Common signs of compromised system and ways to fight back

In today’s spectrum of possible threats, AV engines are something that gives us relaxation. However, such scammers are horrifically inaccurate especially when the exploits are 24 hours or more. Hackers always try to change their tactics. So, any previously recognized malware could be unrecognizable with a swap of few bytes around.

What you should do in such a case is to drop the suspected applications on the Google’s VirusTotal that has 60 + anti-malware scanners to see the detection rates are not all that is advertised.

To combat this situation, many AV tools monitor programs’ behaviors and others use virtualized environments, system monitoring, network traffic detection and all of the above for the accuracy. Still, if they fall, you must know how you can spot malware infection. Here, with this article, we are providing 15 signs that tell you about your PCs have been hacked. Also, you will be guided how you should fight back in such situations.

Common signs of infection

  • You receive a ransom note
  • You see a fake antivirus message
  • You have unwanted browser toolbars
  • Redirection to Internet searches
  • Random pop-ups
  • Your friends receive some type of invitations from your social media accounts without your actual doing this
  • Online password is not working
  • You observe unexpected software installs
  • The mouse moves between programs and make selections
  • Crucial Antivirus tools, Task Manager or Registry Editor gets disabled
  • Financial loss from your account
  • Notifications claiming about systems hack
  • Confidential data leakage
  • Credentials are in a password dump
  • Strange network traffic patterns

 Compromised systems become no trustworthy. You need to fully restore the system. Earlier, this meant as formatting the computer and restoring all programs and data. But today, it might simply mean just clicking on the Restore button. Below mentioned guides will help you recover from all situations aforementioned, however, fully restoration of the system is always recommended.

  1. You receive a ransom note

This is one of the worst messages that users see on their computer screen. The message tells about data encryption has taken place on their system, rendering all the files inaccessible. The users are demanded certain amount of money to unlock them. Small businesses, large businesses, hospitals, police stations and entre cities are being brought to the halt by this infection. Above 50% victims submit the payment thinking that it is not going away anytime soon. Payment is however, not the solution as most of the victims end up with many days of downtime and additional recovery steps even if they submit the payment.

The way you should react in this situation – You should look for some good, reliable, tested, offline backups. You are taking a risk of you have not a good, tested backups that are inaccessible to malicious intruders. If you are using file storage cloud service, it has probably had backup copies of your data. However, not all cloud storage services have the ability to recover from ransomware attacks and some services don’t cover all files types. Sometimes, tech support can help in files recovery. Lastly, several sites may help you in files recovery without paying the ransom. They figure out the shared secret encryption or some other way to reverse-engineer of the ransomware.

  1. You see a fake antivirus message

A pop-up appears on the computer telling about system infection. The main reasons of occurrence of such pop-up messages are the system got compromised or it is compromised beyond the pop-up message.

What you should do – just close the tab and restart your browser, if you are lucky enough you will find everything is set. Sometimes, restarting the browser reloads the original page that forced the fake ads. In such cases, you require restart the browser in incognito mode as you can browse to a different page and stop the fake AV message from appearing. In worst scenario, such AV messages have compromised your computer. If this is the case, you need to save everything and then restore the system to the previous known clean image.

Note: A related scam is tech support scam. In this, browser pop-up message says your system has been compromised and asks you to call on the provided number to get technical support help. Often, such warnings claim to be from Microsoft or Apple if you are using it. The scammers ask you to install a program that later on provides remote access to them. They will then run a fake AV scan that not surprisingly finds a lot of issues. You are then requested to pay them certain amount of fee for the app to be fully functional. Luckily, this type of scam can usually be defeated by rebooting the system or closing the browser program and avoiding the website that hosted it on upon you.

  1. You have unwanted browser toolbars

You could see multiple new toolbars that appear to supposedly help you.  This is common sign of exploitation. You must require dump such bugs toolbars, unless you recognize the toolbar as coming from well-known venders.

 What you should do – Most often, people are allowed to review installed and active toolbars by browsers. They can remove them if they do not want them. When you have any doubt, just remove it. If the bogus toolbar is not listed there or you can’t easily remove it, see if the browser has an option to reset t he browser back to its default settings. if this does not work, follow the instruction listed in the how to deal with fake antivirus messages.

  1. Redirection to Internet searches

Many hackers get monetized by redirecting you to unwanted pages, get paid by clicks appear on someone else’s website. They often have no idea that the c licks to their sites are from malicious redirection. To stop this type of infection, type a few work like puppoy or goldfish into the internet search engine and check whether the same website appear in the results – in almost all cases, the results are no way relevant to the searches.

If general, bogus toolbars cause such redirects. Technical users who want to confirm can sniff their browser or traffic. The traffic sent and returned will always be distinctly different on the compromised computer and on an uncompromised computer.

What to do- you should see the recommendations provided on how to remove bogus tools. Also, if on a Microsoft Windows computer, check C:\Windows\System32\drivers\etc\hosts file to see if there are any malicious looking redirections configuration within.

  1. Random pop-ups

When you are receiving random pop-ups from websites that normally do not generate them, this is an indication of your system got compromised.

What to do- You should get rid of all bogus toolbars and other programs if you are constantly seeing pop-ups on random sites. Typically, these previous malicious mechanism noted above generate these pop-ups

  1. Your friends receive some type of invitations from your social media accounts without your actual doing this

Many of us have seen this once before that there is an invitation “be a friend” to the one who is already a friend on the social media platform. In such cases, we start thinking about why are they inviting me again? Did they unfriend me earlier on the social media site and now they are re-inviting me. Then the friend’s social media site might be devoid of other unrecognizable friends and all earlier posts deleted. Or it could be the case, the friend is contacting you to find out why you are sending out a new friend requests. Here two possibilities arise – either the hackers control your social media site and has created second near look-a-like bogus page or you or the friend has installed a rogue application.

What to do – Firstly, warn other friends not to accept the unexpected friend request. Next, if not the first, contact the social media site and report the site or request as bogus. You can find the way to how to report bugs requests through searching on the online help. Often, it is an easy task – clicking one or two buttons is required to complete the process. If the social media site is truly hacked, you will need to change your password.

We advise you to not to take time on changing to Multi-factor authentication. This way rogue apps cannot easily steal and take over your presence on social media. Lastly, be careful when downloading and installing any social media applications. You should inspect he installed app associated with your social media account/page and remove all but the ones that you wish to download.

  1. Online password is not working

If you’re typed in passwords correctly and then find it is not working, it is likely that a rogue hacker has logged in using your password and changed it to keep you out. However, you should not hurry to get into this result as in many cases, what we have observed is various technical difficulties not let valid password for short time. So, you should try again after 10 to 30 minutes and even then you find the same issue, it is likely that the previous case is true.

In a scenario, victims responded to an authentic looking phishing email that purportedly claims to be from the service. The malicious actors use it to collect the log-in information, logs on, change the password and use the services to steal money from the victims or the victims’ acquaintances.

What to do – Firstly, notify all your close contacts about your compromised account. This will minimize any damages to other due to your mistake. After this, contact the online service to report the compromised account. Most online services now have easy methods or email contact addresses to report about compromised accounts. If you report about the compromised, the service will help you restore the legit access.

  1. You observe unexpected software installs

Unwanted and unexpected software installation is a sign of system being compromised. In earlier days, most programs were computer viruses that modify other legit programs so as to hide themselves on the system. Most malware of these days are Trojans and worms that typically install themselves as legit programs.

What to do – There are several apps that let you see all installed apps and disable the wanted ones.   Autoruns or Process Explorer is one of such checkers provided for free. This Microsoft based application will tell you the ones that automatically start themselves when the system is restarted (Autoruns) or the ones currently running (Proces Explorer).

Most computer malware can be found embedded in much larger list of legitimate running programs. The hard parts help you to determine what are legit and what not. You can enable the Check options to get known which ones it thinks as malware. When in doubt, disable all unrecognized programs, reboot the device and re-enable the program only if some needed functionality is no longer working.

  1. The mouse moves between programs and make selections

Pointer moves while making selections that work indicates system infection. Such issues arise most often due to hardware problems. If the movements involve making choices to run certain programs, there will be the higher chance some bad actors involvement behind it. The technique they could use is no way common as some other attacks. They will break into a computer, wait for it to be idle for the long time and then try to steal your money. They will break bank accounts, transfer money, trade your shoes and do all sort of rogue activities.

What you should do – You should come alive one particular night and take a moment before turning it off to determine what actually the intruders are interested in. It will be useful to see what they are looking at and trying to compromise. Take a few pictures to document to their tasks. When it makes any sense, power of the computer, unhook it from all networks and call the professionals.

Using another computer, change your logons names and passwords and check the bank account transaction histories, stock accounts and so on. If you have been a victim of the attack, completely restore the computer. If you have lost money, let the forensics team make a copy of this and call law enforcement and file a case.

  1. Crucial Antivirus tools, Task Manager or Registry Editor gets disabled

If you notice that AV software gets disabled, you are probably exploited – especially when you try to start Task Manager or Registry Editor and are not able to start or they start and disappear or start in a reduced state.

What to do – You require performing full system restoration here because there is no telling what has happened. If you try something less drastic first, try running Microsoft Autoruns or Process Explorer to root out the malicious programs causing the problems. They will usually identity problematic program and provide you an option to uninstall or delete it.

In case, the malware fights back and won’t let you easily uninstall it, find on internet various methods to restore the lost functionality and then restart your computer in Safe Mode and then follow the procedures suggested to you from the results on search engine.

  1. Financial loss from your account

Bad guys don’t usually steal a little money. They demand everything or nearly everything, often to a foreign bank exchange or bank. It begins with system getting compromised or yours responding to some fake phish from your bank or stock trading company. The bad actors logon to the account, change the contact information and then transfer large sum of money to themselves.

What you should do – Most financial institutions will replace the stolen funds. However, there have been the cases when courts have ruled that it is the duty of customers to take care of their accounts and prevent them from being hacked and it is up to the financial institutions to decide whether they want to make restitution or not.

To prevent this thing from happening, you should turn on the transaction alert that sends text alters to you when something unusual is taking place. Many financial institutions offer you to set thresholds on transaction amounts and if this threshold is exceeded or it goes to a foreign country, you will be warned. Unfortunately, many a time, bad actors reset such alerts or the contact information before they steal the money. So, you should make ensure you financial or trading institution sends you alerts anytime your contact information or altering choices are changed.

  1. Notifications claiming about systems hack

Data Breach Investigations Report has revealed that more companies are noticed that they were hacked by unrelated third parties than organizations that recognize their own companies. Microsoft revealed in 2019 that it has detected notion-state attacks against over 10,000 of its customers since the beginning of the year.

What to do – Figure out whether your device is truly hacked. Make ensure that everything slows down until you confirm that you have been compromised. If confirmed, follow the predefined incident responses plan.  If you have, then ok or, otherwise make one now and practice with stakeholders. You should make ensure that everyone knows that you IR plan are thoughtful plan that must be followed. You must not want anyone going off their own hunting parties or anyone inviting more people to the party. Your biggest challenge would be having people follow the plan in an emergency.

  1. Confidential data leakage

When hacked, your organization’s confidential data would be on dark web. If you didn’t notice it first, you will be informed by media and other interested stakeholders.

What to do– Firstly, you should find out whether it is true that your confidential data out there. In more than a few cases, hackers claim to have compromised a company’s data but in reality they didn’t have anything confidential. In case, your organization’s data really compromised, it is time to tell senior management, begin the IR process and figure out what needs to be communicated to when and when. In many countries and states, there requires a legal report about compromised data within 72 hours. Within the time, if you are not able to confirm the leak or how it happened, it goes without saying that you need to get legal involved.

  1. Credentials are in a password dump

Billions of valid logon credentials are on the dark web that are compromised by phishing malware or website database breaches. Usually, you will not be notified by third parties in such case. You have to proactively look out for this sort of threat. The sooner you know the better for you.

To check whether your credentials got compromised at a time, you can take help various websites like “Have I Been Pwned”, check multiple accounts using various free open source intelligence tools like Harvester, free commercial tools as Password Exposure test or any other commercial services.

What to do– After confirmation about the compromised, reset all your logon credentials, start an IR process to see if you can figure out how your organization’s logon credentials go out the company. Also, use MFA.

  1. Strange network traffic patterns

Many a time, compromise is first noticed by strange, unexpected network traffic patterns. There could be a bad DDoS attack against your company’s web servers or large, expected file transfers to the sties on countries you are no way interact to in the business. If you want the company understand their legitimate network traffic patterns, it would be less need of a third party to tell they are compromised. It is good to know that most of the services in your company don’t talk to other servers in your company. Most servers in your company don’t talk to every workstation in your company and vice-versa. The workstations in your company should not be using non-HTTP/non-HTTPs protocols to talk directly to other places on the Internet.

What to do– If you see unexpected, strange traffic, it is probably best to kill the network connection and start an IR investigation. There was a time, when we probably would have said to err on the side of operation caution. Now, at today, you cannot take any chance. Kill all suspicious transfers until they are proven legitimate. If you don’t understand the valid network traffic, dozens of tools are available for you to better understand and document your network traffic.

Precaution is necessary

You cannot 100% rely on any AV tools. You must require paying close attention for all the common signs and symptoms on your computer of being hacked. If you are risk-adverse, you should perform a complete system restoration with the event of a breach. As the hackers can do anything and hide anywhere, it is better to just start from scratch.