It seems like every day now that we see a new headline on a cyber security breach. These headlines usually involve millions of records being stolen from some large financial institution or retailer. What doesn't reach the headlines are the many individual breaches that happen millions of times a day, all over the world.
In previous articles, I've shown you how to create stronger passwords and how to prevent your home system from being compromised, but people are always asking me, "How can I tell if my system has already been hacked?"
The answer to that question is not simple. Hacker software has become so sophisticated that it is often hard to detect once it has become embedded in your system. Although antivirus/anti-malware software can often be effective in keeping your system from being infected, in many cases, once it has become infected, the software can't detect or remove the infection.
The reason for this is that the best malware embeds itself in your system files and looks and acts like part of your key Windows system files. Often, it will replace a system file with itself, keeping the same file name and functionality, but adding its own functionality. In this way, it looks and acts similarly to the necessary system file that your operating system needs to function properly, only the additional functionality gives a remote hacker access to your system and system resources at their will.
Although we are familiar with the idea that hackers might be seeking our credit card numbers, bank accounts, and identity, some hackers are simply seeking the use of your computer. By infecting thousands, even millions, of computers around the world, they can create what is called a "botnet."
A botnet is simply a network of compromised computers controlled by a single command and control center. I estimate that 30 to 50% of all consumer-level computers are part of one botnet or another.
This botnet can be used for many seemingly innocuous activities and many more malicious ones. Botnets can be used to send spam, crack passwords, conduct distributed denial of service (DDoS) attacks, etc. In all cases, they are using system resources that are not available to you. You will likely detect your own system running sluggishly or erratically.
Let's take a look at how we can detect if such a security breach has taken place on YOUR system.
NOTE: While antivirus and anti-malware software can differ in what they detect, I'll be referring to both collectively as antivirus (or AV) throughout this article. It's good to make sure you have one that detects both viruses and malware including trojans, worms, spyware, rootkits, keyloggers, etc.
There are many pieces of good antivirus software on the market. The problem is that even the very best will not detect over 5 to 10% of all known malware. Then, there is the unknown malware that comes out every day. Hackers are always developing new software, usually variants of existing malware, but different enough to evade the signature detection of these software developers. In these cases, your AV software is useless.
Despite this, I still recommend that you buy a reputable brand of AV software and keep it up to date. Those updates are critical as they represent the signatures of the new hacking software that is found in the "wild." Enable this software to do "active detection" and response, as once the malware has embedded itself on your computer, it is sometimes impossible to detect and remove.
Although it's hard for the average consumer to evaluate AV software and every software developers claims to be the best, there is a objective laboratory that does evaluate the effectiveness of AV software. It's known as the Virus Bulletin and you can see its results here. The chart below is from their latest results evaluating numerous software. As you can see, AV software is NOT created equal.
In the two systems I will use in this article, both had been through a deep AV scan of the entire hard drive. In both cases, no malware or viruses were detected, but I was still suspicious of infection.
The first thing to check when you suspect that you have been hacked is your Windows Task Manager. You can access it by hitting Ctrl+Alt+Del on your keyboard and selecting Task Manager at the bottom of the menu that pops up, or just type Task Manager in the run line of your Start menu.
When you open the Task Manager and click on the "Processes" tab, you should get a window similar to the one below. Note at the bottom the CPU usage. In this infected machine, the system is sitting idle and CPU usage is spiking near 93%! Obviously, something is going on in this system.
Below, you will see the same Task Manager on an uninfected system. With the system idle, CPU usage is under 10%.
Now that we know something is awry on our system, let's delve a bit deeper to see if we can identify it.
Very often, malware will embed itself into the system files which would explain why the AV software couldn't detect or remove it. Microsoft builds a system integrity checker into Windows called sfc.exe that should be able to test the integrity of these system files. From Microsoft's documentation, it describes this utility saying:
"System File Checker is a utility in Windows that allows users to scan for corruptions in Windows system files and restore corrupted files."
The idea here is that this tool or utility checks to see whether any changes have been made to the system files and attempts to repair them. Let's try it out. Open a command prompt by right-clicking and choose Run as Administrator. Then type the following command (make sure to press Enter afterward).
As you can see from the above screenshot, the malware remains hidden even from this tool.
If the malware on our system is to do us any harm, it needs to communicate to the command and control center run by the hacker. Someone, somewhere, must control it remotely to get it to do what they want and then extract want they want.
Microsoft builds a utility into Windows called netstat. Netstat is designed to identify all connections to your system. Let's try using it to see whether any unusual connections exist.
Once again, open a command prompt and use the following command.
Since a piece of malware embedded into the system files can manipulate what the operating system is actually telling us and thereby hide its presence, this may explain why nothing unusual showed up in netstat. This is one more indication of how recalcitrant some of this malicious malware can be.
If we can install a third-party software for analyzing the connections to our computer, we may be able to identify the communication to and from our computer by some malicious entity. The perfect piece of software for this task is called Wireshark.
Wireshark is a free, GUI-based tool that will display all the packets traveling into and out of our computer. In this way, we might be able to identity that pesky malware that is using up all our CPU cycles and making our system so sluggish.
Since Wireshark is an application and not part of the Windows system, it is less likely to be controlled and manipulated by the malware. You can download Wireshark here. Once it has been installed, click on you active interface and you should see a screen open like that below.
Wireshark then can capture all the packets traveling to and from your system for later analysis.
The key here is to look for anomalous packets that are not part of your "normal" communication. Of course, it goes without saying that you first should have an idea of what is "normal."
If you haven't looked at your normal communication, you can then filter packets to only look at a subset of all your communication. As attackers often use high number ports to evade detection, you can filter for, say ports 1500-60000. If you have malicious communication taking place, it will likely appear in that port range. Furthermore, let's just look for traffic leaving our system to see whether the malware is "phoning home" on one of those ports.
We can create a filter in Wireshark by typing it into the Filter window beneath the main menu and icons. Filters in Wireshark are a separate discipline entirely and beyond the scope of this article, but I will walk you through a simple one for this purpose here.
In this case here, my IP address is 192.168.1.103, so I type:
This filter will only show me traffic FROM my system (ip.src). Since I also want to filter for ports above 1500 and below 60000, I can add:
and tcp.port > 1500 and tcp.port < 60000
The resulting filter will only show me traffic that meets all of these conditions, namely, it should be:
- Coming from my IP address (ip.src == 192.168.1.103)
- Coming from one of my TCP ports above 1500 (tcp.port > 1500)
- Coming from one of my TCP ports below 60000 (tcp.port < 60000)
When I type all of this into the filter window, it turns from pink to green indicating my syntax is correct like in the screenshot below.
Now click on the Apply button to the right of the filter window to apply this filter to all traffic. When you do so, you will begin to filter for only the traffic that meets these conditions.
Now the key is to look for unusual traffic here that is not associated with "normal" traffic from your system. This can be challenging. To identify the malicious traffic, you will need to type the unknown IP addresses that your machine is communicating with (see the IP addresses in the box) into your browser and check to see whether it is a legitimate website. If not, that traffic should be immediately viewed with some skepticism.
Detecting whether your computer is infected with malware is not necessarily a simple task. Of course, for most, simply relying on antivirus software is the best and simplest technique. Given that this software is imperfect, some of the techniques outlined here may be effective in determining whether you have really been hacked or not.