Blue Teaming
Kim Crawley, Sep 17, 2021
Many years before I started working for Hack The Box, I put in my time as a remote support technician. In the 2000s, I’d remove malware from about twenty or thirty Windows PCs per eight-hour shift. I got really, really good at it. It became a routine that I’d largely conduct subconsciously. My LogMeIn Rescue client could have five to ten remote sessions at once, each given its own dedicated tab.
There are some caveats. Windows is still a major malware target, but now there’s much more malware for Android, Linux distros, and even occasionally Macs and iPhones. A practical understanding of malware accepts that all computers which can acquire data from networks or removable media can be infected; there is no such thing as a malware-proof operating system. In my entry-level IT days, I supported Windows XP, Windows Vista, and eventually Windows 7 as well. No one outside of Microsoft knew anything about Windows 8, and Windows 10 wasn’t even a concept at that point. And in my anecdotal experience, Windows 10 with default settings is a lot more secure than Windows 7 and Windows XP with default settings. This is mainly due to Microsoft’s improvements to Windows Defender, which now runs automatically as the default antivirus application, and to improvements to Windows Firewall.
As I write this on my MacBook Pro running macOS 11.5.2 Big Sur, I also acknowledge that Apple’s “Macs don’t get PC viruses” marketing campaigns from years ago have misled consumers into a false sense of security, thinking Macs can’t get malware. Ha! I purchased Avira for my Mac, and I’ve configured it to automatically download signature updates and run antivirus scans.
Any operating system can get malware. Period. Even my Android phone has Lookout as its antivirus. (Does having a Mac and an Android phone make me a weirdo?) Install antivirus on your iPhone too!
Now that being said, let’s get into malware removal. Because malware sucks, and the internet is loaded with it.
The best way to remove malware is to prevent getting it in the first place. Here’s my security hardening advice:
Make sure that, regardless of which operating system your PC or phone uses, you have some sort of antivirus software running. Windows 10 runs Windows Defender if you don’t install an alternative. macOS, Linux distros, Android and iOS mobile devices (iPhone, Apple Watch, iPad) do not come with antivirus software out of the box. I have worked for antivirus companies over the years: Comodo, Sophos, BlackBerry Cylance, and Kaspersky. Those days are gone and now I’m professionally platform-agnostic when it comes to AV. If you aren’t sure which antivirus brand you should choose for your device, I highly recommend looking at what AV-TEST.org says. Their antivirus ratings per operating system change from month to month, because ultimately antivirus software is only as good as its most recent update. Do note that for home users, AV-TEST only evaluates antivirus for Android, macOS, and Windows.
Make sure your antivirus software is configured to install updates whenever they’re available, and perform automatic scans of your main disk partitions once per week. Think of updates as vaccines for new strains of malware. No antivirus solution is perfect, nor will it make your device completely immune to malware. AV is a safety guard, like getting vaccinated or wearing a seatbelt in your car. The best antivirus client is one that has all of its most recent updates.
As far as consumer endpoint PC and phone use is concerned, I will mention some of the most frequent vectors of malware infection. They are P2P media downloads and BitTorrent search engines, malware-infected webpages, email attachments, and mobile apps downloaded from outside of the App Store or the Google Play Store. With that in mind, be super careful with P2P file downloading and using torrent search engines. Actually, it’s best avoided entirely! Be very careful not to click on webpage links in emails or open email attachments from email addresses you aren’t familiar with. And only install mobile apps from the App Store or Google Play Store if you can. Malware has been found in the App Store and the Play Store, but Apple and Google work very hard to detect and eliminate it. Therefore, their Stores are the safest source of mobile apps by far.
Malware does a lot more damage when it's in an account with administrative (root) privileges. Linux-based and UNIX-based systems (that includes macOS) will typically use root only when it's absolutely needed. As far as Windows is concerned, do your everyday work and play in an account with limited privileges. Only log into your administrative account when you need to install software, change your Control Panel settings, or modify other user accounts. Whichever account you’re using in Windows, be very careful when you allow UAC (User Account Control) to perform actions. On Android phones, look carefully each and every time an app asks for permissions. Don’t hesitate to deny an app permissions it asks for. For instance, why should your mobile puzzle game need access to your camera or your phone contacts?
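The hardening advice above (antivirus on and updating automatically, a weekly scan, and an everyday account without administrative rights) can be checked and applied on Windows 10 with the built-in Defender PowerShell cmdlets. The script below is an added example written for this page; it is not Kim Crawley's or Hack The Box's code. It assumes the Defender and LocalAccounts modules that ship with Windows 10, must be run from an elevated PowerShell window, and uses a placeholder account name ("alice") that you would replace with your own everyday account.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Microsoft Defender and local privileges on Windows 10.
# Assumes the built-in Defender cmdlets (Get-MpComputerStatus, Set-MpPreference, ...)
# and Get-LocalGroupMember are available, as they are on a stock Windows 10 install.

$status = Get-MpComputerStatus

# 1. Is the default antivirus actually running with real-time protection?
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender antivirus or its real-time protection is disabled."
}

# 2. Are the signatures fresh? AntivirusSignatureAge is measured in days.
if ($status.AntivirusSignatureAge -gt 1) {
    Write-Warning ("Signatures are {0} day(s) old; updating now." -f $status.AntivirusSignatureAge)
    Update-MpSignature
}

# 3. Schedule a weekly full scan and check for signature updates every hour.
$prefs = @{
    ScanParameters          = 2           # 2 = full scan, 1 = quick scan
    ScanScheduleDay         = 1           # 1 = Sunday (0 = every day, 8 = never)
    ScanScheduleTime        = '02:00:00'  # local time the scheduled scan starts
    SignatureUpdateInterval = 1           # hours between signature update checks
}
Set-MpPreference @prefs

# 4. Least privilege: the account used for daily work and play should not be a
#    local administrator. 'alice' is a placeholder; substitute your own account.
$everydayUser = 'alice'
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($admins -match "\\$everydayUser$") {
    Write-Warning "'$everydayUser' is in the local Administrators group; use a Standard user account day to day."
}

# 5. UAC must stay on so that privilege elevation always prompts.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) {
    Write-Warning "UAC is disabled (EnableLUA = 0); re-enable it and reboot."
}

# Summary of what Defender itself reports after the changes.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, FullScanAge, QuickScanAge |
    Format-List
```

Run it once after setting up a machine and again whenever you suspect something has changed; every warning it prints corresponds to one of the hardening points above, and the final summary shows how many days it has been since Defender last completed a scan.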
The next step to removing malware is to determine if you have malware to remove in the first place. Here are three of the most common indications of malware on a consumer device:
Your PC or phone runs much more slowly than usual, for an extended period of time.
Your antivirus software tells you that there’s malware. Make sure that you’re familiar with your antivirus software’s user interface, so you don’t get fooled by number three.
A pop-up window or webpage says, “you have a virus!” Now, this is not what some users may assume. The pop-up window or webpage isn’t coming from a helpful entity that wants you to get rid of the malware. The pop-up window or webpage is coming from the malware that infected your device. It’s usually a scam of some sort. “You have a virus! Click here to remove it!” Oops, the link triggered a malware download. Or, “You have a virus! Send us Bitcoin here so we can remove it!” No! That’s the cybercriminal talking. Do not send them your Bitcoin.
If you suspect malware because your device is running really slowly or your legitimate antivirus software is telling you that you have malware, the first thing you should do is get your antivirus software to run a manual scan, pronto. If you get the pop-up window or webpage “you have a virus!” Trojan, do not touch it! Get as far away from it as possible without touching it, and run a manual scan with your authentic, legitimate antivirus software.
Quite often, antivirus software needs to put malicious files in quarantine, and some of those files can only be fully removed once nothing is using them. So after your manual antivirus scan is finished, reboot your device right away.
If your antivirus software with its latest updates was unable to remove the malware, then you need to boot your operating system into its equivalent of Safe Mode and run other removal tools from there.
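The steps above (update, run a manual scan, check what the real antivirus says rather than trusting a pop-up, then reboot so quarantine completes) map directly onto the Defender cmdlets on Windows 10. This script is an added example for this page, not code from the original post or from Hack The Box. It assumes a stock Windows 10 install with the Defender cmdlets present and an elevated PowerShell window; the Safe Mode reboot command at the end is only a printed reminder, not executed.

```powershell
#Requires -RunAsAdministrator
# Added example: manual Defender scan followed by a review of Defender's own
# detection and quarantine records. A "you have a virus!" browser pop-up or webpage
# never shows up in these records; a genuine detection does.

# A scan is only as good as its latest update, so refresh signatures first.
Update-MpSignature

# Full scan of the local disks. This call blocks until the scan completes.
Start-MpScan -ScanType FullScan

# Defender's record of every detection: when, which threat, which file/process, and
# whether the remediation action succeeded.
Write-Host "Detection history (most recent first):"
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID,
                  @{ Name = 'Resources'; Expression = { $_.Resources -join ', ' } },
                  ActionSuccess |
    Format-Table -AutoSize

# Threats Defender currently knows about, with whether each is still active
# (IsActive = $true means it has not yet been quarantined or removed).
Write-Host "Known threats:"
Get-MpThreat |
    Select-Object ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-Table -AutoSize

# Anything still active: ask Defender to remediate it now, then reboot so that
# quarantined files locked by running processes are finally removed.
$active = Get-MpThreat | Where-Object { $_.IsActive }
if ($active) {
    Remove-MpThreat
    Write-Host "Remediation requested for $($active.Count) active threat(s). Reboot now."
    Write-Host "If a threat survives the reboot, restart into Safe Mode and rerun the scan from there:"
    Write-Host "    shutdown /r /o /t 0   # reboots to the recovery menu, where Safe Mode is offered"
} else {
    Write-Host "No active threats reported by Defender."
}
```

The two tables are the practical answer to the "fake pop-up" problem from the list above: if the scare message on screen is real, Defender's own detection history will contain a matching entry; if the history is empty and Defender reports no active threats, the message came from the webpage or adware itself and should be closed without clicking anything in it.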
Here are some guides to malware removal when your AV software can’t get rid of it.
Remove Viruses, Trojans and Malware from Windows (Free Guide)
by Stelian Pilici for MalwareTips
Remove Viruses, Adware and Malware from Mac (Free Guide)
by Stelian Pilici for MalwareTips
Remove Viruses, Adware and Malware from Android phone (Free Guide)
by Stelian Pilici for MalwareTips
How to Remove a Virus From an iPhone and iPad
by Ivan Belcic for Avast Academy
Security Tools to Check for Viruses and Malware on Linux
by Jack Wallen for Linux.com
HTB Academy has fun and fully interactive modules that can give you a better understanding of how malware works and how to prevent it. Check out Windows Privilege Escalation, Linux Privilege Escalation, and File Transfers.