Notifications from STEAM-CIRT
  1. I have just reinstalled my computer. How can I prevent it from being compromised again?!
  2. My computer was reported as possibly compromised. How can I tell?
  3. Why is it important to clean up a compromised computer?
  4. What does it mean if my computer is reported as sending spam email?
  5. What does it mean if my computer is reported as an IRC Bot Zombie?
  6. AUP Policy Violations
  7. How do I remove a virus from my computer?
  8. What does it mean if my computer is reported as having a storm worm?
I have just reinstalled my computer. How can I prevent it from being compromised again?!

There are several things that the STEAM-CIRT recommends users do to prevent virus infections and other computer compromises. 

1. You should make sure that your anti-virus software is up to date, and is set up to automatically update anti-virus signatures at least once a week. If you do not have anti-virus software, you may download McAfee Anti-virus free of charge from:

 http://www.purdue.edu/securepurdue/download/

2. Apply security software patches and updates regularly.  Windows users can use Microsoft's Windows Update Service.  Apple OS X users should install security updates when prompted by "Software Update", or by visiting:

 http://www.apple.com/support/downloads

3.  Do NOT open files sent to you in Instant Messaging or Peer-to-Peer programs.  These files may contain viruses and spread through IM and P2P networks. If the system you are using is owned and maintained by Purdue University, your department IT support should be able to help you resolve this issue.


My computer was reported as possibly compromised. How can I tell?

If you are reading this page, your computer has probably been reported as compromised, meaning that it is performing some illicit action that is usually associated with a compromised computer.  Computer compromises are generally linked to viruses, worms, Trojans, spyware, and rootkits.  For more information on why you should fix a compromised computer, see "Why is it important to clean up a compromised computer?".

Determining how a computer has been compromised is not always an easy task.  It often takes a trained systems administrator or security professional many hours to do this.  This is why the STEAM-CIRT recommends that if your personal computer is reported as compromised, you should have it checked out by a professional.  There are many computer repair stores in the Greater Lafayette area to which you can take your computer.  Just look up "Computer Repair" in the Yellow Pages.  If your Purdue-owned computer has been compromised, the STEAM-CIRT recommends that you take it to your departmental IT support staff.

If you would like to check your computer for compromises yourself, there are some options available to you.  Please note that the STEAM-CIRT offers no warranty or support for these instructions and is not responsible for lost or damaged data.  Proceed at your own risk.  If the computer reported as compromised is a Purdue-owned computer, please check with your IT support staff and departmental IT policies before proceeding.

Often, compromised computers are the result of Trojan horse software, email and IM viruses, and worms.  If your computer has recently begun acting strangely, for example running very slowly where it normally does not have problems (opening new programs, playing games, etc.), this is probably due to malware running on your system.  A variety of free and commercial tools are available that can locate some malware.

First, anti-virus software can sometimes detect and remove viruses and other malware from running systems.  Purdue offers McAfee Anti-virus for free to its students, faculty, and staff.  You can download McAfee anti-virus from:

 http://www.purdue.edu/securepurdue/download/

Sometimes, anti-spyware products like Spybot S&D and Microsoft Windows Defender can detect and remove malware from your computer as well.  However, most common rootkits and much other malware are more advanced and can hide themselves from both anti-virus and anti-spyware tools.

When rootkits are used to hide malware, your best bet is to examine the computer from a bootable CD such as BartPE, or a bootable forensics toolkit like Helix Linux, so that the hidden software is not running while you look for it.  For more information on using these tools, please visit their respective sites.  Again, the STEAM-CIRT does not offer support or warranty for these products.  Use at your own risk!


Why is it important to clean up a compromised computer?

Compromised computers are a serious threat not only to your computer's security but to your personal security as well.  Many viruses, spyware, and other malware have the ability to eavesdrop on your computing activities, which means that an intruder could potentially gain personal and sensitive information such as passwords, bank account numbers, social security numbers, and a host of other things that could facilitate the theft of your identity, theft of computing resources, and potentially anything you access on the compromised computer.

An attacker may also be able to gain further access to your computer and use it, for example to attack other users or entities, or to illegally share files; all activities for which you could be held accountable.  At the very least, a compromised computer poses a threat to every other system on the Purdue University network.  Failure to take proper care of your computer could result in the loss of your network privileges, including wireless and VPN access!


What does it mean if my computer is reported as sending spam email?

If you received a notice from the STEAM-CIRT that your computer was sending spam email, such as acting as a spam email generator or relay, it usually means that your computer has been compromised and is being used to send spam email by some external entity.  In many cases, the computer was compromised by a Trojan or virus, which then allows a spammer to access your computer remotely to send spam email.  For more information on how to deal with a compromised computer, please see this article.

It is important to have your computer checked out when this activity is reported to you.  Relaying or generating large amounts of spam email can have a serious impact on the performance of your computer.  It may also cause Purdue-owned IP addresses to be blocked by external entities' mail servers or from their networks entirely.  It may also be a violation of the CAN-SPAM Act, which prohibits the sending of unsolicited pornographic or marketing material via email.


What does it mean if my computer is reported as an IRC Bot Zombie?

As explained here, IRC Bot Zombies are computers which have been compromised and are controlled by attackers through commands issued via an IRC server.  This means that an attacker can easily issue a command to one or more "zombie" computers to have them perform activities such as attacking another computer or sending spam email.

If your computer has been reported to you as an IRC bot zombie, it likely means it is connected to an IRC server and is receiving and performing commands without your knowledge.  Because of this, it is very important that you have your computer examined for malware and other signs of compromise before you use it again.  For more information on what to do if your system is compromised, see this article.
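The two notices above (spam relay/generator and IRC bot zombie) describe network behaviour that a response team can spot from outbound traffic records. The following is an added example, not STEAM-CIRT's own tooling: a small triage script that applies both heuristics to flow records. The record format, the IRC and SMTP port numbers, the thresholds and the sample flows are all constructed assumptions for illustration.

```python
# Added example, not STEAM-CIRT's tooling: flow-log triage applying the two behaviours
# the spam-relay and IRC-bot-zombie notices describe. Record format, ports,
# thresholds and the sample flows below are constructed assumptions.
from collections import defaultdict

IRC_PORTS = {6667, 6697}        # assumption: plaintext and TLS IRC
SMTP_PORT = 25
SPAM_DISTINCT_DST = 20          # assumption: distinct mail servers per window
IRC_MIN_CONNECTIONS = 3         # assumption: repeated sessions to an IRC server

def parse_flow(line):
    """Parse 'ts src dst dport bytes'; return None for blank, comment or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[0].startswith("#"):
        return None
    ts, src, dst, dport, nbytes = parts
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}

def triage(lines):
    """Return {host: [reasons]} for hosts matching either notice heuristic."""
    smtp_dsts, irc_conns = defaultdict(set), defaultdict(int)
    for line in lines:
        f = parse_flow(line)
        if f is None:
            continue
        if f["dport"] == SMTP_PORT:           # many distinct mail servers => relay/generator
            smtp_dsts[f["src"]].add(f["dst"])
        elif f["dport"] in IRC_PORTS:         # repeated IRC sessions => likely command channel
            irc_conns[f["src"]] += 1
    findings = defaultdict(list)
    for host, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_DISTINCT_DST:
            findings[host].append(f"possible spam relay/generator: {len(dsts)} distinct SMTP destinations")
    for host, n in irc_conns.items():
        if n >= IRC_MIN_CONNECTIONS:
            findings[host].append(f"possible IRC bot zombie: {n} connections to IRC ports")
    return dict(findings)
# Constructed sample flows ("ts src dst dport bytes"); addresses from RFC 5737 test ranges.
SAMPLE_FLOWS = [f"2007-10-01T12:00:{i:02d} 192.0.2.10 198.51.100.{i} 25 1800" for i in range(25)] + [
    "2007-10-01T12:01:00 192.0.2.11 203.0.113.5 6667 420",
    "2007-10-01T12:05:00 192.0.2.11 203.0.113.5 6667 390",
    "2007-10-01T12:09:00 192.0.2.11 203.0.113.5 6667 405",
    "2007-10-01T12:02:00 192.0.2.12 198.51.100.200 25 2100",  # one mail server: normal client
    "2007-10-01T12:03:00 192.0.2.13 203.0.113.9 443 15000",
]

if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(reasons))
```

A host that talks to a single mail server, or that visits a website on port 443, produces no finding; the flagged hosts are the ones that would receive the notices described in this FAQ.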


AUP Policy Violations

All users of Purdue University IT resources (e.g., campus network, TLT labs) are bound by the IT Acceptable Use Policy.  This policy sets forth the expectations of behavior for all users of Purdue IT resources, and outlines several activities that are explicitly prohibited.  If you have received a notice from the STEAM-CIRT that you are in violation of the AUP, this means that some action performed by you or by computers under your control is considered a violation of a university policy or a federal/state/local law, is a threat to the information security of Purdue University, or violates other provisions set forth in the AUP.

AUP violations are treated on a case-by-case basis, and may result in loss of network or other IT resource privileges, disciplinary action, or referral to the appropriate external authorities if necessary.


How do I remove a virus from my computer?

ITaP Security and Privacy recommends performing an anti-virus signature update, followed by a full anti-virus scan of the affected system or files.  If a virus is found, follow the instructions to remove or quarantine the affected files. 

Due to the number of variants of many viruses that are currently in circulation, the version that your system is infected with may not respond to these fixes. If this is the case, please contact itap-securityhelp@purdue.edu for additional assistance, and include details of what actions you took and what problems you encountered.

If you do not have anti-virus software, Purdue students, faculty, and staff may download McAfee Anti-virus free of charge from:

    https://www.itap.purdue.edu/security/download/

If the system you are using is owned and maintained by Purdue University, your department IT support should be able to help you resolve this issue.


What does it mean if my computer is reported as having a storm worm?

A storm worm is a variant of a Trojan worm.  It uses a social engineering method to install malware on a victim's system.  This method typically involves a message being mass-mailed to victims which contains a link to a malicious website.  The malicious website installs malware when the victim visits it.  For information on what to do if your system is compromised, see this article.

Reference:

US-CERT
