The Digital First Aid Kit
The Digital First Aid Kit aims to provide preliminary support for people facing the most common types of digital threats. The Kit offers a set of self-diagnostic tools for citizens, human rights defenders, bloggers, activists and journalists facing attacks themselves, as well as guidelines for digital first responders who assist a person under threat.
‘Malware’ is malicious software that gives another party (a criminal, a government or some other third party) unauthorized control of your device. Once installed it can perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, and recording audio and video. Most malware is written for and used by criminals, but state-sponsored actors have increasingly adopted it as a tool for surveillance, espionage and sabotage. A compromised device is then used to send out spam, seize banking, email or social media credentials, take part in attacks that shut down websites, and collect sensitive information from journalists, human rights defenders, NGOs, activists and bloggers. If you suspect a malware infection on your device, here are some things you can do:
Start by answering some simple questions:
- Are you sure this is not account hijacking or a compromised password? (See the Account Hijacking section.)
- What are your indicators of compromise?
What is an ‘indicator of compromise’ anyway?
There are many reasons why you may think your device has been infected with malware; these are called ‘indicators of compromise.’ They may include the following:
- You opened an attachment or link that you think may have been malicious
- Your webcam LED turns on when you are not using the webcam
- Your accounts have been compromised multiple times, even after you have changed the password
You may also have reason to suspect your device is infected with malware if:
- Your device was seized and then returned
- Someone broke into your home and may have tampered with your device
- Some of your personal data has been made public and it could only come from your personal computer
- Your group is being targeted by a government, law enforcement, or an actor with equivalent capabilities
First steps to mitigate the problem:
After confirming that it is not an account hijacking and that there are clear indicators of compromise, there are two avenues of approach: getting your devices clean right away, or first understanding the attack and then cleaning your devices. Your first priority may be to get your computer ‘clean’ and usable again, and finding out what happened and who targeted you may matter less to you. However, it can be very valuable to understand your adversary, their technical capabilities, and whether the potential attacker (a government entity or other third party) is known to use internet surveillance technology. If understanding the attacker and the attack matters to you, it is essential that information about the possible infection is collected and analyzed before you start ‘cleaning’ your computer: cleaning destroys evidence. For collecting and analyzing that information, continue to the section Recommended first steps for a first-level analyst; otherwise, proceed to the section below.
‘Cleaning’ your device
When you have chosen to clean your device without understanding the malware and attack first please keep the following in mind:
- There is no quick fix for cleaning malware from your computer. Even after completing the following steps, a very sophisticated malware infection may still be present. These steps are sufficient to remove most of the malware you are likely to encounter unless you are being targeted by a very advanced attacker.
- If you believe that you are being targeted by a state actor and indicators of compromise persist after you have cleaned up the virus detected through the steps below, disconnect the device from the internet, power it off, unplug it, remove its battery if possible, and seek the help of a security professional.
Anti-virus software can be an effective first response to protecting a device from a significant percentage of malware. However, anti-virus software is generally considered ineffective against targeted attacks, especially by state-sponsored actors. Nevertheless, it remains a valuable defensive tool against non-targeted, but still dangerous, malware. Below is a non-exhaustive list of options:
- Microsoft Safety Scanner (Windows; an on-demand scanner that expires ten days after download, so fetch a fresh copy each time you use it)
- ClamXav (Mac OS X)
- ClamAV (Windows and Linux)
When you run anti-virus software, ensure that it is up to date. If a virus is detected the following steps are recommended.
- Step 1: Ensure that your anti-virus software is up to date
- Step 2: Take a screenshot of the message; it records the detection name and the path of the infected file, which an expert will need
- Step 3: Continue with the recommended steps to remove the virus
- Step 4: Following the guidelines in the Safer Communications section, send the screenshot to a person with security expertise
Don’t stop here! Important next steps:
If you suspect a state-sponsored attack or want to know more about the attack and the attackers, it is important to gather as much forensic information as you can; please proceed to the section on recommended first steps for a first-level analyst. On some computers you can swap out the hard disk: keep the infected disk safe for forensic analysis and keep working from a new one.
- Back up your files and reinstall your operating system. Anti-virus cleanup cannot guarantee that the malware is completely gone, and attackers commonly install additional malware once the first is in place, so the reliable fix is a thorough wipe of the hard drive followed by a fresh installation of the operating system. If possible, investigate whether replacing the hard drive is an option.
- After reinstalling the operating system you will want access to your files again. Be aware that the malware may have infected your documents, so take the following steps:
  - If possible, retrieve your documents from a backup made before the malware infection.
  - If you do not know when your device became compromised, or if you suspect specific attachments or documents of carrying the malware, there are several things you can do:
    - Download all of your executable files again from a trusted source.
    - If a technical expert has identified the attack vector and the malware clearly infects other documents, one option is to upload them to Google Docs, open them there and download them again. Opening a suspicious document in Google Docs is a reasonable recommendation in most cases: the document will not infect your computer and it remains editable. Be aware that this shares the document's contents with Google, so do not do it with confidential material.
    - Another option is to copy the documents onto a USB key and run them through CIRCLean. The malware is not carried across; the documents are converted to an image or PDF, a read-only, non-editable format.
Recommended first steps for a first-level analyst
The following recommendations should only be implemented by a person with some security expertise. If you do not have the necessary expertise to follow the instructions below, ask a specialist for help. If possible, communicate with them via secure channels using the guidelines in the Safer Communications section.
The first steps to take:
- If one of the indicators of compromise is an email, gather the full headers and analyze them: the Received chain shows the path the message took, and only the hop added by the recipient's own mail provider can be trusted, since earlier hops can be forged. Google's Messageheader tool (part of the Google Admin Toolbox) parses headers automatically.
- If possible, securely obtain the malware itself (for example by saving the attachment without opening it), compute its MD5, SHA-1 or SHA-256 hash, and search VirusTotal for the hash to see whether the file has already been uploaded and analyzed.
- If the file is not confidential, you can also upload it to Malwr and analyze the result. Keep in mind that uploading a sample to a public service shares it, and anything it contains, with that service and its partners.
- If the suspicious file comes from a link, get the full URL and run it in:
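The header and hash steps above, worked through as an added Python example (this is not code from the Digital First Aid Kit or any of its partner organizations): it parses a constructed sample message, lists the Received hops oldest-first, flags a mismatch between the visible From domain and the Return-Path domain, and hashes the attachment without ever opening it so the hashes can be searched on VirusTotal. The sample message, addresses, host names and IP addresses are invented for illustration.

```python
"""Triage a suspicious email offline: reconstruct the Received chain,
flag a From/Return-Path mismatch, and hash attachments for a VirusTotal
hash search without opening them. Added example; not the Kit's own code."""
from __future__ import annotations

import email
import email.utils
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed sample (not a real message): a forged display name, a
# Return-Path on an unrelated domain, three relay hops and one attachment.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.victim.example (mx.victim.example [192.0.2.10])
 by inbox.victim.example with ESMTP id abc123; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.victim.example with ESMTPS id def456; Mon, 01 Jan 2024 10:00:03 +0000
Received: from [203.0.113.42] (unknown [203.0.113.42])
 by relay.example.net with SMTP id ghi789; Mon, 01 Jan 2024 10:00:01 +0000
From: "Trusted Colleague" <colleague@ngo.example.org>
To: target@victim.example
Subject: Urgent: revised report
Date: Mon, 01 Jan 2024 09:59:59 +0000
Message-ID: <20240101095959.1234@relay.example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset=utf-8

Please review the attached report.
--BOUNDARY
Content-Type: application/octet-stream; name="report.doc"
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

Tm90IHJlYWxseSBhIGRvY3VtZW50Cg==
--BOUNDARY--
"""

# "from <host> (<reverse-dns> [<ip>]) by <host>" as most mail servers write it.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text with the modern policy so attachments and
    address headers come back as structured objects."""
    return email.message_from_string(raw, policy=policy.default)


def received_chain(msg: EmailMessage) -> list[tuple[str, str | None, str]]:
    """Hops oldest-first as (from_host, from_ip, by_host). Each server
    prepends its Received header, so the top one is the last hop; only the
    hop added by your own provider is trustworthy, earlier ones can be forged."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold and normalise whitespace
        m = RECEIVED_RE.search(text)
        if not m:
            continue  # non-standard format; keep the raw header for a human
        ip = IP_RE.search(text)
        hops.append((m.group("from"), ip.group(1) if ip else None, m.group("by").rstrip(";,")))
    return hops


def sender_mismatch(msg: EmailMessage) -> bool:
    """True when the From domain differs from the Return-Path domain. Mailing
    lists and bulk senders do this legitimately, so treat it as a lead, not proof."""
    visible = email.utils.parseaddr(str(msg.get("From", "")))[1]
    bounce = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]

    def domain(addr: str) -> str:
        return addr.rpartition("@")[2].lower()

    return bool(visible and bounce) and domain(visible) != domain(bounce)


def hash_bytes(data: bytes) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256: the identifiers VirusTotal accepts in a hash
    search, so a sample can be checked without being uploaded."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_attachments(msg: EmailMessage) -> list[dict]:
    """Decode each attachment to bytes in memory and hash it; nothing is
    written to disk or opened in an application."""
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        results.append({"filename": part.get_filename(), "size": len(data), **hash_bytes(data)})
    return results


def triage(raw: str) -> dict:
    """One-call summary suitable for sending to an analyst over a secure channel."""
    msg = parse_message(raw)
    chain = received_chain(msg)
    return {
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "chain": chain,
        "origin_ip": next((ip for _, ip, _ in chain if ip), None),
        "sender_mismatch": sender_mismatch(msg),
        "attachments": hash_attachments(msg),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RAW), indent=2))
```

Run it on a message saved as raw source ("Show original" or similar in most mail clients) instead of SAMPLE_RAW. Note that the earliest hop in the chain is whatever the sender's server claimed, so the origin IP is only as reliable as the first server you actually trust.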
What is next?
Step 1: Information collection for further analysis
The following information is critical for any further analysis, by you or by anyone else. It is recommended to collect most - and if possible all - of the information below for further analysis:
- Information on the system (hardware, OS details, including version and update status)
- Location of the victim and system localization (source IP, country, language of the user)
- List of users sharing the same device
- In case of suspicious email: full headers
- In case of a link: the full link, timestamp and screenshot
- It would also be useful to have a dump of the webpage, and a packet capture of the connection to it
- A tutorial or link might be useful here as well
- Memory dumps
- Disk images
- Note that it may be easier to recommend replacing the hard drive and handing the original to a helper than to teach someone to make a disk image.
- Evaluate possibility of remote forensics and if so, establish proper channel of communication
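An added Python example (not code from the Kit or its partner organizations) of packaging the items above for a first-level analyst: it gathers the system and localisation facts, the list of local accounts, and the responder's timeline notes into an in-memory bundle, and writes a SHA-256 manifest so the recipient can verify that nothing changed in transit. Memory dumps, disk images and packet captures are produced with other tools and are simply added as extra files. Function names such as build_bundle and check_bundle are this example's own, and the notebook entries in the usage section are constructed.

```python
"""Assemble a triage bundle for an analyst and let the recipient verify it.
Added example; not the Digital First Aid Kit's own code."""
from __future__ import annotations

import datetime
import getpass
import hashlib
import json
import locale
import os
import platform
import socket
import time


def current_user() -> str:
    try:
        return getpass.getuser()
    except Exception:  # no login name in the environment (containers etc.)
        return str(os.getuid()) if hasattr(os, "getuid") else "unknown"


def local_users() -> list[str]:
    """Accounts that can log in on this device (shared devices matter for
    attribution). Uses the POSIX password database where available and
    otherwise reports only the current user."""
    try:
        import pwd
    except ImportError:
        return [current_user()]
    return sorted({p.pw_name for p in pwd.getpwall()
                   if not p.pw_shell.endswith(("nologin", "false"))})


def collect_system_info(now: datetime.datetime | None = None) -> dict:
    """Hardware, OS and localisation facts. The public source IP is left out
    on purpose: determine it out of band (provider records, mail headers)
    rather than by contacting a third-party service from the suspect device."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    u = platform.uname()
    try:
        loc = locale.getlocale()
    except ValueError:
        loc = (None, None)
    return {
        "collected_at_utc": now.isoformat(),
        "hostname": socket.gethostname(),
        "os": {"system": u.system, "release": u.release, "version": u.version,
               "machine": u.machine, "platform": platform.platform()},
        "locale": loc,
        "timezone": time.tzname,
        "current_user": current_user(),
        "users": local_users(),
    }


def timeline_note(entries: list[tuple[str, str]]) -> str:
    """The responder's notebook as a text file: one line per observation,
    with the time exactly as they recorded it."""
    return "".join(f"{when}\t{what}\n" for when, what in entries)


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of every file in the bundle, keyed by file name."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def verify_manifest(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """Names of files that are missing, unlisted, or whose hash no longer matches."""
    return sorted(
        name for name in set(files) | set(manifest)
        if files.get(name) is None
        or manifest.get(name) != hashlib.sha256(files[name]).hexdigest()
    )


def build_bundle(notes: list[tuple[str, str]], extra: dict[str, bytes] | None = None) -> dict[str, bytes]:
    """Sender side: system info, timeline, any extra artefacts (pcap, memory
    dump, page dump ...) and a manifest.json covering all of them."""
    files = {
        "system_info.json": json.dumps(collect_system_info(), indent=2).encode(),
        "timeline.txt": timeline_note(notes).encode(),
        **(extra or {}),
    }
    files["manifest.json"] = json.dumps(build_manifest(files), indent=2).encode()
    return files


def check_bundle(files: dict[str, bytes]) -> list[str]:
    """Recipient side: verify every file against manifest.json; empty list means intact."""
    manifest = json.loads(files["manifest.json"])
    others = {n: d for n, d in files.items() if n != "manifest.json"}
    return verify_manifest(others, manifest)


def write_bundle(files: dict[str, bytes], outdir: str) -> None:
    os.makedirs(outdir, exist_ok=True)
    for name, data in files.items():
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    # Constructed notebook entries standing in for the responder's paper notes.
    bundle = build_bundle([
        ("2024-01-01 10:02 UTC", "opened report.doc from 'Trusted Colleague'"),
        ("2024-01-01 10:05 UTC", "webcam LED on while no application used it"),
    ])
    write_bundle(bundle, "triage-bundle")
    print(json.dumps(build_manifest(bundle), indent=2))
```

Send the manifest's hashes over a separate secure channel from the bundle itself; then a recipient who gets an empty list from check_bundle knows the evidence is the evidence you collected.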
Step 2: Malware analysis
If you do not have the skills to process this information, pass it on to a trusted, trained malware expert or one of the following organizations:
Take extra precaution against attackers
Malware is potentially the most dangerous attack against an activist, as it gives the attacker easy access to account information as well as extensive personal and project-related documentation. There is no single or simple method to protect yourself from malware, but you can make yourself a more difficult target.
Keep in mind, however, that specialized, targeted malware will evade even the best anti-virus software. Steps 1 and 2 below make you safer against known, older malware; only changing your behavior (steps 3 and 4) improves your resilience against targeted attacks.
- Step 1: Regularly check for updates to all of your software, especially your operating system and your browser
- Step 2: Install and configure an anti-virus program (see above) and make sure it updates automatically. Some anti-virus programs will stop after their trial period expires without warning.
- Step 3: Change your own behaviors. Email and chat attachments are common ‘attack vectors’: a friend's compromised computer will automatically send malicious attachments to everyone in its address book. Ask people to send documents in plain text where possible, and never open an unexpected attachment without carefully verifying that the sender intended to send it! Tibet Action’s ‘Detach from Attachments’ provides further suggestions. Using a third-party service like Google Docs to open office documents and spreadsheets also lets you see and edit the content with a much lower risk of a malware infection.
- Step 4: Further protection can be provided by adding browser extensions such as HTTPS Everywhere or NoScript (for Firefox). Note that EFF has since retired HTTPS Everywhere because current browsers offer a built-in HTTPS-only mode; enable that instead.
If your devices have been compromised by a targeted attack, it can be valuable to understand why you’ve been attacked and by whom.
Why you’ve been attacked: Who do you think might be interested in targeting you or your organization? Is this threat related to your work? In the section on helpful resources there are links to guides that give you tips and tricks on how to prevent digital emergencies and be proactive about your digital security.
By whom: What are your adversary’s technical capabilities? Is the potential attacker (a government entity or other third party) known to use internet surveillance technology? The section Reports on State-sponsored Malware attacks has more information on the different ways in which governments have used malware for targeted attacks.
Documentation: It will be difficult to remember specifics such as the time and date when you clicked on a suspicious link. Therefore, we recommend keeping a notebook next to your computer to make notes of the time, date and strange things that have happened and are happening to your device. In some cases experts have been able to identify a specific type of malware by correlating the time of the attack with unique characteristics or a possible indicator of compromise.
Reports on State-sponsored Malware attacks:
- Detach from Attachments
- Google’s Chrome browser and the open source version, Chromium, provide excellent information about suspicious websites
- More on Viruses and Spyware
About The Digital First Aid Kit
The Digital First Aid Kit is a collaborative effort of EFF, Global Voices, Hivos & the Digital Defenders Partnership, Front Line Defenders, Internews, Freedom House, Access, Qurium, CIRCL, IWPR, Open Technology Fund and individual security experts working in the field of digital security and rapid response. It is a work in progress; if there are things that need to be added, or you have comments or questions regarding any of the sections, please go to GitHub.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.