Hardware, software, wetware, bloatware, crapware… and the newest piece of shiny is on sale now! Far too often users think slow or unreliable performance is just part of the fun of using computers, and when the Internet is slow, it’s because someone in another office is probably watching Netflix.
But whether you are a home user all alone, sharing an Internet connection with friends, family or roommates, or a corporate IT SysAdmin wondering what is going on, you never want to write off slowness as “one of those things”. Chances are, it’s not. It’s a hack.
There are so many successful attacks out in the world right now, and it seems like every week we read about some company or agency that announced a breach. Worse, reports always say the attackers had been in place for months, so many security professionals are moving to a mindset called “assume breach.”
In other words, rather than assuming all is well until they see evidence otherwise, the pros assume that the bad guys are already in, probably have been for some time, and they seek to eradicate them. If, after careful and exhaustive work, they find no evidence that an attacker was in place, they can give themselves a high-five and catch their breath for a moment, but the next day they are back at the same “assume breach” posture because it is the only way they stay diligent.
What are the signs that you’ve been hacked? Here are some tips on how to go about investigating suspicious activity.
For home user and sysadmin
Out of date?
Is your antivirus software out of date, are you missing critical operating system patches, or are you running older programs prone to security risks like media players and file readers? If so, there’s more of a chance you have malware on your machine. The best protection against malware infecting your machine, whether from downloads or attacks over the network, is to ensure that your machines are up to date.
If you now try to update your machine and encounter failures to apply updates or download the latest antivirus definitions, it could be because some malicious software is preventing you from doing so.
Lots of connections?
Does your PC make lots of outbound connections, or do you see a lot of outbound connections on your corporate network that don’t make sense? If you boot your PC into safe mode, you should not see any outbound connections from it. When users are off the clock, you should see very little HTTP or HTTPS traffic from user workstations beyond simple polling for things like sync clients or browsers open to pages that auto-refresh.
Slow times when nothing else is going on
If your corporate Internet access gets slow at odd times and for no good reason, or if your home network speed seems dramatically slower than what you are paying for, there may be something on the network that shouldn’t be there. Whether it is a hacker downloading all your data, a user running a BitTorrent client, or your next door neighbor mooching your Wi-Fi, find what it is and shut it down or shut it off.
At your corporate firewall heading out, you should only see SMTP traffic from your mail servers, DNS traffic from your DNS servers, and mostly just TCP 80 and 443 from your users’ workstations. If you see a workstation making direct SMTP and/or DNS connections to an Internet address, it may well be hacked or running malware that is spewing out spam. If you see a lot of high ports being accessed, or notice sustained connections from workstations, investigate to see whether it is a line-of-business application or an attempt to exfiltrate all your key data.
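The egress baseline above can be checked mechanically against a firewall export. The following is an added example, not part of the original article; the addresses, the log layout (source, destination, protocol, destination port, duration in seconds) and the one-hour "sustained" threshold are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing and threshold for this example (not from the article).
MAIL_SERVERS = {"10.0.0.25"}
DNS_SERVERS = {"10.0.0.53"}
WORKSTATIONS = ipaddress.ip_network("10.0.10.0/24")
SUSTAINED_SECONDS = 3600

# Constructed firewall export: src dst proto dport duration_seconds
SAMPLE_LOG = """\
10.0.0.25 203.0.113.10 tcp 25 12
10.0.0.53 198.51.100.53 udp 53 1
10.0.10.14 203.0.113.80 tcp 443 40
10.0.10.22 203.0.113.77 tcp 25 9
10.0.10.22 198.51.100.9 udp 53 1
10.0.10.31 203.0.113.200 tcp 50123 30
10.0.10.40 203.0.113.201 tcp 443 14400
"""

def check_flow(src, dport, duration):
    """Return the reasons an outbound flow breaks the egress baseline."""
    reasons = []
    is_workstation = ipaddress.ip_address(src) in WORKSTATIONS
    if dport == 25:
        if src not in MAIL_SERVERS:
            reasons.append("direct SMTP from non-mail host")
    elif dport == 53:
        if src not in DNS_SERVERS:
            reasons.append("direct DNS from non-DNS host")
    elif is_workstation and dport not in (80, 443):
        reasons.append("high port" if dport >= 1024 else "unexpected port")
    if is_workstation and duration >= SUSTAINED_SECONDS:
        reasons.append("sustained connection")
    return reasons

def review(log_text):
    """Group flagged flows by source host so each host can be investigated."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, _proto, dport, duration = line.split()
        reasons = check_flow(src, int(dport), int(duration))
        if reasons:
            findings.setdefault(src, []).append((dst, int(dport), reasons))
    return findings

if __name__ == "__main__":
    for host, flows in review(SAMPLE_LOG).items():
        for dst, dport, reasons in flows:
            print(f"{host} -> {dst}:{dport}: {', '.join(reasons)}")
```

A flagged host is a lead to investigate, not a verdict: the high-port or long-lived flow may turn out to be a line-of-business application.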
Log file entries show successful access at odd times?
On the network you should be reviewing access logs, and looking not only at failures, but also at successes at unusual times. Trust me, if you see an entry in a log file that shows I accessed X at 3:30 in the morning… it wasn’t me!
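One way to surface successes at unusual times is to compare each successful logon against the hours that account normally works. This is an added example, not from the original article; the log format, account names and the one-hour tolerance are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

SLACK_HOURS = 1  # assumed tolerance around each hour seen in the baseline

# Constructed log lines: ISO timestamp, user, result, resource.
HISTORY = """\
2024-03-04T08:55:10 alice SUCCESS fileserver
2024-03-04T17:40:02 alice SUCCESS fileserver
2024-03-05T09:05:44 alice SUCCESS vpn
2024-03-04T22:10:00 nightops SUCCESS backup
2024-03-05T02:30:00 nightops SUCCESS backup
"""
REVIEW = """\
2024-03-06T09:12:00 alice SUCCESS fileserver
2024-03-07T03:30:15 alice SUCCESS fileserver
2024-03-07T03:31:00 alice FAILURE vpn
2024-03-07T02:45:00 nightops SUCCESS backup
2024-03-07T10:00:00 bob SUCCESS fileserver
"""

def parse(text):
    for line in text.splitlines():
        if line.strip():
            ts, user, result, resource = line.split()
            yield datetime.fromisoformat(ts), user, result, resource

def usual_hours(history_text):
    """Hours of day (with slack, wrapping past midnight) each user logs on."""
    hours = defaultdict(set)
    for ts, user, result, _ in parse(history_text):
        if result == "SUCCESS":
            for delta in range(-SLACK_HOURS, SLACK_HOURS + 1):
                hours[user].add((ts.hour + delta) % 24)
    return hours

def odd_successes(history_text, review_text):
    """Successful logons outside the account's own baseline hours."""
    baseline = usual_hours(history_text)
    findings = []
    for ts, user, result, resource in parse(review_text):
        if result != "SUCCESS":
            continue
        if user not in baseline:
            findings.append((ts.isoformat(), user, resource, "no baseline for account"))
        elif ts.hour not in baseline[user]:
            findings.append((ts.isoformat(), user, resource, "outside usual hours"))
    return findings

if __name__ == "__main__":
    for finding in odd_successes(HISTORY, REVIEW):
        print(*finding)
```

Using a per-account baseline rather than a fixed office-hours window keeps a legitimate night-shift account quiet while still flagging a day-shift account that succeeds at 3:30 in the morning.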
For home user
Can’t log in?
If you cannot log onto a system and you know you are inputting the right credentials, there’s a good chance it’s because an attacker has compromised your account and changed that password.
Using the same password?
The risk is even greater when you use the same username and password on multiple systems. Do you use your personal email address and the same password at your bank, Facebook, Twitter, iDrive, your healthcare portal, Amazon, your Outlook.com email, your YouTube account, your Gmail, your Dropbox, and so on? What do you think happens if an attacker gets a list of email addresses and passwords from one system? He or she immediately starts to see whether those same creds will get them in somewhere else!
Lots of disk activity?
If you are sitting there doing nothing, and you notice your disk activity light going crazy, you want to see what it is that is going through all the disk I/O. It could be your antivirus software running a scan, or your Dropbox client syncing files, but it could also be malware parsing your disk looking for data. Figure out which.
Notice that antivirus appears to be disabled?
One of the sure signs that you have a malware infection is when your antivirus software has been disabled, especially if you didn’t do it, and now you cannot re-enable it. Many different types of malware will disable antivirus software so they can maintain their foothold on your system. Use an online scanner like the ones Trend Micro or Microsoft make available to scan your system.
Toolbars, pop-ups, and other software just appear
If half your browser window is taken up by toolbars, if you get odd pop-ups, especially when you are not actively using a web browser, and if you go into Add/Remove programs and see a bunch of stuff you didn’t install, you either have a teenager using your PC or you’ve been hacked.
Task Manager and Perfmon don’t launch
If either of those standard Windows tools used by admins to find out what is going on with a system doesn’t launch, odds are good a hacker or piece of malware has disabled them to ensure you cannot use them to find out they are there. If you can launch them, and you see applications running that you didn’t launch, you need to investigate those as well.
Anything running from Temporary Internet Files
If you can launch Task Manager, and while investigating what is running on your machine you see something running with a file stored in TEMP or Temporary Internet Files, that’s a sign something bad is happening, unless you happened, at that moment, to be downloading and installing something.
Anything running from System32 that doesn’t have a Microsoft signature
Microsoft signs all the files in the operating system, and you can see that in the properties of the file and/or service. If something is running, it’s stored in the \System32 directory, and it’s not a file digitally signed by Microsoft, it’s almost certainly malware.
Odd programs in Startup
If you cannot explain why a program is set to run every time Windows starts or a user logs on, you need to investigate that program to see what it is. Many programs will insert themselves into the Windows startup, and will have unusual names, so don’t immediately assume something is bad… just don’t automatically assume something is good.
Can’t shut down
The last sign that may indicate a system is pwned is when you cannot gracefully shut it down. If an attacker has remote access to a system, they will want to do everything they can to keep that remote access, including preventing you from trying a simple reboot to see if that “clears things up.”
Computers and the networks they run on are not really living, breathing beings, but they can feel that way to the people who are responsible for them. Get to know your computer and get a feel for your network, and if something doesn’t feel right… investigate.
SysAdmins have very good intuition for things, but far too often don’t trust themselves or just brush off feelings as “just being paranoid.” Be paranoid if that is what it takes to make sure you aren’t being pwned, and make sure you run antivirus on every system, you keep it current, and you patch regularly.
Use unique account credentials for every service you use online, and take advantage of two-factor authentication everywhere you can! Don’t become a victim.