18 May 2012

How do you tell if your computer is infected?

My brother recently asked me how to tell if your computer was part of a botnet. Now, I'm not a real Windows jock any more, so I don't know how much help I can be: I'm not really up on the mechanics of telling if your computer is compromised from the inside.

I can tell you, though, that it may not be practical to even try.

The problem is that if your computer has been compromised, the attacker can install components that change the behavior of every tool running inside the computer. There are specific toolkits, "rootkits", that hook the operating system calls antivirus and other security software rely on, so those programs never see the files, processes or network connections the malware is hiding. If you run a security scan and it doesn't see anything, you still can't be sure: you're asking the suspect to search itself.

The best way to tell if your computer is part of a botnet is from outside your computer. What I used to do, before virtual machines were cheap, was run an external firewall router. Since the firewall isn't inside the computer's trust boundary, malware on the computer can't alter what the firewall records (short of attacking the firewall itself). You can look through the firewall's logs for connections to sites you don't recognize, connections at hours when nobody was using the computer, or the same destination being contacted on a fixed schedule. These days, you can run Windows in a virtual machine and capture the guest's traffic from the host side, where the guest's rootkit can't reach (barring an escape from the VM), and get the same result more cheaply.
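As an added example of the log review described above (not code from the original post), here is a small Python script that sifts an outbound-connection log for the three tells just mentioned: connections during hours the owner declares idle, destinations not on a hand-kept list of known-good hosts, and destinations contacted at suspiciously regular intervals. The log format, the addresses, the idle window and the known-good list are all constructed for illustration; a real firewall's format will differ and the regular expression is the only part that needs changing.

```python
"""Sift an outbound-connection log from an external firewall (or the host
side of a VM) for signs of botnet traffic.  Added example: the log format,
addresses, idle window and allowlist are constructed, not from any product."""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one line per outbound connection the firewall saw
# from the monitored host (192.168.1.10).  The format is hypothetical.
SAMPLE_LOG = """\
2012-05-17 09:02:11 OUT src=192.168.1.10 dst=198.51.100.7 dport=443 proto=TCP
2012-05-17 09:05:40 OUT src=192.168.1.10 dst=198.51.100.7 dport=80 proto=TCP
2012-05-17 21:30:02 OUT src=192.168.1.10 dst=198.51.100.22 dport=443 proto=TCP
2012-05-18 03:00:00 OUT src=192.168.1.10 dst=203.0.113.45 dport=6667 proto=TCP
2012-05-18 03:10:00 OUT src=192.168.1.10 dst=203.0.113.45 dport=6667 proto=TCP
2012-05-18 03:20:00 OUT src=192.168.1.10 dst=203.0.113.45 dport=6667 proto=TCP
2012-05-18 03:30:00 OUT src=192.168.1.10 dst=203.0.113.45 dport=6667 proto=TCP
2012-05-18 10:15:27 OUT src=192.168.1.10 dst=198.51.100.7 dport=443 proto=TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) OUT src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")

# Hours during which the owner says nobody is at the keyboard (assumption).
IDLE_START, IDLE_END = time(0, 0), time(6, 0)

# Destinations the owner recognises (assumption: a hand-maintained list).
KNOWN_GOOD = {"198.51.100.7", "198.51.100.22"}


def parse_log(text):
    """Turn log lines into dicts; lines that don't fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"],
        })
    return events


def idle_hours_connections(events):
    """Connections made while the owner says the machine was not in use."""
    return [e for e in events if IDLE_START <= e["ts"].time() < IDLE_END]


def unknown_destinations(events):
    """Destinations the owner does not recognise."""
    return sorted({e["dst"] for e in events if e["dst"] not in KNOWN_GOOD})


def beacons(events, min_count=3, jitter=0.1):
    """Return (dst, dport, period_seconds) for targets contacted on a fixed
    schedule: at least min_count connections whose gaps all lie within
    `jitter` of the median gap.  A human's browsing is not this punctual;
    a bot polling its controller often is."""
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["dst"], e["dport"])].append(e["ts"])
    found = []
    for (dst, dport), stamps in by_target.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = sorted(gaps)[len(gaps) // 2]
        # median == 0 would mean duplicate timestamps; don't flag those.
        if median > 0 and all(abs(g - median) <= jitter * median for g in gaps):
            found.append((dst, dport, median))
    return found


def report(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "idle_hours": [(e["ts"].isoformat(), e["dst"], e["dport"])
                       for e in idle_hours_connections(events)],
        "unknown_dst": unknown_destinations(events),
        "beacons": beacons(events),
    }


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, findings)
```

On the constructed log every check points at the same thing: 203.0.113.45 is contacted at 3 a.m., is not on the known-good list, and is hit every ten minutes on the dot. None of this proves infection by itself (a legitimate updater also polls on a schedule), but it tells you which traffic to go and explain, and it comes from a vantage point the malware can't edit.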

But really, for most people, you still can't be sure. The bot could be dormant, waiting for a command and making no noise in the meantime. It could be that you're just not familiar enough with reading log files to tell a bot from a software updater.

So the best thing to do if you even suspect your computer might be infected is to back up all the data (you're keeping backups, right?) and reinstall from scratch, reinstalling any applications from the original media rather than from copies on the suspect disk. Again, if you're running Windows in a virtual machine, you can copy the data out and roll back to a clean snapshot, one taken before the guest ever went online. Even if you're not infected, this cleans up cruft and dander and leaves your computer feeling years younger with a lovely silky complexion.

I used to do that every year or so, when I was using Windows at home for more than the occasional videogame. Just because it ended up making my computer faster. Apart from the external backup drive, I kept two drives inside the system and switched which one was primary. The process: unhook the "current" drive, and install Windows over again on the "old", reformatting the drive in the install process. Now the "old" drive is "current", and the current is "old". Hook up the "old" drive long enough to copy the data off it (just the data, no applications), then disconnect it, leaving it powered off until next time. If you put your ear up against it, maybe you can hear the botnet screaming to be let out...