These are the thoughts of a security guy compiled into what I hope will be a non-boring edition. If people care they can find all the advice in the universe – passwords, software etc. Once that fails on you it's a different space.
Once you think you are already hacked and you find this, you are looking for ideas rather than the same old el-standero advice. Which may be good advice, but hardly much help. If you are in this concerning place you might need a more light-hearted and less technical post to read – yet with some creative solutions at the end.
Reverse engineering being hacked:
First – take stock by turning your computer off and formulating a plan. I’m assuming you feel that you have been compromised and things were getting worse.
What is the worst that can happen?
- You might get wiped completely
- Ransomware – your drive gets encrypted so it's like the data is gone unless you pay the extortion
- Your OS is so infected that you can't really use it to clean itself, because the tools are too resilient and just keep replacing themselves or damaging the system so you can't remove them.
How long is it going to take to get back to where I was?
Do you have backups that are relatively current? Maybe you can backtrack to before you feel you got hacked – but even then some files or changes might be lost.
You aren't sure what backups you have, whether they work, or where they are. You really just want to turn the computer back on right now and soldier on with that anti-virus or anti-malware which has already failed you. Yes, in the past I was often able to remove an infection with a different product … but these days it gets more difficult.
Ratting is related to RAT, or Remote Access Tool – like a remote support tool, except for the purposes of stopping you from fixing things, stealing your secrets or doing other bad things. Some of these tools really won't let you get rid of them until you find every part and delete it – likely you'll go for maintenance or safe mode. Even there it may not be possible to find where it's hiding.
It's time to face the ugly – it's time to reinstall your system. You can go to the shop and get a new hard disk or SSD. Maybe you don't have "recovery ware" – the media that lets you install the system the way it was delivered. Laptops often ask you to make some kind of USB or DVD image.
Reinstalling your system is the only way to be sure, and it is what security professionals call for. This is where you end up finding yourself in the "boring land" of guides like "how to perform a clean install of your computer".
They are very positive for people who have collected everything and already have backups. If you have no backup – well, the best way to make a backup is to pull your disk and clone it. If that is too hard, that's fine – I accept that you are probably reading this saying "oh shit, oh shit" if you've been hacked and the truth is dawning on you.
However, it takes mere hours to reinstall to a new drive and start copying things over if you get the right tools. So just go to a store and find someone who has a clue. Ask them for some way of cloning a disk; can they sell you a disk/SSD? Maybe they will even put an OS (Windows, Ubuntu, Mac) onto the disk for you so you can try to boot it. You never know how resourceful a computer store person might be – they might already have all the "pre-install" stuff ready.
If you own the storage devices you're easily protected!
Whether you are making manual backups before it's too late or starting recovery after noticing you were hacked, fast and useful storage media must be on hand. You can move swiftly right away if you have fast USB drives; drives doing 150 MB per second are very cheap even at large sizes. Get several, because you can't have too many but you can certainly have too few.
Go offline (disconnect your internet) and start copying important files off while you prepare other steps. One might be a recovery image you get from the manufacturer, another might be your OS installer (bootable USB) that you make from a guide. These days your USB flash drives or SD memory cards are even accessible pre-boot. It's certainly likely to be quicker and less failure-prone than that old external hard disk that you probably overloaded with music and video media.
If you just got hacked rebooting may make it worse?
Before you just reboot as if you had an app/system failure, consider that being infected tends to mean malware that will install itself further at reboot. If you have an Ubuntu bootable USB, or recovery media with a disk cloning utility, then you can boot into a different system so your malware is not activated. Then copy things to another location to be used for recovery of your files and settings later.
When I got infected by something very potent – using p2p apps to bypass firewalls – the trap was waiting for the next reboot. It rewrote the Windows registry permissions to the point that I didn't have permission to reverse it. I had backups, so I decided to fight the good fight with the stuff – like I usually would – and kill it off. I had tools to kill everything running in memory besides a few important bits.
The priority should always be to copy files over to storage and make backups if you are in "the bad" (unsure if you have backed up) or "the ugly" (you lose, time to reinstall fresh) scenarios. So I can't advise you to start fighting and seeking and destroying malware by hand until you have copied everything. If you do, you certainly want to be "offline", and being offline you might find you can't do anything. So you should have a clean system to download and set up bootable media and tools. Try not to use your infected system – the downloads might become infected with virus/malware that prevents you from even starting them up.
If you reboot after things were looking grim it might trigger the next, worse phase, especially if you are online (on the internet). What you should do is find some other computer – maybe you can afford to just buy one, or borrow a laptop from family or friends – so you can use it to clone your disk, or make a USB to reinstall or fix your OS.
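The "boot clean media, copy first, and make sure the backup actually works" advice above, as a runnable sketch. This is an added example, not part of the original post; it assumes a Linux live USB with GNU coreutils, a placeholder device /dev/sdX1 for the suspect disk, and mount and destination paths you choose yourself.

```shell
#!/bin/sh
# Added example (not from the original post). Run from a clean live USB
# (e.g. an Ubuntu boot stick), never from the infected OS itself.
# Assumptions: the suspect disk is attached but NOT booted; /dev/sdX1 and
# the mount/destination paths are placeholders you must adjust.
set -eu

# Mount the suspect partition read-only and with no execute rights, so
# nothing on it runs and nothing on it changes while you copy.
# Needs root; not exercised by the self-test below.
mount_suspect_ro() {
    dev="$1"   # e.g. /dev/sdX1 (placeholder)
    mnt="$2"   # e.g. /mnt/suspect
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# Copy a directory tree to the rescue drive, preserving timestamps and
# permissions (cp -a) so the backup is usable for a later restore.
copy_tree() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    cp -a "$src/." "$dest/"
}

# Record a SHA-256 for every copied file, in a manifest written BESIDE the
# backup (not inside it). It proves later that the backup is intact and is a
# fingerprint of exactly what you took off the disk.
write_manifest() {
    dest="$1"; manifest="$2"
    ( cd "$dest" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$manifest"
}

# Re-hash the backup and compare with the manifest; returns non-zero on any
# mismatch or missing file, so you learn the backup is bad BEFORE you wipe.
verify_manifest() {
    dest="$1"; manifest="$2"
    abs="$(cd "$(dirname "$manifest")" && pwd)/$(basename "$manifest")"
    ( cd "$dest" && sha256sum --quiet -c "$abs" )
}

# Typical sequence on the live USB (placeholders, needs root for the mount):
#   mount_suspect_ro /dev/sdX1 /mnt/suspect
#   copy_tree /mnt/suspect/Users/me /media/rescue/me
#   write_manifest /media/rescue/me /media/rescue/me.sha256
#   verify_manifest /media/rescue/me /media/rescue/me.sha256
```

Keep the manifest with the backup: a verify that passes on the rescue drive is the "do my backups work?" answer you want before reinstalling.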