Tuesday, February 3, 2009

How To Tell If Your Computer Has Been Hacked

Have I been hacked? Uh, yeah, I'd say so.

"Has my computer been hacked?" is a question that I hear relatively frequently in the IT support business. Unfortunately, most "hacks" are not nearly as obvious as a web page stating that you have been hacked with some weird Arabic text scrawled underneath. In fact, if you fear that a real hacker has compromised your system, you either need to go out and hire someone with a whole lot of experience in uncovering rootkits, or re-install your operating system. However, the vast majority of people don't need to worry about a dedicated hacker trying to compromise their system, and if you are just an average Joe wondering if you can safely enter that credit card number on your computer, this article might just be of some help.

Before we start figuring out if your computer has been hacked or not, we need to define exactly what we mean by "hacked". There are a lot of definitions of hacker and hacked, most of which don't apply to what the common person thinks of when they say they have been hacked. Our definition of hacked will be: "Your computer has been compromised by some sort of malicious software which could send out sensitive information, turn your computer into a zombie, or slow it down."

Pink unicorns, just like malicious software, could be hiding somewhere

Now, before we move on, please understand this: there is no way, outside of reinstalling your operating system, that you can be absolutely sure that your computer is not harboring some sort of malicious program. This is because it is impossible to verify that something is not there; it is only possible to give a probability of it not being there. Science is of course very certain that flying unicorns don't exist on earth, but since we can't look everywhere at once, there is a possibility that pink unicorns are just very good at hiding. The same principle applies to computers for the average person.

Some of the things I talk about will be useful for any operating system, but since most people in the world run Windows XP or Vista, I will focus on those operating systems. Also, I am not going to give step-by-step instructions on how to use the tools I talk about. This article assumes some decent knowledge of operating systems, applications and networking. If you have specific questions for me, please feel free to leave a comment and I will respond.

OKAY, enough of the preamble, let's get on to the good stuff!

Why do you think you were hacked?

The first thing we have to do is examine just why you think that you have been hacked. Is it because your computer has been slowing down, or did you download something that, after thinking about it, seems shady? This step is very important, because it can really help narrow down where you need to look or what type of intrusion to look for. For example, if you downloaded a supposed tool to help you track UPS shipments, you very likely downloaded the Anti-Virus 2009 trojan.

Boot CDs & Virus Scans

In my opinion, the first step to take if you think your computer has been compromised is to run a virus scan. But I don't want you to run just any type of virus scan; I want you to boot into a live CD and run the virus scan from there. A live CD, or bootable CD, is an entire operating system that runs entirely from the CD. The reason for using a boot CD is that your compromised operating system is not running, so it can't get in the way: the virus can't detect the scan beginning and run away. My boot CD of choice for running an anti-virus scan would be Ultimate Boot CD for Windows. Go there, follow the instructions and boot your computer up with it. You should be at home with the interface if you have ever used Windows XP. Once booted up, just start up the anti-virus scan of your choice and go make a cup of coffee (or two!). With the scan completed, take a look at the scan results. Did it find anything? If so, Google those viruses/trojans and see if there is any other way to check to ensure that they are gone.

Once you have completed the boot CD anti-virus scan, boot back into your normal operating system. If you were originally having issues with the computer being slow, has it gotten better now? If not, there is probably something still on your machine. If yes, there could still be something on your machine, but the evidence isn't pointing to it at this point. 99% of users really don't care about security and just want their PC to work like it used to. If you are in that 99% and your PC is working like normal, stop reading. If you are in the 1% and really want to do a thorough job, read on!

At this point, your anti-virus scan either found and removed a bunch of crap, or it didn't find anything at all. Now, just because it found and removed a bunch of malware doesn't mean your computer is out of the woods. And just because the anti-virus software didn't find anything doesn't mean that you aren't infected. Another good step at this point would be to run some other anti-virus scans on your machine. So if you ran AVG first, try running ClamAV from a Linux boot CD, or *insert anti-virus here*. Anti-virus products are all different, and some can detect and remove malware that others can't. It is a good idea to run a whole bunch of them to ensure that your bases are covered.

A kickass piece of software from Microsoft?!?!

So, now we have run at least two different anti-virus scans on our computer. At this point, things get a little bit more in-depth. An extremely useful tool at this point would be Microsoft's Strider GhostBuster software. If Bruce Schneier likes GhostBuster, that's good enough for me.

Just look at how secure that beard is!

The idea behind GhostBuster is pretty kickass. Instead of looking for malware by checking whether a file matches a known malware profile, it uses malware's most annoying trait against it. You see, malware is doing all sorts of stuff in your system while you are using it: making changes to the registry and doing its best to hide from any virus scans that come along. GhostBuster turns that primary defense mechanism, hiding, against the malware. First you run an initial scan with GhostBuster from inside your running Windows, and it looks through your computer. Then you boot up with a special GhostBuster boot CD and it does another scan of the same disk. If it notices differences between the two views, it knows immediately that something very fishy is going on: whatever was hidden from the running system shows up from the boot CD. If the tool doesn't find any differences, you are most likely in the clear, and you can go back to computing Nirvana!
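As an added illustration (not part of the original article, and not Microsoft's own code), here is the cross-view comparison GhostBuster relies on, reduced to a few lines of Python: two inventories of the same disk, one taken from inside the running OS and one from a clean boot, are diffed, and anything the live view omits or reports differently is flagged. The file paths, sizes and digests are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str     # full path, as each view reports it
    size: int     # size in bytes
    sha256: str   # content digest (constructed placeholder strings below)


def cross_view_diff(inside_view, outside_view):
    """Compare an inventory taken from inside the running OS with one taken
    from a clean boot CD.  Returns (hidden, tampered, phantom) as sets of
    lower-cased paths:
      hidden   - present offline but missing from the live view (a rootkit
                 filtered it out of directory listings)
      tampered - present in both views but size or digest differs
      phantom  - reported by the live view but absent offline (spoofed entry)
    """
    # NTFS paths are case-insensitive, so normalise before comparing.
    inside = {e.path.lower(): e for e in inside_view}
    outside = {e.path.lower(): e for e in outside_view}
    hidden = set(outside) - set(inside)
    phantom = set(inside) - set(outside)
    tampered = {
        p for p in inside.keys() & outside.keys()
        if (inside[p].size, inside[p].sha256) != (outside[p].size, outside[p].sha256)
    }
    return hidden, tampered, phantom


# Constructed sample inventories; paths, sizes and digests are made up.
INSIDE_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 989696, "d1"),
    Entry(r"C:\Windows\System32\drivers\tcpip.sys", 361344, "d2"),
    Entry(r"C:\Windows\System32\svchost.exe", 14336, "d3"),
]
OUTSIDE_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 989696, "d1"),
    Entry(r"C:\Windows\System32\drivers\tcpip.sys", 361344, "d2"),
    Entry(r"C:\Windows\System32\svchost.exe", 14336, "d9"),          # same size, new content
    Entry(r"C:\Windows\System32\drivers\example.sys", 40960, "d4"),  # never shown to the live OS
]

if __name__ == "__main__":
    hidden, tampered, phantom = cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)
    for label, paths in (("hidden", hidden), ("tampered", tampered), ("phantom", phantom)):
        for p in sorted(paths):
            print(f"{label:8} {p}")
```

Note that a hash comparison catches the replaced svchost.exe even though its size is unchanged, which a size-only check would miss.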

When to give up & reformat

If it does find a difference, it might give you some clues as to where the rootkit is hiding, but it will not remove it. If it does find something, I would recommend backing up important documents and then reinstalling your operating system.

Disappointing? Yes. Most time effective? Absolutely.

Quite simply, there is a point where it is just easier to back up your data (you were already doing that anyway, right?) and then reinstall. If there is a rootkit on your home PC and anti-virus scans couldn't find it, it is almost certainly easier to reformat and install XP or Vista again. An operating system install only takes a few hours from start to finish; tracking down a rootkit is much harder technically and will take a much longer amount of time. Sorry :(


Reader Comments (3)

A operating system install only takes a few hours from start to finish, tracking down a rootkit is much harder technically and will take a much longer amount of time
December 9, 2009 | Unregistered Commenter Cheap computers
That's very true, and the last part of this piece goes over that.

"When to give up & reformat

If it does find a difference, it might give you some clues as to where the rootkit is hiding, but will not remove it. If it does find something, I would recommend backing up important documents, and then reinstalling your operating system.


Disappointing? Yes. Most time effective? Absolutely.

Quite simply, there is a point where it is just easier to backup your data (you were already doing that anyway, right?) and then reinstall. If there is a rootkit on your home PC, and anti-virus scans couldn't find it, it is almost certainly easier to reformat and install XP or Vista again. A operating system install only takes a few hours from start to finish, tracking down a rootkit is much harder technically and will take a much longer amount of time. Sorry :("
December 10, 2009 | Registered Commenter Rob Steenwyk
Once booted up, just start up the anti-virus scan of your choice and go make a cup of coffee (or two!). With the scan completed, take a look at the scan results... and if you still have problems, try re-installing your Windows!
February 10, 2010 | Unregistered Commenter free icon
