Reg Asks Jack For Help
on January 12th, 2010

How do I know if my computer’s been hacked? There are many different ways to determine if your computer is hacked. There are a large number of experts offering their opinion on the question. Practically speaking, you do not need opinions. You need something definitive.
A personal favorite is a set of old indicators from Kevin Mandia. At Black Hat 2005, when Mandiant was still called Red Cliff Consulting, he reported these indicators:
- System crashes
- Continual termination of Antivirus Software
- New applications do not install
- Commonly used applications do not run
- You cannot “Save As”
- Task manager closes immediately when you execute it
- Task manager fails to operate properly
These indicators were culled from countless engagements undertaken by Kevin Mandia’s company.
Why are five-year-old indicators listed here? Because they are just as true now as they were then. We are two versions removed from the XP of that time and the Task Manager is still in play. Hackers still target, and always will target, vulnerabilities in operating systems and computer programs in ways that cause them to crash. Hackers also do not want anti-virus software to detect them, so they try to hide themselves – which doesn’t work too well sometimes.
This all seems anecdotal though. How do I tell a hacker apart from a failing hard drive? Research is the typical answer. Investigating the symptoms surrounding the above indicators will reveal the answer. That is why it is very important to report errant behavior to someone who can help you. For example, report the problems to the company’s System Administrator or the kids at home (be realistic, they’re the real computer authorities in your house). This still isn’t definitive and is perhaps more frustrating to some (not everyone has a computer expert they can rely on).
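One way to start that research on a Windows machine is to sort event log records into the indicators above and into disk errors, which point at failing hardware instead. This is an added example, not part of the original post: the event IDs are standard Windows ones, while the sample records, the "ExampleAV Service" name, the mapping of a Task Manager crash to the Task Manager indicators, and the verdict rules are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records (source, event ID, detail); not real log data.
# "ExampleAV Service" is a placeholder antivirus service name.
SUSPICIOUS_HOST = [
    ("Service Control Manager", 7034, "ExampleAV Service"),
    ("Service Control Manager", 7034, "ExampleAV Service"),
    ("Application Error", 1000, "taskmgr.exe"),
    ("EventLog", 6008, "previous shutdown was unexpected"),
]
FAILING_DISK_HOST = [
    ("Disk", 7, r"\Device\Harddisk0\D has a bad block"),
    ("Disk", 51, r"\Device\Harddisk0\D paging error"),
    ("Application Error", 1000, "winword.exe"),
    ("EventLog", 6008, "previous shutdown was unexpected"),
]


def classify(source, event_id, detail, av_services):
    """Map one event record to an indicator category, or None."""
    source, detail = source.lower(), detail.lower()
    if source == "disk" and event_id in (7, 51):
        return "disk_error"  # hardware explanation, not one of the indicators
    if source == "service control manager" and event_id == 7034:
        # 7034: a service terminated unexpectedly
        return "av_terminated" if detail in av_services else None
    if source == "application error" and event_id == 1000:
        return "taskmgr_crash" if detail == "taskmgr.exe" else "app_crash"
    if source == "eventlog" and event_id == 6008:
        return "system_crash"
    return None


def triage(events, av_services=("exampleav service",)):
    """Count indicators and suggest where to look first (assumed heuristic)."""
    counts = Counter()
    for source, event_id, detail in events:
        category = classify(source, event_id, detail, av_services)
        if category:
            counts[category] += 1
    tamper = counts["av_terminated"] + counts["taskmgr_crash"]
    if tamper and not counts["disk_error"]:
        verdict = "report: security tools are failing"
    elif counts["disk_error"] and not tamper:
        verdict = "check hardware first"
    elif tamper:
        verdict = "report: tool failures alongside disk errors"
    else:
        verdict = "inconclusive"
    return dict(counts), verdict
```

Both sample hosts show crashes, so crashes alone do not separate them; the verdict turns on whether the antivirus and Task Manager failures appear without disk errors.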
That’s where an IDS comes into play. An IDS is an Intrusion Detection System that monitors networks to identify hackers. The IDS can see the traffic leaving computers and identify it as benign or malicious. More germane to this article, the IDS can identify exact traffic that indicates a computer has been hacked. Hacker software has tell-tale signs that definitively expose its activity.
It is fun to be an IDS Analyst and have a conversation with a “smart” System Administrator. “My computer is not hacked. It is operating just the way it is supposed to.” Unbeknownst to them, the analyst can see the entire contents of the computer in question fly across the network.
