+- Support Forums (https://www.supportforums.net)
+-- Forum: Categories (https://www.supportforums.net/forumdisplay.php?fid=87)
+--- Forum: Virus Protection, Removals, and HJT Team (https://www.supportforums.net/forumdisplay.php?fid=56)
+---- Forum: Computer Security, Firewalls, and Antivirus (https://www.supportforums.net/forumdisplay.php?fid=10)
+---- Thread: [Guide] - White Hat Helping Basic Overview (/showthread.php?tid=7185)
[Guide] - White Hat Helping Basic Overview - --([-S7N-])-- - 05-19-2010
White Hat Helping Basic Overview
This is a guide to all eager White Hat Helpers here to learn about helping with infections and other matters.
NOTE: I have this posted at Hack Forums as well, but this could be a good resource for everyone to learn White Hat Helping, maybe even help the HJT Squad
What is a White Hat Helper?
A White Hat Helper in this forum are people who specialize in problems related to malware/virus infections, computer software issues, almost all issues related to computers in general, and help others with their knowledge. A White Hat Helper should specialize in at least 2/3 of the following:
- Computer Security
- Infection Prevention
- Protection Software
- Infection Removal
- Online Safety
- Identity Security
First off, you need to know all things related with Black Hat Hacking, who gave hacking the bad meaning. They are hackers who hack systems to steal valuable data, hack websites to steal password databases and so on. There are few true Black Hats in these forums, as most are script kiddies following tutorials, not knowing actually what they are doing.
What we do is, we learn their ways and learn how to counter them. Suppose they infect people with RATs/trojans/keyloggers, we must know how to counter them, how to remove their malware from the system of the infected. Throughout this guide I will be teaching you different malware related things, which are actually coded by Black Hatters.
Learning the ropes: White Hat Basics
Do's and Don'ts
Do's
- Read the post made by the infected/OP very carefully.
- Read all comments made by others and the OP in the thread, to understand how much the user has been helped, the progress of his problem solving. Also, read all posts to see what other helpers have posted.
- Research on unknown problems. Researching on search engines, such as Google, will help you gain a much broader concept on matters, and also help the user more confidently.
- Always know what you are doing, and know what you are doing is right. Don't just guess solutions, as they can be wrong. If you don't know the solution, better leave the thread and let a much experienced handle the situation.
- Read what other helpers have posted, so that you remember the solution to the problem if it occurs with another user again.
- You can consult an educated White Hatter about you confusions, they are always there to help. But do note that they have other business to attend to. If you don't get a reply, just continue researching.
- Ask the OP if you are not clear on the problem. For example, you know a solution to something. The OP posts something similar, but vague. Ask him about the problem, and ask for a detailed explanation. And guess what, after getting the detailed explanation, you realize that you already know the solution!
- IMPORTANT: If the user posts an HJT log in the wrong section, doesn't give you the right to help the user. Report it for wrong section, and it will be moved by a moderator.
- If the OP doesn't have an Anti-Virus program, please, please, PLEASE suggest good, free anti-virus programs to them.
- It is better to stick with malware disinfection for a good amount of time, as this is one of the fastest growing problems in this section.
- I strongly recommend you to write your own canned speeches, or at least read the speeches I provide to understand the instructions yourself.
- I see a few people saying "Format you hard disk" to OP's who make a thread about infections. Don't do that. Formatting should be a last resort. An infection can be easily removed using appropriate tools like Malwarebytes' or SUPERAntiSpyware. Please don't suggest a format of hard disk, because OP's are always desperate for a solution, and will do anything. A format will make them lose personal, or maybe even important, data.
- Don't post if you don't know the solution. Leave the thread as it is. You are welcome to ask questions though.
- Don't suggest a Malwarebytes' scan (or any other malware scan) for problems that actually have no relation with infections. Read Don'ts number two.
- Don't help users that post HJT Logs, unless you are a graduated HJT helper from the HJT Training program. Apply here.
- Since you are learning the basics here, don't help users with advanced problems that you know nothing about.
- Don't use canned speeches unless you know what you are writing.
- Don't instruct the use of strong and advanced tools, like ComboFix or GMER, as they might cause damage to your PC, and you might not know what to do then. Just let the pros do the advanced stuff.
I see at least 2 or 3 people posting about infections everyday. As a member of Hackforums, a lot of members download many hacking tools, which are sometimes binded with malware. So, it is important for people to learn about different types of malware, to help out the users facing malware related problems.
If you see anyone facing 2 or more symptoms that I list below, provide them with appropriate removal instructions.
Remote Administration Trojans (RAT)
What is a Remote Administration Trojan?
A RAT or Remote Administration/Access Trojan/Tool (otherwise known as a Backdoor) is a form of malware used to gain control over someone's computer. This tool is most popular with the Black Hats and they're very common infections.
RATs have features including keyloggers, the ability to steal passwords, open and close CD trays, disconnect external devices such as monitors, delete or edit files, turn on a webcam without the user knowing, edit and delete registry entries, disable security software, and much more. Basically, they're capable of doing anything - the same things you'd do as if you were sitting in a seat behind the computer.
For More Information On RATs
More information can be found on Remote Administration Trojans at these links.
- What Is a RAT?
- Remote Administration Tool
- Compilation for RATs Section
- HackForums RAT guide - Q&A. + Explained
How To Recognize a RAT Infection
To recognize an infection, you'll need to analyze the symptoms the infected member is experiencing. With experience, you'll be able to apply your common sense and knowledge to determine, based on what has been said by the infected, whether or not the user has been infected by a RAT (or any other infection for that matter).
Symptoms of RAT Infections
- Unexplainable deletion of files.
- Unexplainable editing of files.
- CD Tray opening and closing, though not provoked.
- Webcam randomly turning on.
- Keylogging.
- Cursor moving freely.
- Blocked access to particular sites (usually security-based websites).
- Random messages appearing.
- Unknown files/documents being created.
- Slow Internet speeds.
- Unresponsive components (monitors being disabled).
- Passwords being changed.
- HOSTS File being changed.
Keyloggers
What is a Keylogger?
A Keylogger is an application used to record the keystrokes of the victimized computer. If you're infected with a Keylogger, everything you type will be logged and sent to the hacker's FTP (File Transfer Protocol) location or to their E-mail address.
These days, Keyloggers are becoming more and more advanced with many features that can cause harm to your personal security. Keyloggers are becoming part of larger infections such as RATs and are used in most spyware. The goal of the Keylogger is to provide a log of what the infected has typed on his or her keyboard so the hacker can sift through to find usernames and passwords. They're the most basic form of spyware, but they're incredible powerful and can often go unnoticed.
For More Information On Keyloggers
More information can be found on Keyloggers at the below links.
- Keystroke logging
- What is a Keylogger?
- Keylogger Information
- Absolute Key Logger Information and Removal
Keyloggers can be very stealthy and in many instances, one will only notice that they've been keylogged once all their passwords have been changed.
Usually, the infected will complain about their passwords being changed or their private data exposed. In most cases, the infected will be able to tell you that they've been keylogged - it's not difficult to diagnose at all. I'll share some common Keylogger programs with you to familiarise you with some names.
I'll also share the common symptoms experienced when infected by a Keylogger.
Symptoms of Keylogger Infections
- Stolen or changed passwords.
- Leekage of confidential information.
Trojans
What Is A Trojan?
A Trojan or Trojan Horse can be summarized as an unauthorized program contained within a legitimate program. This unauthorized program performs functions unknown (and probably unwanted) by the user (Reference: WindowsSecurity).
By saying this, a Trojan is usually a legitimate program that has malicious code unknowingly injected into it. The infected file will usually perform the desired task, yet will also secretly perform malicious tasks on the infected's system.
Trojans can be divided into two types: one part will require a server and a client (Trojan Horse), and the other type of Trojan is a more direct infection and will carry out its purpose automatically. The two-part Trojan (client and server), requires directions from the attacker (hacker) to operate. The most common example of this is the Remote Administration Trojan (RAT) which we've just covered.
In this type of Trojan (two-part), the infected will have to run the 'Server' application to initialize the attack. This file is usually called 'Server.exe', though there are many variations of this. Once this application has been run, it'll connect through a port configuration and the Internet to the 'Client' (the hacker).
Trojans are usually extremely well disguised, which is why these programs have caused so much damage. They can be bound to other files, encrypted, renamed, and more. This is why determining whether or not an application is, indeed, clean or infected can be very difficult.
Trojans are usually set to automatically run on startup through various methods including creating entries in the Windows Registry, and using Windows System Files.
How To Recognize a Trojan Infection
Trojans, as mentioned above, are usually disguised in other applications. This, in tern, will make the file infected. Basically, it's a fake program claiming to be legitimate, when in fact, it's infected. This is one trait of a Trojan, but it ties into the fact that Trojans are designed to cause destruction.
Common Trojans/Trojan Horses
- Remote Administration Trojan
- Password Sending Trojans
- Keyloggers
- Destructive
- Denial of Service (DOS) Attack Trojans
- Proxy/Wingate Trojans
- FTP Trojans
- Software Detection Killers
Symptoms of Trojan Infection
- Changed or deleted passwords.
- Confidential information stolen or exposed.
- Files deleted or edited.
- Registry values edited or delete.
- Internet disabled.
- Antivirus/Anti-Malware disabled.
- Firewall disabled.
- Common RAT Infection Symptoms - Please read the above section on RATs.
Common Malware Removal Software
Anti-Malware
It's suggested that you have one to two anti-malware applications installed on your system. Anti-malware scanners aren't usually active scanners - meaning that they aren't always monitoring your system; they need to be run manually, they won't interrupt any other active protection agents that are currently running, such as an antivirus.
Anti-Malware Applications
- Malwarebytes' Anti-Malware
- ESET Online Scanner
Anti-spware, alike anti-malware, will not interfere with antivirus or anti-malware applications. They're one-off scanning utilities, and usually don't come with active protection. Anti-spyware applications are designed to target spyware infections such as trojans, keyloggers, and worms.
Anti-Spyware Applications
- SUPERAntiSpyware
- Spybot - Search & Destroy
- Spyware Doctor
This is the end of my guide, but not the end of your learning. Continue researching on different types of malware, different problems on computers etc.
Read this compilation for more guides: http://www.supportforums.net/showthread.php?tid=7025
RE: [Guide] - White Hat Helping Basic Overview - Eve - 05-19-2010
Amazing guide, thanks for sharing this here.
RE: [Guide] - White Hat Helping Basic Overview - I like it up the nose - 05-24-2010
I didn't know what a White Hat was until now, THANKS.
RE: [Guide] - White Hat Helping Basic Overview - Silver - 05-24-2010
Excellent guide! I know a lot of the things stated in the guide, but also learned a great amount.
Also, I noticed in the a link under the "Don'ts" has a link to the "HackForums HJT Training Information & Signups" and not Support Forums' HJT Signups. Is it supposed to be like that or not?
Again, outstanding guide. Learned a lot.
RE: [Guide] - White Hat Helping Basic Overview - Harvey - 05-27-2010
(05-24-2010, 02:39 PM)Silver Wrote: Excellent guide! I know a lot of the things stated in the guide, but also learned a great amount.
Also, I noticed in the a link under the "Don'ts" has a link to the "HackForums HJT Training Information & Signups" and not Support Forums' HJT Signups. Is it supposed to be like that or not?
Again, outstanding guide. Learned a lot.
Good find. S7N, you might like to fix that.
RE: [Guide] - White Hat Helping Basic Overview - --([-S7N-])-- - 05-28-2010
Fixed. Thanks for the pointer.
RE: [Guide] - White Hat Helping Basic Overview - Eraj - 06-29-2010
Cool guide thx for sharing it