Recover a Compromised System

If your computer has been compromised it needs to be returned to a trusted state. Trusted state is a requirement for access to the S&T network. The idea of "cleaning" a system is not realistic, especially in the case of a system compromise, as there is no reliable way to determine if the system has been completely cleaned.  To return a computer to a trusted state requires reformatting the hard drive and reinstalling the operating system.  If your computer has not already been disconnected from the network then do so before taking any of the following steps.


Backup Data

Before reformatting the hard drive, back up important files. As a rule of thumb, only backup data files (word processor documents, pictures, presentations, etc.).  Backing up program files and directories is not recommended because applications can be modified to reinfect the system.


Wipe, Reformat and Reinstall

Wiping and reformatting the hard drive is necessary for two reasons. First, installing Windows over an existing file system does not overwrite every file which can result in the system still being compromised. Second, boot sector viruses are used to reinfect systems that have been reinstalled. It is necessary that the boot block and the file system are  both  overwritten. A reliable way to ensure this has been done is to wipe the hard drive. An example of a hard drive wiping tool is dban.

After the operating system has been reinstalled it needs to be configured to automatically download and install updates. All operating systems need this: none are immune from bugs. To minimize the chance of being compromised before getting patches installed it is imperative to install as many patches as possible before reconnecting the computer to the network. Microsoft facilitates this by providing service packs. Download the latest service pack using a different computer and move it to the reinstalled system via CD or flash drive.

The need to patch extends to all applications, especially those that either offer a service to the network (such as a web server or database server) or process files obtained from the Internet (such as Adobe Reader or Adobe Flash).

 

Windows Restore Points

 

Windows provides some conveniences that are very attractive alternatives to a complete reformat and reinstall procedure. However they are not effective when it comes to the remediation of a compromised system. For example, the system restore points are a good way to recover from a bad driver installation, but do nothing for virus infections. The reason is that a system restore point is neither a complete snapshot of the system nor protected from malicious changes being only a copy of a limited set of system data. The restore point does what it was intended to do (recovering from bad drivers or system settings), but nothing more.

 


Passwords and Financial Information

A compromised system often has a key logger installed. Key loggers are usually used to steal passwords and bank account information, but in general can be used to let someone else know everything you type. It is highly recommended that you change your S&T password, as well as any password used to access sensitive, confidential, or financial information. It is also highly recommended to put a credit watch on any financial accounts that may have been compromised.

If S&T Security has determined that there was a key logger installed, changing your S&T password is mandatory.


Avoiding Reinfection

The best way to avoid these problems is a combined approach.

  1. Be skeptical.  If something sounds too good to be true, the odds are very good it is. There is no such thing as a free lunch: if you aren't paying for it then there will still be a cost. With open source software that cost may simply be no support, a model sometimes used by companies when they make a free version of their paid-for product. Always be sure you know what the cost is -- if you can't find a cost it is most likely malicious. It might be spyware, steal passwords and credit card information, conduct fraud through your system or something else.
  2. Run antivirus software and keep it updated.  Antivirus software will give a warning about what is detected and can keep some viruses off the system. Use mainstream, well known, antivirus programs. Some "greyware" antivirus applications function as spyware and, in the extreme case, there are malware programs that pose as antivirus.
  3. Keep the computer up to date on patches.  Whether it is a Linux, Macintosh, or Windows system it needs to be kept up to date on security patches. The most reliable way to do this is to configure the operating system to automatically download and install patches. A fully patched system is still vulnerable either due to an unpatched vulnerability or user action, but it helps significantly in reducing the impact of common attacks.
  4. Avoid toolbars and other unnecessary programs.  Not all toolbars are malicious, but many of them are and none are necessary. Because it is difficult at best to tell before hand just how malicious an application is going to be the best thing is to simply not install anything that is not necessary. If it is a free application consider how they are making their money and realize that just displaying advertisements does not make enough money to pay for development, much less the marketing that led you to the application.
  5. Do not open unknown files.  Whether it came over IM from a friend, was downloaded from a website, or acquired via P2P be certain that you know what the file actually is. A lot of infections spread by sending a disguised file to everyone in the IM contact list -- verify that your friend actually sent the file. Evaluate the risk of a downloaded file: for example a video downloaded from YouTube is less likely to be a problem than a video from a site you've never heard of. It is common practice to embed a virus in a video file by making it a precondition for viewing.
  6. Use a better browser.  Make sure your browser has an ad blocker. If feasible, disable javascript (on FireFox, the NoScript extension provides a lot more flexibility than the normal on/off). Stick with major browsers such as FireFox, Chrome and Safari. For NoScript, recommended starting point is to deny all sites by default other than mst.edu and other Missouri university system domains. You can use the advanced settings to forbid META redirections that prevent some sites from working without scripts.
  7. Consider using virtual machines.  If you have virtual machine software, such as VMWare, then you may want to consider running everything in separate virtual machines. This works best if the host operating system is not used for anything other than hosting the virtual machines and is only really meaningful if the virtual machines are kept completely isolated from one another. If you do all online banking in one virtual machine and general web browsing in another it is less likely that a compromise of the web browsing virtual machine will compromise your financial information.