When I am delivering the cyber awareness training – and people relax, realising I really mean it when I say there are no stupid questions – I often get asked “how do I know if my computer was infected?”. Usually just before being asked about the length of a piece of string! But at least the malware question I can answer… somewhat…
So how do you know if that odd email infected your computer?
You are probably asking this question because you are now having second thoughts about that Excel, Word or OneNote file you opened. It was from one of your contacts – they do not normally send you an email, but it did include the words “new order” in the subject line and file name, so you could not resist opening it. The spreadsheet opened, and a helpful dialogue box popped up and explained that to see the order details you had to enable the content – so you did just that…
Malware is designed with stealth in mind, so it is not going to wave a flag on the screen informing you that you have this or that virus. Ransomware is the exception, but even it waits to wave the flag: the ransom demand only appears after it has stolen your information and then encrypted it! But if you have gone as far as enabling a macro in an unexpected Microsoft file, then you probably have some type of malware carrying out its malicious tasks on your machine – or worse – in your network and cloud storage.
But wait…
You only opened the document; no dialogue box popped up, so you did not say “yes” to anything – so that was a lucky escape!!!
Sorry, no. If you opened the attachment (not just the email) then there is the possibility that the malware executed without any further intervention from you, and because it exploited legitimate Microsoft Office functionality, your anti-virus did not prevent the execution either…
What action should I take if something like this happens to me?
Your organisation must have an incident response plan in place, so your training will kick in and you will do what the plan states.
But just in case the stress of the moment is too much – or your organisation does not have an incident response plan, with individual tasks that everyone is aware of – I will give you the first thing you should do.
Disconnect your computer from the network: pull out the network cable or turn off the Wi-Fi. You want to contain and limit the potential damage.
Update
I have written two longer articles looking at isolating infected machines:
Minimise the Damage – Planning and Preparation
and
Pull the Plug: But I haven’t got a plug!
Training will help
Obviously training will help: it will stop you opening the email or the attachment in the first place, and that matters because something always gets past the anti-virus software.
So have a think about how your team would react to the above situation.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
OneNote – the threat actors new best friend…
Microsoft Office Macros Are Still an Issue
From Encryption Ransomware To Extortion Ransomware Part I
Where do you keep that Incident Response Plan?
Photo by Leeloo Thefirst