Found malware, now what do you do?

You’ve found some malware on your computer, so what should you do next? What’s the best approach? Well, this depends on the situation, but we’ll run through a few things that will greatly assist in identifying and isolating the malware, removing it and preventing re-occurrences.

The first thing to do is to acquire a good understanding of how the malware was found.


So how can malware be identified? Well, there are many ways. Firstly, the most effective way to identify, isolate and eradicate it is to be operating an up-to-date anti-malware solution on all systems (phones, tablets, laptops, workstations, and servers). The purpose of such software is to do the identifying for you and, once it has identified something, to quarantine it so it can’t do anything else. It then notifies the end user or system administrator, and action can be taken to delete the quarantined item permanently or to allow it, if that is what you want.


Another way that many people identify malware, and this is often the case when no anti-malware solution is installed, is by noticing that a computer is operating in an unusual fashion. Let’s take for example a program that usually takes 5 seconds to load on a PC and is now taking anything from 30 seconds to 2 minutes. This is often spotted by users because they get frustrated by the delay, and it persists after many reboots, whether the computer is online or offline. To clarify, this is a change that appears over a couple of days, not the performance of a program gradually declining over months and years.


When this is happening, the best thing to do is to review the processes that are running. Depending on the operating system, this could mean opening Windows Task Manager/Windows Resource Monitor, or opening a terminal and running ps or top. When looking through these areas, it’s advisable to get guidance on what is normal and which indicators point to abnormal behaviour. One tip is to close all running programs and then look for the following, keeping in mind that these could also be legitimate programs operating:


  • Consistently high memory usage
  • Consistently high CPU usage
  • Consistently high network usage
  • Suspiciously named processes (e.g. miner, worm, troj)


Note: It’s rare you’ll find anything by the example names for processes, but you never know some script kiddie somewhere may not have thought through what he/she was really doing. We all learn things in different ways.
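As an added example (not code from the original post), here is a small shell script that applies the checks above to a process listing of the shape produced by ps -eo pid,pcpu,pmem,comm. The CPU and memory thresholds, the name fragments and the sample listing are all assumptions; network usage is not covered because ps does not report it.

```shell
#!/bin/sh
# Added example, not from the original post: apply the checks above to a
# process listing. Thresholds, name fragments and the sample are assumptions.
CPU_LIMIT=50                 # flag processes at or above this %CPU
MEM_LIMIT=20                 # flag processes at or above this %MEM
SUSPICIOUS='miner|worm|troj' # name fragments from the article's examples

# Reads "PID %CPU %MEM COMMAND" lines (the shape of `ps -eo pid,pcpu,pmem,comm`)
# on stdin and prints one line per flagged process: reasons, pid, cpu, mem, name.
flag_processes() {
    awk -v cpu="$CPU_LIMIT" -v mem="$MEM_LIMIT" -v pat="$SUSPICIOUS" '
        NR == 1 && $1 == "PID" { next }          # skip the ps header line
        {
            reason = ""
            if ($2 + 0 >= cpu) reason = "high-cpu"
            if ($3 + 0 >= mem) reason = reason (reason != "" ? "," : "") "high-mem"
            if (tolower($4) ~ pat) reason = reason (reason != "" ? "," : "") "suspicious-name"
            if (reason != "") printf "%s %s %s%% %s%% %s\n", reason, $1, $2, $3, $4
        }'
}

# Constructed sample listing; on a live system replace it with
#   ps -eo pid,pcpu,pmem,comm | flag_processes
SAMPLE='PID %CPU %MEM COMMAND
  412  1.3  2.0 sshd
 2219 97.5  8.1 fakeminer
 3390  0.2 45.0 firefox
 5102 12.0  1.1 bash'

printf '%s\n' "$SAMPLE" | flag_processes
```

A flagged line is only a prompt to investigate where that process came from, not proof of malware, since a browser or a build can legitimately sit at high CPU or memory for a while.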

To resolve these situations, you could either try to locate the process’s origin on the computer and stop it, or, better, install an anti-malware solution and see if it can resolve the problem; perhaps try a trial of the product first, because it’s free.


The final common identifier is usually when an internet browser is opened and there are a lot of coloured buttons on the bar at the top, or popups/popunders occurring. These are usually plugins for internet browsers and can even be there from the moment a computer is first received. Unfortunately they can be a pain, because they ruin people’s experience of using a computer and browsing the internet. To resolve these, an adware removal tool is needed, or an anti-malware solution may also help remove them.


There is also one other way to identify that malware has attacked a computer, and that unfortunately is the inability to use it anymore. Examples of this are full-screen messages such as “you’ve been reported to the police/FBI for criminal activity, pay X amount now” or “your computer is now encrypted and you will lose all data on it unless you pay x amount of bitcoin to the following address within x hours” etc. When this is the scenario, local IT support really is required, because the computer system will most likely need to be rebuilt from scratch or something similar. It is worth noting that on rare occasions files encrypted by ransomware can be decrypted, if a solution has been found and publicly posted. https://www.nomoreransom.org/en/decryption-tools.html is a good place to go for guidance on such matters.


The resolution to malware is not always simple either, but the simplest approach is to be proactively protecting systems through the deployment of an anti-malware solution. Assuming malware is where suspicions are pointing, the first thing to do is usually to disconnect the device from the network to minimise any spreading. Then run a full scan on the computer, and perform the same full system scan on all systems connected to the same network. If this hasn’t resulted in anything productive, it might be worth trying a second anti-malware solution; again, use a trial, and if it helps, then consider purchasing the product, because it’s clearly making a difference.


Two scenarios occur next: a) the anti-malware solution hasn’t found anything and problems persist, which could still imply malware, or b) the malware keeps returning. In both cases, if the systems are offline and not connected to anything and the malware remains after full system cleans and reboots, then it may be worth zeroing the hard drive(s) and reinstalling the operating system. This will ensure that nothing remains on the system and also provide a fresh start. Please keep in mind that if the source of the problem is external to the system, it may return after these actions.


An additional piece of software which may be worth considering for more technical readers is a personal firewall placed into a verbose logging mode. This may help identify where problems are, by showing the traffic entering and leaving a system. Be warned, though, that this can lead to a lot of information in the logs, so it may come across as information overload.


The best solution to the situation of finding malware and establishing what to do next, though, is prevention: stop it from getting onto a system in the first place. This can be done by actively deploying an up-to-date anti-malware solution and also educating users of systems, because the world’s best anti-malware solution is still not going to prevent an end user from clicking a suspicious link.


In summary, what should be done, in four simple steps:

1) Identify the malware

2) Isolate the malware

3) Remove the malware

4) Prevent it from re-occurring.

If you have any questions, feel free to get in touch with The Tech Force, because we’ll be glad to help.
