December 13, 2016
So You Have a Virus …. Now What? - An End User's Guide
This document is intended to help end users (non-IT professionals) deal with a computer virus. While it is written for the end user, IT professionals may find it useful for tips on helping the everyday user who finds themselves in a bad situation.
So you have a virus. It may have come from visiting a site you shouldn't have been at, opening an email link, or downloading software you shouldn't have. At this point it really doesn't matter, other than 1) avoid doing that in the future and 2) you have a virus and need to deal with it now. The worst thing you can do is not deal with it, or not tell someone who can help you with it. Doing nothing puts not only yourself but others at risk: as with a human virus, a computer virus will attempt to spread through the host and to others it comes into contact with. If you are embarrassed, don't be; people from all industries and skill levels run into this at one point or another. The important thing is that we deal with it now.
What kinds of viruses are out there? Common ones:
Malware: This is the type of nasty virus that typically affects users. Malware can do any number of things to your computer, such as steal your passwords, change your browser home page, cause advertisement popups, grant remote access to your computer, or any number of other terrible things. Questionable websites, illegal downloads, and emails with attachments (from people you don't know) tend to carry these types of files.
Ransomware: This is quickly gaining popularity. Ransomware will hold your computer, and sometimes your network, ransom by encrypting your data and making it unreadable until you pay up. Some particularly nasty variants will even have a countdown timer, deleting data until the ransom is paid. The worst part is that even if you pay the ransom, there is still no guarantee that your data will be unlocked and usable. The most common delivery method for ransomware is email attachments. These emails tend to entice users to open the attachment, for example by posing as your credit card company sending you a bill.
Spam (phishing): Phishing (pronounced "fishing") is when the bad guys send out emails to various targets. These targets are not picked out individually. An example would be a spammer harvesting all of the email addresses from a forum or a Facebook group and then sending an advertisement or an email that contains a virus. The emails may or may not be disguised as ecards, bank statements, a message from a friend or co-worker, etc. Once phished, however, you may have opened yourself up to more spam, identity theft, computer hijacking, ransomware, etc. More information can be found here: https://www.cybrary.it/0p3n/anatomy-of-the-hack/
Spear Phishing: This technique is similar to the above, except that the targets are picked out specifically. An example would be an attacker trying to gain access to company X's payroll database. They research who the payroll staff are, which bank the company uses, etc. They then spoof an email from that bank asking a member of the payroll staff by name to look over new terms of service that must be read and accepted before the next payroll date, attaching a PDF file that contains malicious content, or even doing something as simple as asking the person to verify their bank login and password because the bank has "recently updated its servers".
Scareware: Scareware is one of the nastier types of things to get if you are somewhat non-technical, since it is designed to prey on people's fears. The easiest example to give of this type of virus would be the image below:
Here you were, surfing the web, when all of a sudden you see this message! You aren't able to close it, it has the FBI's seal on the page, and it states that you have violated federal law, going so far as to cite exactly which one you violated. In fact they even logged your IP address and claim that you were viewing child pornography! Of course you are innocent, but this notice says that they have the evidence against you and you can face 4 to 12 years in prison! Worse yet, you only have 72 hours to pay the $200 fine. Pay $200 or face 4 to 12 years in a federal prison on child pornography charges? Where do I send the check? As you can see on the image below, they conveniently outline several places where you can get a MoneyPak to pay your fine quickly and easily.
While the above may seem sort of funny, this was a very big scam that hit a couple of years ago and still makes the rounds. People were getting legitimately worried when they saw this. Also keep in mind that if you broke the law, the FBI or the police are not going to send you a notification on your computer asking for a MoneyPak, Western Union, or other similar methods of payment. They will simply show up at your doorstep, send a fine through the mail, or send a subpoena for you to appear in court.
The other common type of scareware is fake anti-virus alerts telling users that they are infected.
But why do people make viruses?
Viruses are created for a variety of reasons, mostly personal gain. A person can potentially steal your bank account information, your identity, or your files; sometimes they are just looking to be malicious.
Typical methods of infection:
Email: A popular method of infection is right through your email. Spam, phishing, "Happy birthday" emails, and emails with attachments and links can all contain malicious code.
Downloading illegal software/movies: People who distribute pirated software or movies will often package a virus in the file(s).
Questionable sites: Adult sites, hacking sites, and other questionable sites with popups can contain malicious code. Sometimes simply trying to close those aggressive popups, or even clicking an image on the site, can deliver a virus to your computer.
Add-on software: Add-on software is a program that attaches itself to a program you are trying to install. The program itself may be legitimate; however, you will often see additional programs, toolbars, etc. that want to install themselves alongside your main program. Sometimes these programs contain malicious code, or simply poor code that leads to vulnerabilities.
USB: This is one of my preferred methods of infection when I do pentesting. A random USB drive that you find lying around can easily contain a virus. Even though computers typically no longer allow autorun, there is a newer threat that will emulate a keyboard (BadUSB and USB Rubber Ducky, for example) and execute commands given by the attacker.
Rogue Wi-Fi hotspots: Wireless hotspots are great for saving your data and potentially giving you a faster connection, unless of course you're connecting to a rogue hotspot. Say you are at Starbucks, for example, and you want to connect to their wireless. You look for the hotspots and see "Google Starbucks" and "Google Starbucks hotspot". Connecting to the wrong one likely means you are connecting to someone's rogue access point, which they created hoping to capture bank account information, login information, etc. Be careful when connecting to open hotspots. Only connect to those that you trust; if you are unsure whether an access point is the correct one, ask an employee. Using a VPN can also help keep you and your internet traffic safe and secure.
Great, I have a virus now what?!
Virus at work:
- If you have a virus at work and your workplace has outlined a protocol for this type of situation, follow that first.
- If no guideline exists, contact your IT department for instructions.
If neither is an option:
- Do not attempt to delete the infected file, wipe your system, or do a system recovery. For some ransomware, the infected file can be used to extract the decryption key. Sign out of any logged-in programs or sites, disconnect your computer from the network, and power down. Contact your IT department and alert them to the issue. Also let them know how you think you were infected. Sharing this knowledge may help keep the virus from spreading and being opened by someone else.
- Your IT department may be able to restore your files and the network files (if they were affected) from a backup if need be.
- If the ransomware came from an email, notify your IT department so they can determine next steps.
- Log out of any programs and sites
- Disconnect your computer from your network
- If you are able to determine which ransomware you were infected with, there may be an unlock tool out there to try. From another computer, download the unlock tool and try it: http://www.majorgeeks.com/mg/sortdate/ransomware_removal.html
- If you are still unable to remove the virus, consider finding a reputable company to remove it. If you are able to function without your files, do a full restore of your computer.
- If the ransomware was from an email, notify your email provider and move the email to your spam folder.
- If you are at work, contact your IT department for instructions. They may have a particular procedure that they need to have you follow in order to stay within compliance.
- As a home user (If you opened the link and/or file in the email):
- If the email client that you are using supports it, sign out of all devices
- For Gmail users, run through the security check (available by clicking your profile and viewing your account). Verify that the machines used to sign in are yours and verify the plugins associated with your account.
- Clear your browser cache
- Change your password ( tips: https://www.cybrary.it/0p3n/passwords-things-users-tape-monitors/ )
- Update your anti-virus and perform a full virus scan
- Contact the people on your contact list so they know to be on the lookout for any odd emails from you and not to open them.
- If the email is posing as a business (like your bank), inform them and include the sender's email address so they can follow up.
- Move the email to your spam folder
- If the method of infection was email, follow the steps outlined above in the "Phishing/Spear phishing/Spam" section.
- If the attack came from a website (the most common scenario), try to close all browser windows (you may need to press Ctrl + Alt + Del to close out the browser).
- Update your anti-virus and run a full scan.
- Download and run Malwarebytes (free version): https://www.malwarebytes.com/
- Clear out your browser cache.
- Check your browser plugins and remove any that you do not recognize
- Check your browser's homepage and make sure it's properly set
- Check your add/remove program list and verify that there are no additional programs that were added
- Periodically check https://haveibeenpwned.com/ to make sure your account(s) have not been compromised
- If you have a URL and are unsure whether it is safe, test it at https://virustotal.com/ (URL tab); the link will be checked against 68 different security sites.
- If you do not currently have an anti-virus solution, there are several free ones out there: AVG, Sophos Home, Avast
- When browsing the internet, always try to use a secure connection by replacing http with https. Most browsers' extension stores have free add-ons that will do this for you by default.
- Be sure to clean out cookies and browser cache files, or browse in private mode.
- Always sign out of browser pages (email, banking, social media, etc.). Do not just close the browser. Failure to do this can lead to your accounts being hijacked.
- Be sure to update your browser, plugins (like Java), and your operating system (Windows, Apple, Linux).
- For Google accounts, try running the security check.
- Consider enabling 2-factor authentication for your email. 2-factor adds an additional layer of security to your account.
- Always choose a hard-to-guess password, and try to keep different passwords for different sites. For more tips:
- Don't just protect your computer, smartphones and tablets are just as vulnerable and a highly desired target also. For more tips: https://www.cybrary.it/0p3n/smartphone-apps-what-am-i-downloading-anyways/
- Don't open emails from people that you don't know
- Don't open attachments from people if you are not expecting one (verify with them before opening)
- If you find a spam email, move it to the spam folder
- Consider using a keyword with friends and co-workers. Agreeing that a keyword such as "bacon" in the subject line signifies a legitimate attachment can help ease your mind and increase your email safety. Chances are, a typical or automated spammer wouldn't know to add the keyword to their spam attempt.
- Do not plug unknown USB devices into your computer.
- On emails be sure to verify the sender's identity beyond just the name:
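As an added illustration (not part of the original guide), the following Python script shows what "beyond just the name" means in practice: it pulls the real address out of the From header and compares it against the display name, the Reply-To header, and the Return-Path header, which is where many phishing emails give themselves away. The sample messages and their domains are constructed for the example.

```python
import re
from email import message_from_string

# Added example; sample messages below are constructed with placeholder domains.
_ANGLE = re.compile(r"^(.*?)<([^<>]+)>\s*$", re.S)
_ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def split_header(value: str) -> tuple[str, str]:
    """Split 'Display Name <user@domain>' into (display name, lower-cased address)."""
    value = value.strip()
    m = _ANGLE.match(value)
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip().lower()
    return "", value.lower()

def domain_of(address: str) -> str:
    """Domain part of an address, or '' when there is no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def sender_warnings(raw_message: str) -> list[str]:
    """Reasons the sender headers deserve a closer look; empty list if none."""
    msg = message_from_string(raw_message)
    display, from_addr = split_header(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return ["From header carries no usable address"]
    warnings = []
    # A display name that itself looks like an address at another domain: mail
    # clients show the name prominently, so the real address is easy to miss.
    shown = _ADDR_IN_TEXT.search(display)
    if shown and domain_of(shown.group(0)) != from_domain:
        warnings.append(f"display name shows {shown.group(0)} but mail is from {from_addr}")
    # Replies quietly routed to a third domain.
    _, reply_addr = split_header(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")
    # Envelope sender recorded by the receiving server at yet another domain.
    _, return_path = split_header(msg.get("Return-Path", ""))
    if return_path and domain_of(return_path) != from_domain:
        warnings.append(f"Return-Path {return_path} does not match From domain {from_domain}")
    return warnings

PHISH = (
    "From: accounts@bank.example <alerts7721@mail-drop.example>\n"
    "Reply-To: Account Review <review@reply-collector.example>\n"
    "Subject: Please verify your login\n\nConstructed body.\n"
)
LEGIT = "From: Bank of Example <alerts@bank.example>\nSubject: Statement ready\n\nConstructed body.\n"
```

A mismatched Return-Path is also common for legitimate mail sent through a mailing service, so treat each warning as a prompt to look closer rather than proof of phishing.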
- Need to cleanup your online presence? Try: https://www.deseat.me/
- Above all, be vigilant. You don't have to be afraid to be online, just aware.