{"id":698,"date":"2020-04-16T20:07:12","date_gmt":"2020-04-16T20:07:12","guid":{"rendered":"https:\/\/osintme.com\/?p=698"},"modified":"2020-04-16T21:18:35","modified_gmt":"2020-04-16T21:18:35","slug":"osint-me-tricky-thursday-5","status":"publish","type":"post","link":"https:\/\/osintme.com\/index.php\/2020\/04\/16\/osint-me-tricky-thursday-5\/","title":{"rendered":"Osint Me Tricky Thursday #5 – Malware"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

The infrequent, irregular Tricky Thursday is back, this time to focus on digital security.<\/p>

What are the signs of malware infection on your computer?<\/p>

Let’s take a look at some indicators.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

1. The computer is running slow and with overall decreased performance. <\/span><\/strong><\/p>

Malicious software can affect everything, from browsing the Internet to using local applications on an endpoint. <\/span><\/p>

If it\u2019s a Windows machine, the Windows Manager might display unknown or unfamiliar tasks running in the background. <\/span><\/p>

HDD available space can be running low, as well as it might become fragmented.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

2. Suspicious registry changes are noticeable or other changes to the system file. <\/span><\/strong><\/p>

Malware typically makes changes to the registry, especially if it installs: <\/span><\/p>

  • packet sniffing software<\/span><\/li>
  • a keylogger<\/span><\/li>
  • a credential harvester<\/span><\/li><\/ul>

    \u00a0<\/p>

    \"POWELIKS:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    3. Pop up ads appear unexpectedly while browsing. <\/span><\/strong><\/p>

    This points towards possible adware or spyware infections. <\/span><\/p>

    Especially Java-based pop ups can be disguised to imitate legitimate programs that the user is expected to have on their machine.<\/span><\/p>

    \u00a0<\/p>

    4. Increased and unusual Internet traffic. <\/span><\/strong><\/p>

    Malware often creates unusual outbound network traffic from the infected endpoint, for example due to connecting to the C2 servers. <\/span><\/p>

    This results in DNS anomalies, typically spikes in DNS requests to external resources outside the company network.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
    Example of a malicious pop up window<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t\t
    \n\t\t\t
    \n\t\t\t\t\t\t
    \n\t\t\t\t
    \n\t\t\t\t\t\t\t\t\t

    5. Disabled security updates or unexpected patches. <\/span><\/strong><\/p>

    Attackers often switch off security updates on the target machine as the installation of these updates could disrupt their connection to the malware and their ability to operate it. <\/span><\/p>

    Likewise, the presence of unexpected updates or patches can be alarming and might suggest that the attackers are manipulating the target system to adjust their vector of attack.<\/span><\/p>

    \u00a0<\/p>

    6. Any non-user made changes to the system. <\/span><\/strong><\/p>

    This may include cosmetic visual changes, but also things like: <\/span><\/p>

    • extra toolbars in the browser, <\/span><\/li>
    • new shortcuts on the desktop<\/span><\/li>
    • new programs listed, <\/span><\/li>
    • device profile or user changes, <\/span><\/li>
    • lost access to a HDD partition or the whole drive, <\/span><\/li>
    • unexpected running \/ shutdown of various programs, including the cmd prompt or Powershell, <\/span><\/li>
    • unexpected messages suggesting the antivirus or firewall has been disabled.<\/span><\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
      .<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t

      7. Other users\/contacts complaining of spam sent to them via social media or email. <\/span><\/strong><\/p>

      This might indicate a spyware infection and the fact that login credentials for a particular online resource have been compromised and a third party has access to them.<\/span><\/p>

      \u00a0<\/p>

      8. Signs of Distributed Denial of Service (DDoS) attack. <\/span><\/strong><\/p>

      This applies not so much to individual endpoints, but to the networked system overall. <\/span><\/p>

      Typical signs of a DDoS include throttled network performance, inability to log into online resources, websites and servers being down. <\/span><\/p>

      Although a DDoS does not automatically mean a malware infection, it can be indicative of a sustained directed attack on a system in which malware can be another vector of attack.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t

      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t
      DDoS attack (source: F5.com)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t\t
      \n\t\t\t
      \n\t\t\t\t\t\t
      \n\t\t\t\t
      \n\t\t\t\t\t\t\t\t\t

      9. Hardware problems. <\/span><\/strong><\/p>

      Typically encountered in file-less malware attacks; one example being hijacking hardware resources of a machine to mine cryptocurrency. <\/span><\/p>

      File-less malware is designed to evade file and signature-based security controls, like the traditional antivirus programs. <\/span><\/p>

      Its presence can be encountered easier on the endpoint and it manifests itself by CPU and GPU suddenly working with a significantly higher intensity, to the point of overheating or indeed getting damaged by overuse.<\/span><\/p>

      10. Strange user login patterns.<\/span><\/strong><\/p>

      Once again, this is encountered in corporate environments with a larger number of users. <\/span><\/p>

      Sudden changes to established login patterns, like for instance users accessing company resources outside normal working hours or from IP addresses geographically not matching the company\u2019s area of operations. <\/span><\/p>

      A very blatant sign of this is an instance of account login within a short period of time from various IP addresses around the world. <\/span><\/p>

      It suggests the account credentials have been compromised.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

      What are the signs of malware infection on your computer? Some indicators to consider explained here.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"off","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[18],"tags":[60,61,15,26],"class_list":["post-698","post","type-post","status-publish","format-standard","hentry","category-digital-privacy-security","tag-hacking","tag-malware","tag-security","tag-tricky-thursday"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/comments?post=698"}],"version-history":[{"count":6,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/698\/revisions"}],"predecessor-version":[{"id":711,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/posts\/698\/revisions\/711"}],"wp:attachment":[{"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/media?parent=698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/categories?post=698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/osintme.com\/index.php\/wp-json\/wp\/v2\/tags?post=698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}