Osint Me Tricky Thursday #5 – Malware

The infrequent, irregular Tricky Thursday is back, this time to focus on digital security.

What are the signs of malware infection on your computer?

Let’s take a look at some indicators.

1. The computer is running slow and with overall decreased performance.

Malicious software can affect everything, from browsing the Internet to using local applications on an endpoint.

If it’s a Windows machine, Task Manager (or a more detailed tool such as Sysinternals Process Explorer) may show unknown or unfamiliar processes running in the background.

Available disk space may also run low unexpectedly, and the drive may become unusually fragmented.

2. Suspicious registry changes, or other changes to system files, are noticeable.

Malware typically makes changes to the registry, most often to establish persistence (for example by adding itself under the Run or RunOnce keys so that it starts with every logon), and especially if it installs:

  • packet sniffing software
  • a keylogger
  • a credential harvester

POWELIKS: Malware Hides In Windows Registry - TrendLabs Security ...
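The registry point above is easiest to act on by looking at the autorun keys. The following is an added example, not code from the original post: it parses the text that `reg query` prints for a Run key and scores each value with a few heuristics (a script host or LOLBin such as `rundll32 javascript:` or `powershell -enc` launched from an autorun, as POWELIKS did; an executable in a user-writable directory; a system binary name like `svchost.exe` living outside the Windows directory; a blank or default value name). The sample output, host names and paths are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: what `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`
# might print on a hypothetical host. Not real output from any incident.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    WinUpdate    REG_SZ    C:\Users\alice\AppData\Roaming\svchost.exe
    (Default)    REG_SZ    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")
    Updater    REG_SZ    powershell.exe -nop -w hidden -enc JABzAD0A...
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# One value per line: <name> <REG_TYPE> <data>, separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
# Script hosts / living-off-the-land binaries that have no business in a Run key.
SCRIPT_HOST = re.compile(
    r"(\brundll32\.exe\s+javascript:|\bmshta\b|\bwscript\b|\bcscript\b"
    r"|regsvr32.*?/i:http|powershell.*?(-enc|-e\s|-w\s*hidden|-nop))", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SYSTEM_NAME = re.compile(r"\\(svchost|lsass|csrss|explorer|winlogon)\.exe\b", re.I)


@dataclass
class AutorunEntry:
    key: str
    name: str
    reg_type: str
    data: str
    reasons: list = field(default_factory=list)  # (weight, explanation)

    @property
    def score(self) -> int:
        return sum(weight for weight, _ in self.reasons)


def parse_reg_query(text: str) -> list:
    """Turn `reg query` output into AutorunEntry objects (key line, then values)."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append(AutorunEntry(key, m["name"], m["type"], m["data"]))
    return entries


def assess(entry: AutorunEntry) -> AutorunEntry:
    """Attach weighted reasons; a weight of 0 means nothing suspicious was seen."""
    data = entry.data
    if SCRIPT_HOST.search(data):
        entry.reasons.append((3, "script host / LOLBin launched from an autorun (POWELIKS-style)"))
    if USER_WRITABLE.search(data):
        entry.reasons.append((1, "executable lives in a user-writable directory"))
    m = SYSTEM_NAME.search(data)
    if m and not re.search(r"\\Windows\\", data, re.I):
        entry.reasons.append((2, f"{m.group(1)}.exe outside the Windows directory (masquerading)"))
    if entry.name.strip() in ("", "(Default)") or not entry.name.isprintable():
        entry.reasons.append((1, "unusual value name (default, blank or non-printable)"))
    return entry


def triage(text: str, threshold: int = 2) -> list:
    """Return entries at or above the threshold, most suspicious first."""
    entries = [assess(e) for e in parse_reg_query(text)]
    return sorted((e for e in entries if e.score >= threshold),
                  key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_REG_QUERY):
        print(f"[{e.score}] {e.name!r} = {e.data}")
        for _, why in e.reasons:
            print(f"      - {why}")
```

Note that the legitimate OneDrive entry also lives under AppData, which is why that heuristic alone carries a low weight and the threshold sits at 2: a single weak signal should prompt a look, not an alert. On a real host you would feed the tool the output of `reg query` for HKCU and HKLM Run/RunOnce keys, or compare against a baseline export taken when the machine was known to be clean.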

3. Pop-up ads appear unexpectedly while browsing.

This points towards a possible adware or spyware infection.

Such pop-ups (whether Java applets or ordinary JavaScript dialogs) can be disguised to imitate legitimate programs that the user expects to have on their machine, for instance a fake antivirus warning or update prompt.

4. Increased and unusual Internet traffic.

Malware often generates unusual outbound network traffic from the infected endpoint, for example when it beacons to its command-and-control (C2) servers.

This often shows up as DNS anomalies: spikes in DNS requests for domains outside the company network, or a single host querying the same unfamiliar domain over and over at regular intervals.

Example of a malicious pop up window
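The DNS symptom from point 4 (one host repeatedly resolving the same external domain at a regular interval) can be picked out of a resolver log with a little statistics. The block below is an added example, not code from the original post. It builds a small constructed log (one host beaconing to a made-up domain every 60 seconds with slight jitter, another host browsing normally), groups queries by client and registrable domain, and flags pairs whose inter-query gaps are both numerous and unusually regular (low coefficient of variation). The internal suffix, IP addresses and domain names are assumptions for the demo.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed internal DNS suffix: lookups for these are expected and ignored.
INTERNAL_SUFFIXES = (".corp.example",)


def build_sample_log():
    """Constructed resolver log (not real traffic): '<iso-timestamp> <client> <qname> <qtype>'.
    10.0.0.23 beacons to an external domain every ~60 s; 10.0.0.5 browses normally."""
    t0 = datetime(2024, 3, 7, 9, 0, 0)
    lines = []
    t = t0
    for jitter in (0, 1, -2, 1, 0, 2, -1, 1, 0, -1):          # 10 beacons, small jitter
        t += timedelta(seconds=60 + jitter)
        lines.append(f"{t.isoformat()} 10.0.0.23 cdn-update-check.xyz A")
    t = t0
    for gap, name in ((5, "www.wikipedia.org"), (40, "mail.corp.example"),
                      (3, "upload.wikimedia.org"), (300, "www.github.com"),
                      (12, "api.github.com"), (150, "www.wikipedia.org"),
                      (9, "mail.corp.example"), (600, "www.github.com")):
        t += timedelta(seconds=gap)                             # irregular human browsing
        lines.append(f"{t.isoformat()} 10.0.0.5 {name} A")
    return sorted(lines)


def parse(lines):
    for line in lines:
        ts, client, qname, _qtype = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def base_domain(qname: str) -> str:
    """Naive registrable-domain approximation: last two labels. Without a public
    suffix list 'bbc.co.uk' would collapse to 'co.uk'; good enough for the demo."""
    return ".".join(qname.split(".")[-2:])


def find_beacons(lines, min_count: int = 6, max_cv: float = 0.25) -> list:
    """Return (client, domain) pairs with at least min_count external lookups whose
    inter-query gaps have a coefficient of variation <= max_cv (i.e. a steady period)."""
    by_pair = defaultdict(list)
    for ts, client, qname in parse(lines):
        if qname.endswith(INTERNAL_SUFFIXES):
            continue
        by_pair[(client, base_domain(qname))].append(ts)

    findings = []
    for (client, domain), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "domain": domain, "count": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(build_sample_log()):
        print(f"{f['client']} -> {f['domain']}: {f['count']} queries, "
              f"period {f['period_s']} s, cv {f['cv']}")
```

Real beacons usually add deliberate jitter, so in practice you would tune `max_cv` against your own baseline, exclude known-good domains (update services and CDNs also poll on a schedule), and combine the result with the volume view: a sudden jump in total queries from one host, or a flood of unique subdomains under one domain (a sign of DNS tunnelling), are the other two DNS anomalies worth alerting on.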

5. Disabled security updates or unexpected patches.

Attackers often switch off security updates on the target machine, because installing them could remove the malware, close the vulnerability it relies on, or otherwise break the attackers’ connection to and control over it.

Likewise, the presence of unexpected updates or patches is a warning sign in itself: it may mean the attackers are modifying the target system to adjust their attack vector.

6. Any changes to the system that the user did not make.

This may include cosmetic visual changes, but also things like:

  • extra toolbars in the browser,
  • new shortcuts on the desktop,
  • new programs listed,
  • device profile or user account changes,
  • lost access to an HDD partition or to the whole drive,
  • programs unexpectedly starting or shutting down, including the command prompt or PowerShell,
  • unexpected messages suggesting that the antivirus or firewall has been disabled.

7. Other users or contacts complaining of spam sent to them from your social media or email accounts.

This might indicate a spyware infection, or simply that the login credentials for that particular online resource have been compromised and a third party is now using them.

8. Signs of a Distributed Denial of Service (DDoS) attack.

This applies not so much to individual endpoints as to the networked system overall.

Typical signs of a DDoS include degraded network performance, inability to log into online resources, and websites and servers becoming unavailable.

Although a DDoS does not by itself mean a malware infection, it can indicate a sustained, targeted attack on a system in which malware is another vector; conversely, infected endpoints inside your own network may be bots generating DDoS traffic against someone else, which shows up as the unusual outbound traffic described in point 4.

DDoS attack (source: F5.com)

9. Hardware problems.

One typical example is cryptojacking: hijacking a machine’s hardware resources to mine cryptocurrency, frequently delivered as file-less malware.

File-less malware is designed to evade file- and signature-based security controls, such as traditional antivirus programs.

On the endpoint, however, its presence is easier to spot: the CPU and GPU suddenly run at a sustained high load, the fans spin up, and the machine may overheat or even be damaged by overuse.

10. Strange user login patterns.

Once again, this is mostly encountered in corporate environments with a larger number of users.

Watch for sudden changes to established login patterns, for instance users accessing company resources outside normal working hours or from IP addresses that do not geographically match the company’s area of operations.

A very blatant sign is the same account logging in within a short period of time from IP addresses in different parts of the world (so-called impossible travel).

It suggests that the account credentials have been compromised.
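The two login patterns described under point 10 are straightforward to check mechanically. The block below is an added example, not code from the original post: it walks a small constructed authentication log, flags successful logins outside an assumed working-hours window, and computes the great-circle distance between consecutive logins for the same account to flag impossible travel (a required speed above that of an airliner). The IP-to-location table stands in for a GeoIP database and, like the user names, addresses and timestamps, is an assumption for the demo; timestamps are assumed to be in the organisation’s local time zone.

```python
import math
from datetime import datetime

# Constructed lookup standing in for a GeoIP database (documentation-range IPs).
GEO = {
    "203.0.113.10": ("London", 51.5074, -0.1278),
    "198.51.100.7": ("Singapore", 1.3521, 103.8198),
    "192.0.2.44": ("Manchester", 53.4808, -2.2426),
}

# Constructed auth log: "<iso-timestamp> <user> <source-ip> <result>"
SAMPLE_AUTH_LOG = [
    "2024-03-07T08:55:12 alice 203.0.113.10 success",
    "2024-03-07T09:40:03 alice 198.51.100.7 success",   # London -> Singapore in 45 min
    "2024-03-07T10:05:45 bob 203.0.113.10 success",
    "2024-03-07T13:20:10 bob 192.0.2.44 success",       # London -> Manchester in ~3 h: fine
    "2024-03-08T02:14:09 bob 203.0.113.10 success",     # 02:14 is outside working hours
    "2024-03-08T02:15:00 eve 198.51.100.7 failure",     # failed logins are skipped here
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyse_logins(lines, max_speed_kmh=900.0, work_hours=(7, 20)):
    """Return (user, finding, detail) tuples for off-hours logins and impossible travel.
    max_speed_kmh is roughly an airliner's cruising speed; anything faster is not a person."""
    findings = []
    last_seen = {}                                   # user -> (ts, city, lat, lon)
    for line in sorted(lines):                       # fixed-width ISO prefix sorts by time
        ts_s, user, ip, result = line.split()
        if result != "success":
            continue
        ts = datetime.fromisoformat(ts_s)
        city, lat, lon = GEO.get(ip, ("unknown", None, None))

        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append((user, "off-hours login", f"{ts_s} from {city} ({ip})"))

        prev = last_seen.get(user)
        if prev and lat is not None and prev[2] is not None:
            hours = (ts - prev[0]).total_seconds() / 3600
            km = haversine_km(prev[2], prev[3], lat, lon)
            if hours > 0:
                speed = km / hours
            else:                                    # simultaneous logins: only a problem if apart
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                findings.append((user, "impossible travel",
                                 f"{prev[1]} -> {city}: {km:.0f} km in {hours * 60:.0f} min "
                                 f"({speed:.0f} km/h)"))
        last_seen[user] = (ts, city, lat, lon)
    return findings


if __name__ == "__main__":
    for user, kind, detail in analyse_logins(SAMPLE_AUTH_LOG):
        print(f"{user:6} {kind:18} {detail}")
```

In production the working-hours rule needs per-user or per-team baselines (shift workers and travelling staff will otherwise drown the alert in noise), and the geolocation step should treat VPN egress points and mobile carrier ranges carefully, since those legitimately make one person appear to jump between cities.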
