The main downside to Autoruns is that its lists are intimidatingly long. Use the Options menu to narrow it down bit by bit. Tick Hide Empty Locations, then Hide Microsoft Entries, and wait for the list to refresh so it only contains active third-party items. Now read down it and, if you see something you don’t recognise, right-click it and click Search Online (or press Ctrl+M) to run a Google search in your browser.
Google will look for the full file name associated with the process and offer links to relevant pages on security sites like File.net (www.file.net), which reveals whether certain files are safe; Process Library (www.processlibrary.com), which explains what a process is and why it’s running; and the excellent Should I Block It? (www.shouldiblockit.com).
The latest version of Autoruns (v13.51) incorporates the file-checking database VirusTotal (www.virustotal.com) and adds a Check VirusTotal option to the right-click menu.
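As an added example (not code from the article, from Autoruns or from any tool named here), this Python script does in code what the Autoruns walk-through above does by hand: it reads the classic HKCU/HKLM Run keys, pulls the real executable out of each command line (including rundll32 and regsvr32 payloads), flags files sitting in user-writable folders, and produces a SHA-256 you can paste into VirusTotal’s search box. The Run keys, the user-writable-folder heuristic and the constructed sample entries are assumptions; Autoruns itself covers far more startup locations than this.

```python
import hashlib
import os
import re
from pathlib import Path, PureWindowsPath

# First token ending in a program extension, delimited by space, comma or end of line.
EXE_RE = re.compile(r"(.+?\.(?:exe|com|scr|dll|bat|cmd|vbs|js))(?=[\s,]|$)", re.I)
WRAPPERS = ("rundll32.exe", "regsvr32.exe")  # signed Microsoft loaders; the payload is their argument
# Folders legitimate autostart programs rarely use (heuristic chosen for this example).
SUSPECT_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\", "\\users\\public\\")

def extract_exe(command: str) -> str:
    """Return the file that actually runs for a Run-key style command line."""
    command = command.strip()
    if command.startswith('"'):  # quoted path, may contain spaces
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        m = EXE_RE.match(command)
        exe = m.group(1) if m else command.split(" ", 1)[0]
        rest = command[len(exe):].strip()
    if PureWindowsPath(exe).name.lower() in WRAPPERS:
        while rest[:1] in ("/", "-"):  # drop switches such as regsvr32 /s
            rest = rest.split(None, 1)[1] if " " in rest else ""
        return extract_exe(rest) if rest else exe
    return exe

def run_key_entries():
    """(name, command) pairs from the HKCU and HKLM Run keys; Windows only."""
    import winreg
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        with winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
                yield winreg.EnumValue(key, i)[:2]

def triage(entries):
    """Per (name, command): name, real executable, suspect-folder flag and SHA-256
    for a VirusTotal lookup (None when the file is absent: stale entry or hidden file)."""
    rows = []
    for name, command in entries:
        exe = extract_exe(command)
        suspect = any(d in exe.lower() for d in SUSPECT_DIRS)
        digest = hashlib.sha256(Path(exe).read_bytes()).hexdigest() if Path(exe).is_file() else None
        rows.append((name, exe, suspect, digest))
    return rows

SAMPLE_ENTRIES = [  # constructed entries so the script demonstrates itself off Windows
    ("OneDrive", r'"C:\Users\jane\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Windows\system32\rundll32.exe C:\Users\jane\AppData\Local\Temp\upd.dll,Start"),
]

if __name__ == "__main__":
    for name, exe, suspect, digest in triage(run_key_entries() if os.name == "nt" else SAMPLE_ENTRIES):
        print(f"{'SUSPECT' if suspect else 'ok':8}{name:12}{exe}  sha256={digest}")
```

A flagged entry is a lead, not a verdict: check the hash on VirusTotal before removing anything, just as the article advises.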
Scan specific areas of your PC
The free Online Scanner from AV company ESET (www.snipca.com/19848) is not quite as “online” as it makes out - it’s not actually a browser-based tool. We were initially disappointed by that, because browser-based tools tend to be faster and easier to use than traditional installable software, and of course don’t involve having to slog through an installation process.
But ESET Online Scanner is well worth a look, because it lets you scan for hidden malware and dodgy files in certain folders and areas of your PC - and that’s much quicker than doing a full scan.
When you click ‘Run ESET Online Scanner’ a second window opens, inviting you to download ESET Smart Installer. Click the blue ‘esetsmartinstaller_enu.exe’ link, open it and then click Run if prompted by Windows. Tick the ‘Terms of Use’ box and then click Start.
During configuration, click ‘Enable detection of potentially unwanted applications’, then open ‘Advanced settings’ and tick ‘Scan archives’ and ‘Scan for potentially unsafe applications’, and leave the two other boxes ticked. Here’s where you can select certain folders, other destinations and even specific files. The tool has anti-stealth technology built in, which means it can detect and clean hidden files in folders you didn’t even know were there.
Our main beef with ESET is its false-positive habit. It wrongly identified our favourite NirSoft tools as malicious, and they’re certainly not. So before you blitz any file that’s flagged as dodgy, run it through VirusTotal online for a second opinion.
Discover where dodgy files are hiding
Free portable tool Runscanner (www.runscanner.net) scans all your PC’s startup system files, drivers and settings. Malware is fond of installing startup files and leaving them behind, so they run constantly from the moment you boot your PC.
After scanning, the tool reveals which files aren’t behaving as they should, drawing information from its database of over 900,000 system files including EXE, DLL and SYS files - precisely the types of files malware likes to create, infect and/or corrupt, and then leave behind.
To get the program, click Download in the top menu bar, then click Freeware Download and save and run the file. In the small program window, you’re given the choice of using ‘Beginner mode’ or ‘Expert mode’ - the latter lets you make changes to misbehaving Windows files, while Beginner mode does not.
Scan your router for hijackers
You may not consider your router to be part of your computer, but it’s a vital part of your PC setup - and it’s a prime target for botnet attacks. What’s more, you’re unlikely to check your router for bugs or problems unless your internet starts playing up, so it could be part of a malicious botnet for months or years before you have any idea about it.
The good news is that checking your router for botnet activity is very easy, and doesn’t involve downloading or installing any software. Click ‘Start now’ on F-Secure’s free online Router Checker (www.snipca.com/19852) and wait a few seconds while the tool looks for malicious activity such as DNS (domain name server) requests that don’t end up where they’re supposed to go. If it detects any suspicious activity, you’ll be guided through what to do next.
Root out rootkits your AV can’t see
Kaspersky Internet Security 2016 is one of the most powerful and accurate AV products money can buy. But one thing it can’t do is root out rootkits, those invisible smugglers that hack your OS to ensure they remain hidden. So we were pleased and relieved to hear about Kaspersky TDSSKiller, which specifically targets rootkits and won’t conflict with Kaspersky Internet Security or your other choice of installed AV (you should only have one background-running AV installed, or they will effectively cancel each other out).
TDSSKiller is free and open-source, and comes in installable and portable versions. First we tried to download the portable one from this page of the PortableApps.com site: www.snipca.com/19853, but this meant having to install the PortableApps platform first. To avoid this hassle, download the ‘ZIP Version’ from safe download mirror site BleepingComputer (www.snipca.com/19854), which also hosts one of our favourite junk-removing tools, AdwCleaner (www.snipca.com/19855).
BleepingComputer says TDSSKiller only works in Windows 8 and earlier, but it worked fine on our Windows 10 PC. Download and extract the ZIP, then run the program file. It’ll take a few moments to update its virus definitions first. Click ‘Start scan’ to find and remove rootkits and ‘bootkits’ hiding in your PC.
HAVE YOU BEEN HACKED?
SIGNS TO LOOK OUT FOR…
1 You can’t get administrator access on your own PC
2 Your internet searches keep being redirected
3 A file is unexpectedly corrupted or fails to open
4 Your passwords have changed
5 People in your address list get spam emails from you
6 Programs open momentarily and then close, so you can’t use them
7 A file has unexpectedly disappeared
8 You find programs in All Apps (in Windows) or in Autoruns that you didn’t install
9 Your PC keeps connecting to the internet - even when you’re not using it
10 Your printer prints pages that you didn’t ask it to
11 Your browser’s homepage changes and extra toolbars appear
12 Your AV and malware-scanners won’t open or run