You can tell when you've been hacked if you're
careful enough!
Hackers have stooped to an
all time low (it's actually an all time high for them of course) when it comes
to infecting your systems. Present tools and techniques ensure they are always
a step ahead of security measures trying to defend your systems. It's quite
easy to know and learn when your system has been compromised. All it takes is a
little more attention and observation on your part.
Why Hackers Want the Use of Your Computer ?
A botnet is simply a network of compromised computers controlled by a single command and control center. I estimate that 30 to 50% of all consumer-level computers are part of one botnet or another.
This botnet can be used for many seemingly innocuous activities and many more malicious ones. Botnets can be used to send spam, crack passwords, conduct distributed denial of service (DDoS) attacks, etc. In all cases, they are using system resources that are not available to you. You will likely detect your own system running sluggishly or erratically.
Let's take a look at how we can detect if such a security breach has taken place on YOUR system.
1. Fake antivirus messages
Among the surest signs that your system has been compromised, this ploy makes use of the fact that by the time people see the fake antivirus warning, considerable damage has already been done. A fake scan is in reality a malicious program's trick to lure people into buying their product. You will more often than not be directed to a professional-looking website on clicking a link provided by the scan where you will many a times give out your credit card number and billing information. In this way, the program will gain complete control over your system while also making full use of your personal financial information.
Among the surest signs that your system has been compromised, this ploy makes use of the fact that by the time people see the fake antivirus warning, considerable damage has already been done. A fake scan is in reality a malicious program's trick to lure people into buying their product. You will more often than not be directed to a professional-looking website on clicking a link provided by the scan where you will many a times give out your credit card number and billing information. In this way, the program will gain complete control over your system while also making full use of your personal financial information.
2. Check Task Manager
The first thing to check when
you suspect that you have been hacked is your Windows Task Manager. You
can access it by hitting Ctrl+Alt+Del on your keyboard and selecting
Task Manager at the bottom of the menu that pops up, or just type Task
Manager in the run line of your Start menu.
3. Unwanted browser toolbars
Browser toolbars are supposed to help you, however, unless they are coming from a very well-known vendor, they are fake and could entail a hack in near future.
4. Redirected Internet searches
Did you know that hackers are paid to get your clicks to appear on someone else's website. Many a times websites don't know that clicks to their website are in fact from malicious redirection. Adding to the plight is the fact that current redirected Internet searches are securely (pun intended!) hidden from the user through additional proxies. As a result the fake results are never returned that could alert the user for future references. Fake unwanted browser toolbars could also lead to redirection.
5. Frequent random popups
Getting
random browser pop-ups from websites that don't normally generate them
can be very annoying, but that's only the tip of the ice berg. Frequent
random popups is a sure shot sign that your system has been compromised.
Bogus toolbars are also one of the primary reasons behind the same.
6. Your friends receive fake emails from your email account
Malware
programs and hackers often pull out email addresses and contact lists
from your social media sites such as Facebook, to send malicious emails
to your email contacts. However, in taking the social media route,
hackers get a very incomplete list of your contacts' email addresses.
However, these bogus emails won't have your email address as the sender.
If such a case arises, you're computer is safe.
7.Your online passwords suddenly change
You
might have responded to an authentic-looking phish email that
purportedly claims to be from the service that ends up with the changed
password. In this way, the hacker will gain your logon information,
change the password and use the service to carry out his vested
interests.
8. Unexpected software installs
Most
current malware programs are Trojans and worms, and they typically
install themselves like legitimate programs. It must be noted that the
unwanted software is legally installed by other programs, so its highly
advisable to read your license agreements carefully.
9.Check System Integrity Checker in Windows
Now that we know something is awry on our system, let's delve a bit deeper to see if we can identify it. Very
often, malware will embed itself into the system files which would
explain why the AV software couldn't detect or remove it. Microsoft
builds a system integrity checker into Windows called sfc.exe
that should be able to test the integrity of these system files. From
Microsoft's documentation, it describes this utility saying:
"System
File Checker is a utility in Windows that allows users to scan for
corruptions in Windows system files and restore corrupted files."
The
idea here is that this tool or utility checks to see whether any
changes have been made to the system files and attempts to repair them.
Let's try it out. Open a command prompt by right-clicking and choose Run as Administrator. Then type the following command (make sure to press Enter afterward).
sfc /scannow
As you can see from the above screenshot, the malware remains hidden even from this tool.
10. Your mouse moves between programs and makes correct selections
Mouse
pointers moving randomly might usually be due to hardware problems.
However, if the movements involve making the correct choices to run
particular programs, take note that something is fishy.
11. Your bank account is missing money
Usually
begins by your computer being compromised stemming from a response to
some fake phish from your bank. The hacker logs on to your bank, changes
your contact information, and transfers large sums of money.
12. Your antimalware software, Task Manager, or Registry Editor is disabled and can't be restarted
12. Your antimalware software, Task Manager, or Registry Editor is disabled and can't be restarted
You
didn't disable your antimalware software but find it disabled. Further,
your start Task Manager or Registry Editor won't start, start and
disappear, or start in a reduced state. All these are definite signs
you've been compromised.
13.Check Network Connections with WireShark
If we
can install a third-party software for analyzing the connections to our
computer, we may be able to identify the communication to and from our
computer by some malicious entity. The perfect piece of software for
this task is called Wireshark
Wireshark
is a free, GUI-based tool that will display all the packets traveling
into and out of our computer. In this way, we might be able to identity
that pesky malware that is using up all our CPU cycles and making our
system so sluggish.
Since Wireshark is an application and not part
of the Windows system, it is less likely to be controlled and
manipulated by the malware. Click on you active interface and you should see a screen open like that below.
Wireshark then can capture all the packets traveling to and from your system for later analysis.
The key here is to look for anomalous packets that are not part of your "normal" communication. Of course, it goes without saying that you first should have an idea of what is "normal."
If you haven't looked at your normal communication, you can then filter packets to only look at a subset of all your communication. As attackers often use high number ports to evade detection, you can filter for, say ports 1500-60000. If you have malicious communication taking place, it will likely appear in that port range. Furthermore, let's just look for traffic leaving our system to see whether the malware is "phoning home" on one of those ports.
We can create a filter in Wireshark by typing it into the Filter window beneath the main menu and icons. Filters in Wireshark are a separate discipline entirely and beyond the scope of this article, but I will walk you through a simple one for this purpose here.
In this case here, my IP address is 192.168.1.103, so I type:
ip.src ==192.168.1.103
This filter will only show me traffic FROM my system (ip.src). Since I also want to filter for ports above 1500 and below 60000, I can add:
and tcp.port > 1500 and tcp.port < 60000
The resulting filter will only show me traffic that meets all of these conditions, namely, it should be:
- Coming from my IP address (ip.src == 192.168.1.103)
- Coming from one of my TCP ports above 1500 (tcp.port > 1500)
- Coming from one of my TCP ports below 60000 (tcp.port < 60000)
Now the key is to look for unusual traffic here that is not associated with "normal" traffic from your system. This can be challenging. To identify the malicious traffic, you will need to type the unknown IP addresses that your machine is communicating with (see the IP addresses in the box) into your browser and check to see whether it is a legitimate website. If not, that traffic should be immediately viewed with some skepticism.
Detecting whether your computer is infected with malware is not necessarily a simple task. Of course, for most, simply relying on antivirus software is the best and simplest technique. Given that this software is imperfect, some of the techniques outlined here may be effective in determining whether you have really been hacked or not.
