Once infected it's often difficult to know what malware has done to a machine. What you do next depends on your concern and some legitimate paranoia.
I have found that my computer contains 2 trojans. I have heard that hackers use trojans to gain unauthorized access to all your data. Is this true? If so, then is the data in my external hard disk (which I connect to the computer at least once a week and for a span of half an hour) also compromised?
There are so many different types and variations of malware out there that it's hard to give a definite answer. However we can certainly examine what they might be doing, and why. We'll also look at the assumptions you'll probably make, and which of those I'd make in your shoes.
To answer your second question first: without knowing the specific malware that you've been infected with, we can't make any assumptions at all about what it might, or might not, have access to.
Strike that, we can make only one assumption: malware can access everything on your machine (even devices that are connected only occasionally) and quite possibly any other machines on your local network as well.
So in your specific configuration, if your machine was infected the last time you connected that external hard drive, it's quite possible that it was compromised.
Now, I also need to clarify what we might mean by the word "compromised". There are two primary forms:
Infection: the malware might simply copy itself to your external hard drive. The goal here is the malware's propagation - it's trying to move to other machines. If your external drive becomes infected and you were to then plug it into another machine it's possible that the malware could infect that other machine. Your external hard drive could become a "carrier" for the malware.
Data Access: If your machine has been infected and the malware is active, then it absolutely could be accessing that external hard disk when it's connected and, for all we know, locating "interesting stuff" and sending it off to points and people unknown.
Now, I want to be clear about something: as I understand it most malware does neither. Most malware simply infects your machine and then goes on to do other things. And of the two compromises that I've listed above, Infection is the most likely form of compromise, in my opinion. As we'll see in a moment, most malware is more interested in propagating than it is in your data.
More often than not, if you've been infected, the data on your external drive has not been harvested. But this is malware we're talking about. There are no guarantees.
So just what is malware doing if it's not likely sucking up all your data and sending it off somewhere?
In years past, malware's goal was simply to cause trouble. It was more likely that your data would disappear as the result of an infection, and not much more. You might lose the contents of your hard disk, but none of that data would have been sent anywhere.
In recent years the landscape has changed, and in a word that change is "spam". Some very large percentage of malware these days is all about trying to infect machines in order to create spam-sending zombies operating as part of botnets. They have two goals:
Propagate and infect more machines into joining the botnet.
Wait for further instructions from the botnet operator. Typically that means being prepared to send out huge amounts of spam when instructed.
You can see that looking at your data isn't part of their job.
Why the shift? Money. There's no money in causing trouble for trouble's sake, but there are people willing to pay to get their spam sent. As a result botnet operators can actually make money by managing a network of infected zombie machines to send out spam.
So all that's well and good, but if you're infected what should you do?
It depends on your level of paranoia.
What I would do is this: use anti-malware tools to remove the malware from the infected PC, and then also scan the external drive for infections. Assuming everything turns out clean, I'd be satisfied and move on with my life. (Taking note to avoid whatever it was I did to get infected in the first place, of course.)
However, there's an extremely paranoid, and yet very valid position with regard to malware infections: "Once infected, all bets are off." That means that once you've been infected malware has become so stealthy and malicious that there's no way to know with 100% certainty that it's really been eradicated from a system. If you follow this philosophy to its logical conclusion, the only action you can take after an infection is to reformat and reinstall your machine from scratch. And sadly, taken to this extreme, that includes the external hard drive.
To be clear, I would not do this on a personal machine. Your situation might be different; I'd expect government and other sensitive installations to perhaps need to be more paranoid about these types of things. I'm typically quite happy with a good virus scan and cleanup. The only exception was some years ago when the server hosting Ask Leo! became infected - I elected at that point to build out a new server and move the site and my other data to it. The infected server was then reformatted.
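One practical way to catch the "carrier" scenario described above, as an added example that is not part of the original Ask Leo! answer: record a manifest of the external drive's files while it is known clean, and after the next time it is plugged into a suspect machine, diff the drive against that manifest. Files that appeared or changed without you putting them there, especially executables or an autorun.inf, are exactly what a scan should be pointed at. The file-type list and the helper names are assumptions for this example, not something the page prescribes.

```python
"""Baseline-and-diff check for a removable drive (added example, not the
page's own tooling). Build a manifest while the drive is known clean; later,
compare a fresh manifest against it and flag unexpected additions/changes."""
import hashlib
import os
from pathlib import Path

# Constructed watch-list: names and extensions that deserve a second look when
# they appear on a data-only drive without the owner having put them there.
SUSPECT_NAMES = {"autorun.inf"}
SUSPECT_EXTS = {".exe", ".dll", ".scr", ".vbs", ".js", ".bat", ".cmd", ".lnk", ".ps1"}


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map drive-relative path (with '/' separators) -> sha256 of every file."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def is_suspect(relpath: str) -> bool:
    """True for an autorun file or an executable/script file type."""
    name = Path(relpath).name.lower()
    return name in SUSPECT_NAMES or Path(name).suffix in SUSPECT_EXTS


def diff_manifests(baseline: dict, current: dict) -> list:
    """Return sorted (status, relpath, suspect) tuples for added, changed
    and removed files. Anything with suspect=True goes to the scanner first."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("added", rel, is_suspect(rel)))
        elif baseline[rel] != digest:
            findings.append(("changed", rel, is_suspect(rel)))
    for rel in baseline:
        if rel not in current:
            findings.append(("removed", rel, is_suspect(rel)))
    return sorted(findings)
```

Keep the baseline manifest somewhere other than the drive itself, since a compromised machine can rewrite anything on the drive, including the manifest.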