How to deal with malware on Windows: “nuke and pave” often is the only way

A recent Discord.io breach has revealed that the gaming community is an increasingly attractive target, as gamers often use highly performant machines and have resources worth stealing. Most of the malware involved targets Windows, is often delivered via Discord, and may require reformatting the disk and reinstalling the operating system to remove, DomainTools researchers write.

With the Discord.io breach, bad actors could mine the hacked list of accounts and communities to determine possible targets for infection.

“With one click, the targeted gamer’s computer is totally compromised, typically with an info stealer, but a remote access trojan, crypto miner, or other malware may also be dropped,” researchers warn.


If that happens, users should not waste their time trying to clean the harmful software off the machine with security software.

“Sometimes, the only way forward is to reformat the machine from scratch – to nuke and pave,” says Sean McNee, VP of Research and Data at DomainTools.

Why wiping the drive is the best approach

Nuke and pave means completely erasing the hard drive of an infected device, thus removing all the data and software, and then reinstalling a clean version of Windows. Even that is not always simple, as cyber crooks keep finding new ways to hide their malicious code.

Malware will often burrow deeply into a system, hide from being monitored, and may include defensive anti-tampering measures.

“Try as you might to clean an infected system using antivirus software, you can never be totally sure that you’ve actually gotten everything. In fact, you might routinely run multiple antivirus products – each triumphantly reporting “nothing malicious found” – only to end up with a system that’s still exhibiting undeniable symptoms that something’s seriously wrong,” researchers warn.

Even reformatting the drive and reinstalling has become more complicated these days. Users should keep this in mind, as the DomainTools report puts it in one of its section headings:

“We Know You’re Going to Try Disinfecting Your System (Even Though We Both Know It Won’t Work),” DomainTools researchers write.


In that case, they advise understanding the subtle differences between the types of harmful software. It could be a bot, a true computer virus, a worm, a back door, a trojan horse, a rootkit, a potentially unwanted program, adware, crimeware, ransomware, spyware, etc. The type determines which cleaning tool will be required.

“You must “pick the right tool for the job” and “ensure that all the right options have been set.” Many antivirus vendors do not provide a comprehensive approach to find and clean all types of malware using just a single tool,” researchers warn.

Also, users should scan all volumes on their systems. Even then, there are no guarantees, no matter which tool is used. For example, even if an antivirus product proclaims the computer to be clean, good practice is to check with other tools, such as Malwarebytes AdwCleaner, for malware-related artifacts left in the system.

“On a sample PC infected with the Discord malware, ADW found and flagged but did not remove three Registry entries,” researchers noticed.

Malware authors are well known for manipulating registry entries. Problematic or obfuscated settings in the Registry may be buried deep and be hard to fix. For instance, search-hijacking malware might change the browser’s default search engine to one that pays the hijacker for rerouted traffic.

Other malware may hide in browser extensions, which may or may not be scanned by antivirus software, and which may autolaunch and run in the background at startup via entries that are mostly visible only through msconfig. Malware creators are continually looking for new ways to achieve “persistence” on infected systems.
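The Registry entries, startup items and browser extensions mentioned above are the places a defender inventories before and after a cleanup attempt. The following PowerShell script is an added, read-only example (not code from DomainTools or from the article) that lists the common autostart locations, flags entries that launch from user-writable profile paths, and saves the inventory as JSON so a second run after cleaning can be compared with Compare-Object. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, default Chrome/Edge profile paths, and an elevated session for the HKLM keys and scheduled tasks; the path pattern used for flagging is a constructed heuristic, not a detection signature.

```powershell
# Added example (not DomainTools' or the article's code): read-only inventory of
# Windows autostart locations. Assumed: PowerShell 5.1+/7 on Windows, default
# Chrome/Edge profile paths, elevated session for HKLM and scheduled tasks.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Registry Run/RunOnce values (the same entries msconfig's Startup view reads)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings.Add([pscustomobject]@{
            Source = 'Registry'; Location = $key; Name = $p.Name; Command = [string]$p.Value
        })
    }
}

# 2. Per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source = 'StartupFolder'; Location = $dir; Name = $_.Name; Command = $_.FullName
        })
    }
}

# 3. Scheduled tasks outside the \Microsoft\ tree (a common persistence location)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            $findings.Add([pscustomobject]@{
                Source = 'ScheduledTask'; Location = $_.TaskPath; Name = $_.TaskName
                Command = ("{0} {1}" -f $a.Execute, $a.Arguments).Trim()
            })
        }
    }

# 4. Browser extension manifests under the user profile (assumed default paths)
$extRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
foreach ($root in $extRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            $findings.Add([pscustomobject]@{
                Source = 'BrowserExtension'; Location = $_.DirectoryName
                Name = [string]$m.name; Command = ($m.permissions -join ',')
            })
        }
}

# Constructed heuristic: autostart commands that launch from user-writable temp or
# profile directories deserve a closer look; legitimate software usually installs
# under Program Files. This flags for review, it does not remove anything.
$suspectPattern = '\\(AppData\\Local\\Temp|AppData\\Roaming|Temp|Downloads|ProgramData)\\'
foreach ($f in $findings) {
    $f | Add-Member -NotePropertyName Suspect -NotePropertyValue ($f.Command -match $suspectPattern)
}

# Persist the inventory so a post-cleanup run can be diffed against it
$out = Join-Path -Path $PWD -ChildPath ('autostart-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
$findings | ConvertTo-Json -Depth 4 | Set-Content -Path $out
$findings | Sort-Object Suspect -Descending | Format-Table Source, Name, Suspect, Command -AutoSize
Write-Host "Saved $($findings.Count) autostart entries to $out"
```

Run it once before cleaning and once after; an entry that reappears in the second JSON after a tool reported "nothing malicious found" is exactly the kind of leftover artifact the researchers describe. The script only reads; deciding what to remove, or whether to nuke and pave instead, remains a manual call.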

Why gamers, and why Discord?

Attackers have made their cost-benefit analysis and gamers are high on their list.

Firstly, gaming computers are generally more powerful than non-gaming computers and tend to have top-notch network connectivity. If an attack takes the same amount of effort, cybercriminals will target faster systems to install their crypto miners, control centers, or other monetization options.

Gaming computers are often left unprotected, as antivirus software and other measures may “slow down the system.”


And Discord is a gamer-focused messaging service, free and popular, with more than 150 million active users. Communications are encrypted, so the traffic is hidden from network monitoring and attack detection tools. Discord users have assets that can be monetized by attackers.

“Sophos has characterized Discord as being a rough neighborhood and ‘[…] a dumping ground for malware. And even for malware not hosted on Discord, the Discord API is fertile ground for malicious command and control network capability that conceals itself in Discord’s TLS-protected network traffic.’”

A popular style of attack is the “new game,” in which a teammate or someone else asks the victim to try a new piece of software, which, surprise, actually turns out to be malware. Compromised accounts are used to make the request look legitimate.