
Five tips for dealing with rootkits

Rootkits are diverse, elusive, and difficult to get rid of. These basic pointers will help you combat this escalating threat.

A rootkit is a piece of software that enables the continued, privileged access to a computer, all the while hiding its presence from users and administrators. Although rootkits themselves might not be dangerous, the software or processes they hide almost always are. Unlike a virus, a rootkit gains administrative privileges to your machine. Rootkits are the Mac-daddy of viruses, causing the most damage and headache. The biggest issue with rootkits is that once on a system, they are a challenge to detect and remove, because their main purpose is obfuscation.

But you don't have to be at the mercy of rootkits. You can be prepared to deal with these nasty pieces of software should they show up. And even better, you can keep them from happening in the first place.

1: Protect those machines

You're not going to stop everything all the time. But that doesn't mean you should forgo protection. One of the first things I do on a new Linux system is install rkhunter. This tool is an outstanding defense against rootkits. If you're not using the Linux operating system then you need to use trusted tools like AVG Anti Rootkit or ComboFix [edit: link corrected] to take on the task.

2: Be on the lookout for signs

Although rootkits don't actively give you signs you are compromised, there are ways to tell. If you've received reports from various sources that you are sending out massive amounts of spam, you most likely have a botnet, which is probably being hidden by a rootkit. If your server is a Web server, and you are seeing strange redirect behavior, you might be a "winner." For UNIX and UNIX-like systems, look for altered versions of executables or directory structures. If you issue the ls /usr/bin or ls /usr/sbin command and see that your normal applications seem to be named incorrectly, there is a high possibility you have been hit by a rootkit. Of course, the easiest method of detection is to regularly run rkhunter (or a similar tool, as described above).

3: Turn it off

If you have been infected, the first thing you should do is shut that machine off! Then, remove the drive, mount it on another system (preferably a non-Windows system), and get your data off the drive. There is a chance that the OS will have to be re-installed, so you want to make sure you have your data off. But having that infected system up and running is only doing more damage, especially if there is a spam bot or the like running.

4: Never go without Tripwire

Tripwire is designed to monitor changes in files/directories on a given configured system. One of a rootkit's primary purposes is to conceal malicious software. Oftentimes, they will do this by renaming files or folders or installing similarly named files/folders. You can detect such behavior at any time using a tool like Tripwire. It is critical that you install Tripwire immediately upon installing the OS. Otherwise, rootkits could already be installed and Tripwire will be less than effective.
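As an added example (not code from the article or from the Tripwire project), here is a small Python file-integrity checker that illustrates tips 2 and 4 together: it records a SHA-256, permission mode and owner for everything under a directory, stores that as a baseline, and later reports what was added, removed or modified. The `demo()` function builds a constructed toy bin directory, baselines it, then tampers with it the way the article describes (a swapped binary, the original stashed under a dotted name, a permission change); every file name and content in it is made up.

```python
"""File-integrity baseline and verification, in the spirit of Tripwire.

Added example, not the article's or Tripwire's own code. The baseline must
be taken on a known-clean system (ideally right after the OS install), as
tip 4 says; a later run is then compared against it. Demo data is constructed.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a regular file in chunks so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _fingerprint(path: Path) -> dict:
    """Record the attributes a binary swap or permission tweak would change.

    Directory sizes are deliberately not recorded: on some filesystems
    (tmpfs among them) they change whenever an entry is added.
    """
    st = path.lstat()
    entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISREG(st.st_mode):
        entry["size"] = st.st_size
        entry["sha256"] = _sha256(path)
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root) -> dict:
    """Walk `root` (dotfiles included) and fingerprint every entry below it."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = _fingerprint(p)
    return baseline


def save_baseline(baseline: dict, out_path) -> None:
    """Persist the baseline; in practice keep this copy off the monitored host."""
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_path) -> dict:
    return json.loads(Path(in_path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report entries that appeared, vanished, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a toy bin directory, then tamper with it."""
    work = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        root = work / "bin"
        root.mkdir()
        for name in ("ls", "ps", "netstat"):
            p = root / name
            p.write_bytes(f"#!/bin/sh\necho real {name}\n".encode())
            p.chmod(0o755)
        baseline_path = work / "baseline.json"  # outside the monitored tree
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: trojaned ps, the original kept under a dotted
        # name, and netstat made setuid. All constructed.
        (root / ".ps.orig").write_bytes((root / "ps").read_bytes())
        (root / "ps").write_bytes(b"#!/bin/sh\necho filtered ps\n")
        (root / "netstat").chmod(0o4755)

        return compare(load_baseline(baseline_path), build_baseline(root))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline only means something if it was taken from a known-clean tree, which is why tip 4 insists on installing the monitor right after the OS. Keep the JSON copy off the monitored host: a rootkit running as root can otherwise rewrite a local baseline to match its own changes.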

5: Consider memory dumping

This is a far more challenging method, and it's most often left to specialists who have access to non-public tools or code. You can force a kernel (or even a complete) memory dump of the infected -- or possibly infected -- system that will capture any possible rootkit in action. That memory dump can then be analyzed with a debugging tool. During the analysis, the rootkit can't obfuscate its actions and will be detected. Of course, at this point, you are most likely going to have to just pull off your data and reinstall.
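As an added example (not code from the article), here is the cross-view comparison that memory-dump analysis relies on, in Python: the live `ps` listing and the task list reconstructed from the dump are parsed into PID/name maps and diffed, so anything the live view filtered out shows up as the gap between the two. Both listings are constructed, including every PID and process name; the dump-side text stands in for what a memory analysis tool would report from kernel task structures.

```python
"""Cross-view process check: the principle behind tip 5.

Added example, not the article's own code. A rootkit can filter what the
running system reports (here: `ps` output), but it cannot edit a memory
image after the fact, so the dump is the independent view to diff against.
All listings below are constructed sample data.
"""
import re

# `ps -eo pid,comm`-style lines: leading PID, then the command name.
_PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_listing(text: str) -> dict:
    """Parse PID/name lines into {pid: name}; header and blank lines are ignored."""
    procs = {}
    for line in text.splitlines():
        m = _PS_LINE.match(line)
        if m:
            procs[int(m.group(1))] = m.group(2)
    return procs


def cross_view(live: dict, independent: dict) -> dict:
    """Diff two views of the process table.

    hidden  : present in the independent (memory-dump) view but not live
    phantom : reported live but absent from the dump (stale entry or decoy)
    renamed : same PID, different name (a hooked view lying about the command)
    """
    hidden = {pid: name for pid, name in independent.items() if pid not in live}
    phantom = {pid: name for pid, name in live.items() if pid not in independent}
    renamed = {
        pid: (live[pid], independent[pid])
        for pid in live.keys() & independent.keys()
        if live[pid] != independent[pid]
    }
    return {"hidden": hidden, "phantom": phantom, "renamed": renamed}


# Constructed: what a hooked `ps` shows on the suspect host ...
LIVE_PS = """\
  PID COMMAND
    1 init
  412 sshd
  630 apache2
  631 apache2
"""

# ... and what a walk of the kernel task list in the memory dump shows for
# the same moment (constructed; PID 4242 and the true name of 631 were
# filtered from the live view).
DUMP_TASKS = """\
  PID COMMAND
    1 init
  412 sshd
  630 apache2
  631 mailer
 4242 spambot
"""


def demo() -> dict:
    """Run the comparison over the constructed sample listings."""
    return cross_view(parse_listing(LIVE_PS), parse_listing(DUMP_TASKS))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(f"{kind}: {entries}")
```

The same diff works with any two views that are produced independently (for example `ps` against a raw walk of `/proc`, which is what tools like rkhunter do), but only the memory dump is guaranteed to be outside the rootkit's reach, which is the point the section makes.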

Prevention

Rootkits are the "big nasty" of infections. The best possible strategy is to install software to prevent their installation in the first place. The biggest issue with rootkits is that they can be heinous enough to require you to remove your data and reinstall anyway. Be proactive on this front and install every necessary precaution you can.


Been there?

Have you had to grapple with rootkits on your own or your clients' systems? What did you do to prevent/remove them?

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

90 comments
shurtadoa

Not Found The requested URL /downloadcom/s/software/10/66/26/85/avgarkt-setup-1.1.0.42.exe was not found on this server.

aandruli

Tripwire is fine for enterprise protection, but not for an individual user. At home I use Bill P's WinPatrol which does the same sort of thing but for an individual desktop.

phototropic

"...you need to use trusted tools like AVG Anti Rootkit or ComboFix [edit: link corrected]..." AVG Anti Rootkit was last updated in Oct. 2007 and is no longer produced or supported by AVG. Anyone who would recommend using it clearly does not know the first thing about cleaning malware in the field. "...ComboFix [edit: link corrected]..." There is only one official link for downloading Combofix. But there are several rogue sites. If you do a quick Google for "Combofix", those sites are first in the list. If you actually RUN Combofix in an attempt to remove malware, the first window you see tells you as much and warns against spurious download sites. Jack Wallen, your article here: http://www.techrepublic.com/blog/doityourself-it-guy/diy-free-tools-for-removing-malicious-software/115?tag=mantle_skin;content was so wrong it was dangerous (and encouraging license-breaching!!!) And now this misinformed stuff about rootkits. Why do you keep trying to write authoritatively about subjects which you clearly only have an amateur grasp of? And why does Tech Republic keep publishing this stuff?

gracedman

Might I suggest a look at OSSEC. It has rootkit detection and file integrity checking as well as a host of other features. It has a Windows client and is completely open source - John

jazzitt3

Actually the first thing you should do if you suspect the machine you are on is infected or starts to act up (especially when on the net) is unplug the LAN cable. Rootkit infection is immediate notice of irregular activity and if a nasty one can also affect USB as well as CD-ROM. Also most that are bad cloak the main account and you can't recover its files while up as a slave drive. I have my bad guy fighter file.exe's tools on USB flash drives, a CD-ROM and a camera SDHC card.

craig

Anybody who's had to battle a root-kit on a Windows based PC could not possibly have found this article of any use. It did get me on the page; good for TR.

glen.vee

Apparently the author does little work on Windows systems, as this article is focused mainly on Posix/Unix/Linux type operating systems. Tripwire is not available for Windows. AVG Anti-Rootkit was discontinued as a separate application and is now only included as part of their premium anti-virus. It no longer gets updates and so is useless against newer rootkits. ComboFix is a good tool but should be used by, or under the guidance of, an experienced handler who can write the scripts needed to drop onto ComboFix in order to remove many rootkits. Just running ComboFix as is will not remove many rootkits.

aandruli

I had a rootkit that was detected by another utility but it was unable to remove it because the rootkit protected itself by launching a BSOD anytime anything tried to remove it. MBAM created a "runonce" in the registry to bypass the BSOD trick and removed it, survived the BSOD, and it's all gone. I now scan with MBAM on a regular basis.

gsoucy

Hitman Pro 3.5 is amazing and better than ComboFix at detecting/repairing rootkits.

AnsuGisalas

I can't seem to get a hold of the AVG antirootkit, it sort of looks like they merged it with their non-free AV. Combofix certainly does what it can to make me uneasy about running it. Is it as scary as it claims?

Jaqui

And it's installed on most *x systems by default: fam, the File Alteration Monitor. You can use it to track your system.

Slayer_

Disconnect the network cable, and leave it alone, turning it off will give it access to files previously locked by Windows. Restarting it afterwards is the kiss of death.

JCitizen

I'm not familiar with where it went wrong on the license issue, but you make good points here. Thanks for posting!

JCitizen

I've never underestimated the capability of today's malware. I always write protect any USB or floppy device I'm using to nuke a drive from space. I've never trusted CD-RWs either as there is no way to write protect them. I would even suspect that malware could flash CD-ROM controllers to foil any LiveCD sessions. It does seem like more and more ROM optical drives use firmware now.

DNSB

Most of the time, I find more use in the comments from the people in the trenches than in the original article. OTOH, keeps me reading the articles so TR should be happy.

lg

Also, ComboFix does not run on 64-bit Windows.

MrRich

Need something like this in the arsenal. Thanks for the pointer!

JCitizen

I would prefer a Linux .iso....

xcav8r369

GMER, Catchme, MBR and RootRepeal.

smarkie

Combofix does a good job of removing it. Had a horrendous one and it took like 20 minutes to do a scan and bam, good as new. Issue I ran across (at the time) is that it didn't run on a 64-bit OS.

DNSB

I've used ComboFix five times and it has worked four of those times. However, there is the possibility that it can trash your entire system so I reserve it for the cases where I've already backed up data and there are applications installed that are no longer available for re-install. At that point, you've got nothing to lose. The fifth time, ComboFix indicated that a problem was fixed but still issues after the computer was rebooted. For that one, I backed up the two program directories and registry hives before the wipe.

bboyd

Noticed on HNN's tool time podcast section. AVG's been moving in a direction that makes me not recommend it as often. Now I only suggest it when I know the person is nearly computer illiterate and I won't be touching the system. Try Sophos if you're not willing to do a data strip and full format & install.

Neon Samurai

I'll have to do some reading about that. Especially if it differs from Tripwire or can be run alongside.

bitdoctor

Etienne, it's nice that maybe in 250 cleanings, you believe you have not run into rootkits but, to my knowledge, MBAM does NOT clean rootkits - it can clean some viruses, spyware and other malware - rootkits are very specialized software and, even IF it happens to 'clean' - then the cleaning is still suspect. I will repeat again, for everyone's edification: IF there is ANY suspicion of a rootkit on your system, the ONLY viable action is KILL the drive, then REBUILD the drive. You can play with 'cleaning' techniques but, even if the rootkit is recognized and 'claimed' to be cleaned, there's no way to know for sure except rebuild the drive. And BIOS rootkits and viruses are even more problematic (yet, thankfully much more rare).

bitdoctor

Also, turning it off, and slaving the drive on another system is really the ONLY way to defeat some of the more sinister rootkits. DO NOT try to clean an actively-running, rootkit-infected system! Some rootkits are slick enough that they will detect the 'cleaning effort' and then 'hide themselves' (or start actual destruction or 'self-destruction,' when they detect your cleaning effort) - thus, 'passive cleaning,' by slaving the drive on a second computer is always the recommended best practice. And really, if any rootkit is found, a re-format and re-install is strongly recommended.

Neon Samurai

Kill the power as quick as possible so any running malware processes don't get the shutdown warning. After that, pull the network cable out and reboot with a non-Windows environment. After that, I start going through my stack of latest liveCDs such as Avira's tool.

AnsuGisalas

After that, you cut out its brain and take it to be copied and cleaned. Err... I mean hard drive. Cleaned as in either disinfect or wipe. As I understood it, it's not supposed to be rebooted in an infected state. Besides, the system may have already rebooted after infection, since it's not likely to be detected right away.

Jaqui

The turn it off is followed by access from a non-Windows, secured system. Data copied off the infected drive, then a wipe and re-install. The turn it off is step one in a cleaning up. :p

pgit

And they wouldn't be here if not for the original article. I agree there could be more "meat" in a lot of the articles put up at TR, but then I suppose they are 'good enough' in that these discussions ensue. I have gotten a ton of help and great tools from the members here.

Neon Samurai

http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.iso Did they change it recently to detect previously installed software? The last time I had reason to use it was about two months ago but I've a family member's borked machine coming to me Wednesday for surgery. I guess I'll find out then. Generally, I use this to scan the system and see what it detects but I don't enable "try to clean" during that scan. With a list of affected files, I'll then go in with something like Backtrack or a similar non-Windows bootable disk. Similarly, any other liveCD based scanners I can find get run for confirmation or what Avira may have missed.

Jaqui

In that it only watches for when files are altered. It usually is running under msec/polkit or other system security policy. It can also be used to see when a particular user last logged in or was active: check for the last file they altered by the timestamp, and even touching a file alters the timestamp. It can lead to many false positives if not set right, but it can give a good heads up that there is a problem if files that shouldn't be altered during a given time period are.

etienne

Since this article is about rootkits specifically, you are right; my comment was really addressed to Neon, in the context of the more "general malware cleanup". The conundrum really is that the more powerful rootkits will NOT reveal themselves to anything, so there is no direct way of positively identifying the presence of a low-level rootkit (other than memory dumps etc., and perhaps repeated and perpetual infections being a symptom of an underlying rootkit). So, it's a bit of a catch 22. Then personally, when there is any sort of "persistence pattern", I kill and rebuild, which is the only way that one can, with a very high degree of certainty, assert the absence of rootkits.

bitdoctor

Agreed - "hard shut-off" is the best method, and, as you mentioned, booting an alternate O/S, because rootkits (except BIOS-based) are typically o/s-specific - so booting Linux would make your current booted environment effectively impervious to a Windows-specific rootkit. Another good tip is that, if you ever consider rebooting with the infected drive, before you shut it off, disable "System Restore" on all drives, because rootkits and malware love to hide there, so they can persistently re-install themselves. That would be the one thing I might do before a hard power-off, but typically, I would just, as you indicated, "yank the plug."

Slayer_

You're better off trying to clean it up immediately without shutting it down. Sticking it in another computer means you failed. A good portion of viruses and rootkits can be defeated with a simple virus scan done before the computer is restarted.

AnsuGisalas

It's often like the blog is the "opening remark" of a brainstorm or freethink session - superficial, but enough to get people to home in on what's going on - bringing with them the real meat.

Neon Samurai

I've got mod-security on my plate here first though.

JCitizen

of a rootkit, but Avast uses GMER technology to root them out. I'm not saying any one thing is good for nasty rootkits, but at least those can be on the machine in the first place. Many live CDs require you have the brand name of the AV already installed or the CD will leave you a message that it can't help you.

AnsuGisalas

I don't have imaging yet, but rootkits are a good reason to get it. I'll wait until I have a certifiably clean system to image though.

bitdoctor

In no way did I mean NUKE THE RECOVERY PARTITION (and I never said nor indicated that)! Heck no! Oftentimes, that partition, since it often sits on like a "D:" partition, has not been touched, and you can copy/slipstream the o/s off there, to a new ISO or new CD to re-create your system. Some vendors even have made a 'cd generator' exe that will make the cds/dvds from that partition. Please understand that I meant the OTHER "system restore" - i.e., that feature of Windows XP and higher, under Computer Properties, where it says "System Restore" (i.e. "Restore Points") - I'm sleepy right now, but NOW you know what I mean - that part that allows you to "roll back" any recent updates and config changes, to a point in time BEFORE those changes took effect - THAT 'System Restore' - not the OEM/Vendor 'System Recovery / Restore Partition.' Please don't confuse those two - or you get in BIG trouble - ;-) BOTTOM LINE: The REALLY smart viruses and rootkits hide in that 'system restore' area, and, even if you wipe them off the system, as soon as you reboot, the "mothership" calls them OUT of that 'restore point' area and back into action - I have had to kill several of those types - nasty buggers!

Who Am I Really

About System Volume Information, I wouldn't touch two files:
- MountPointManagerRemoteDatabase
- tracking.log
They're some weird NTFS stuff.
- MountPointManagerRemoteDatabase holds the list of Junction / Mount Points; it will be 0 bytes if there are no drives mounted in NTFS folders.
- tracking.log: I haven't bothered to find out what exactly this one is or does, but on all my systems it's 20KB (20,480 Bytes).

Neon Samurai

I'll have to try that on the test machine at work. If it's simply file permissions that can be changed, I'll call it user error in my case.

Who Am I Really

I get access to that folder within the first 20 minutes of a Windows install / setup. It's easy, from within an admin. account:
- right click on it (System Volume Information)
- select the Security tab
- click the Advanced button
- click the "allow inheritable permissions ..."
- now all admin. accounts can look in and modify the contents

Neon Samurai

One of the things that first got me using a liveCD for scanning and cleanup was an XP machine where not even user Administrator can delete files from the system recovery tree owned by user System. Popped in a liveCD for something that didn't have absolute respect for NTFS permissions and away went the offending files. (unfortunately, not a system I was free to nuke and pave)

ctrogers

As an alternative, I've had system restore rescue systems that I couldn't fix any other way. Note: This is on other people's systems, and they nearly always don't have the cds to reinstall all (or any) of their software, so a complete reinstall is the last option.

gechurch

The first reply to your comment sums it up pretty nicely. My last job was as a computer tech, so I dealt with this stuff all the time. Our shop changed our process due to malware. We used to pick a machine up, boot into Windows, look around and confirm the problem etc. I played around with rootkit scanners but quickly realised they were a poor idea. You are running a tool in an already compromised environment. Sure, they might pick up the infection. There's every chance they won't, and they take too long anyway. So we changed our process so that 30 mins before the end of the day we would pull the drives out of all the machines on the "Jobs Waiting" shelf and plug them into spare machines. The machines were set up with Windows and four A/V and malware scanners. I also wrote a script that loaded the slave drives registry offline so that could be scanned, and another tool to read the common startup locations offline ("Autoruns offline"). Finally, another script would delete temp files, and common files that we knew belonged to infections. The guy who came after me automated this even more. They now press a button, and the registry is read offline, the four scanners all load and run, when finished the results are automatically put into the job tracking system and the temp files are deleted. This cut our time down hugely. We would come in the next day, put the drives back in their original machines and boot up. Half the time the job was as good as done. Occasionally we had other effects that needed tidying. For jobs that weren't fixed it meant we could discount viruses as the likely cause. This saved countless hours. And every time we ran into something this process didn't fix, we added it to the script to manually search for and find it (things like .exe files in C:\Windows\Fonts directory).
Sure, you can fight the good fight within the compromised environment, but you shouldn't be very confident when you give the machine back to the client, and you certainly haven't done them any favours in terms of time charged.

etienne

Neon, try MBAM. I've been cleaning desktops for many years using boot images (e.g. UBCD4W) running six (and more) different malware scanners; to me that was the ONLY way to clean properly, almost a religion. Started using MBAM about a year ago and it just seems to collectively catch (AND clean) almost everything. In my own comparative testing (boot image & offline scans vs MBAM whilst in Windows) the difference between the two methods is about 0.9% detection (wise spectrum), but the hands-on time involved decreases by about 80%. There are occasions where I still (after MBAM) go through my full routine, but in retrospect it has not been necessary now for at least the last 250+ systems (almost a year). If/when I have any uncertainty and a particular system is mission-critical, I kill and rebuild (but only after a DBAN on the drive). Give it a shot!

bitdoctor

True that you don't necessarily "need" a 2nd system, nor a 2nd O/S for that matter, but both are recommended for added speed, copying off the data from the infected drive, etc. Actually 2nd O/S is not really needed, if you are not 'booting' the infected drive, and not ever having any chance of accidentally clicking/running anything on the 'slaved' infected drive. I use 2nd computer so I can copy off the user's data (doing that now, as we speak), then format the drive, set it up to be ready for new o/s install, etc. Saves a bunch of booting/rebooting, etc. I can even copy the o/s install files to a partition on the newly-formatted hd, then I'm ready to slide it back into the other system, and boot/build.

bitdoctor

In Washington DC, at the Pentagon and at a "Tempest" PC outfit (which must remain nameless for now - Google 'Tempest' if you don't know what it means - basically RF-shielded & EMP-shielded computers - and they are *HEAVY*) we definitely were required to physically destroy the drives via 4 methods (not all at once - we typically would use one or two):
1) Sledgehammer! Not perfect, but makes 90% plus of the data non-recoverable
2) Thermite and/or Frog-in-a-blender methods - melt it down or grind it to bits - both are effectively 100% non-recoverable
3) HUGE UBER-STRONG magnet multi-wipe - we had massive industrial electromagnets, just for this purpose, and they were incredibly intriguing! Just don't wear a lot of loose metal jewelry when you hit the degauss button!
4) Multi-wipe with a low-level zero-fill utility.
You are right - triple-wipe should not be needed for SSD. You also are right that there is no hard evidence that triple-wipe on a magnetic drive gains a typical non-terrorist any great advantage. FBI, NSA and CIA probably already have copies of your drive via proximity-based magnetic resonance leeching technology, which effectively does a "live Ghost" copy of your drive over the air (OOPS! was that still 'classified?' ouch, I'm in deep trouble now!), without them ever having to come into your house and physically touch your drive - IF you are a terrorist, I mean - but if you are Joe User, who is not counterfeiting 100 dollar bills, and not threatening to blow up the world, then a single wipe is adequate and is better than just delete or shift-delete.

DNSB

SSDs should just need one write to the entire drive since they don't have issues that magnetic drives have with track wandering. Quite often even the simplest option of overwriting the first and last segments of the drive with 0's is sufficient for any drive. If you are worried about someone with the proper tools recovering your data from a magnetic drive, the multipass overwrite is good. Of course, if you are that worried, taking the drive out and using thermite to melt it down might be a faster and better option.

Neon Samurai

Avira detected 26 files but I only use it to identify. It didn't have much luck cleaning and I'm not ready to let it delete when I can still boot Backtrack or similar and know what I'm deleting. Bitdefender detected 4 files and was not able to clean them. Knowing what the files were, I chose to delete which it had no trouble doing. Fsecure detected 36 (beyond the 4 already deleted) and cleaned or renamed. Kaspersky is on deck but I'm going to risk a Windows safe mode boot once I get win32 tools collected on a CD. F'ing Fake AV!! I hate that guy..

pgit

The Linux live CD has been a game changer. Thanks Tomas M. for inventing the underlying scripts: http://www.linux-live.org/ there's good reason that site looks like this one: http://www.slax.org/ one and the same developer. Slax is my first go-to for system recoveries, it's highly hardware compatible. And you are quite correct about commercial AV being tight with 'proprietary' information. Their loss. Open source is definitely the model for successfully pushing back against the mayhem. As closed source products go, I have been setting folks up with Windows Defender lately. It gets high reviews, you'd have to imagine the insiders would have an easier go at getting this sort of thing right. It also gets me off the hook with licensing. First thing it does is verify the license as valid. If it isn't it won't install. (at least I haven't tried to end run it) It probably hooks something back to Redmond a little more closely than my personal tastes could tolerate. But I don't run Windows for anything but testing, and on isolated networks. For my clients, though, Win Defender seems to be an excellent choice. It doesn't bog the system down as much as the other commercial products and it's alleged to be near the top in detection and prevention, according to 'independent' testing.

ultimitloozer

Almost all viruses can be removed without having to take down the machine, but any rootkit written by someone who knows what they are doing will not be removed unless the source is offline. You may be able to detect the rootkit on the machine, but removal while it is running will be exceedingly difficult, if not impossible. You do not need a second machine either, just a clean boot source (liveCD, WinPE/BartPE, flash drive, etc). All you need to do is prevent the rootkit from starting so self-hiding is impossible and removal becomes possible.

Neon Samurai

32 writes on the drive. That would burn Flash memory out quick with its write limit and would noticeably shorten the life of a platter drive if you're doing it regularly.

fashizzlepop

3 passes is way more than enough to hide from local police. 5 is way more than enough for FBI. If You are in such deep shit Russia is scanning your drives, you might shoot for 7 max. No point going further. 32 passes is like Martians running cloud servers trying to crack your info, and IMHO, they could read your mind easier than trying to read after 32 passes.

Neon Samurai

I see the reaction with extreme hostility as erring on the side of caution. When presented with something new, the state of the art in malicious software, consider the potential outcomes. One can say "I have 20 years of experience so therefore any new malware I see must obviously behave the same as what I've seen in the past." The positive outcome may be a quick AV scan that manages to catch any lingering malware. The negative outcome is missing a trick you haven't seen before resulting in data loss or wasted time revisiting the same infestation. One can also say "I have 20 years of experience and have learned that software is ever evolving. This may be something new or something old with new tricks. I should treat it with the assumption of being state of the malware art." The positive outcome is that you catch all of it and discover that it is something new and interesting; you learn something. The negative outcome is that you spend more time than expected to find out it's only something old and nearly harmless now like Slammer. In one case, you're making the choice to be surprised by a negative because you ignore the possibility of it being something new or ignored the possibility of using a specific tool due to OS religion or whatever rationalization you gave yourself. In the other case, you're making the choice to be surprised by a positive outcome by assuming the worst and taking appropriate steps for that worst case scenario. If I'm going to assume, I'd really like to be surprised by a good outcome; better for the user I'm supporting and more opportunities for happy surprises. These days, pulling the drive as a first reaction may be over the top unless you have pre-imaged replacement drives to slap back in (and assuming that kind of uptime requirements). It's not like the days before easily bootable OS on removable media where getting at a drive through a secondary OS did usually mean a second workstation. Also, I wouldn't hold Norton up too proudly.
No AV catches everything and Norton isn't ranking as high as others for detection. It used to be back and forth between Norton and McAfee but both have been outclassed. Even given an AV ranking at the top of the list, I'd still confirm with two or three different scanners. Things may be different if AV companies were sharing signature data but with the scanning engine and signature data both being considered competitive advantage, it's not as simple as picking a single brand name.

Timbo Zimbabwe

Only twice have I actually had to slave a drive on a different PC because the kit had really dug itself in. Both times I ran a virus scan (Norton) which found and removed it. Seriously, I've done PC support for nearly 20 years and I see such reactionary statements being made in these posts.

Neon Samurai

You don't even need the external HDD box anymore, get a drive dock with IDE and SATA slots unless you're regularly dealing with a different connector. There is also the three in one HDD to USB connectors but for this type of thing, you probably want eSATA when you're ripping the drive down to an image or otherwise reading over the full size of the platters.

ctrogers

With SSDs (Solid State Drives) coming down in price, you should probably just overwrite the drive with zeroes, as from what I understand, filling the drive with random garbage can cause havoc with most SSD write speeds. (Writing zeroes should be fine against anything but an attack by the CIA or KGB.)

pgit

Indeed most of the rootkits I have dealt with were in the MBR. But I trusted all those drives for a reinstall after using "Darik's boot-n-nuke." It can do a number of different wipe techniques, but all of them start with sector zero, i.e. it wipes the MBR. On occasion one pass isn't enough to do so, however. What I do for the persistent ones is start another wipe with DBAN and let it go for a minute or two, it starts at sector zero so a minute is enough that it wiped the MBR. (in this case again) I shut off DBAN and start it up again and repeat, running for a minute or two. I have never had to do this more than twice, meaning one complete run of DBAN and 2 one to two minute scans afterward. http://www.dban.org/

DNSB

Quite often, only one computer is needed. There are quite a few bootable CDs (either downloadable or how-tos on rolling your own) that will allow you to clean a computer by booting from an optical drive so no files on the hard drive need to be accessed. I've also used similar tools from a bootable USB drive but more systems will boot from an optical disk and less worries about it being written to. If I have the time, my personal preference is stuffing the drive into an external holder, scanning with several tools and then copying data. After that, I use SDD (Secure Data Destruction) or its cousins to overwrite the entire drive with random garbage before doing a re-install. Bit time consuming but safest. As usual, YMMV.

impcad

Bitdoctor is spot on. Having spent a good piece of yesterday trying to clean up a rootkit using multiple tools (ComboFix, AVG, MalwareBytes, etc.), the bugger could not be fully removed. Step 4 says it all "reformat and start from scratch" because that is the ONLY way you can be sure it is really cleaned. Good thing I always partition the drive and instruct users to put personal data on the D drive; makes a re-install a bit less painful.

bitdoctor

You are not "sticking it in" another computer, per se, you are [using] another computer, with this 'rootkit-infected drive' as a 'slave' via USB or other secondary adapter (key is "secondary") - you are not "booting" a 2nd computer with this infected drive - it is passive and can then be scanned, dissected, etc. Granted, you need some 'rootkit discovery and eradication' tools to run against the secondary drive. So, you are using the infected drive in a "non-boot" mode, thus the rootkit cannot harm you. And this is the method I've used to clean a large number of rootkits - of course, ones that cannot be cleaned require full format - but the gist of this is,
1) CONNECT the drive, as a [slave], to a 2nd computer
2) Get your data IMMEDIATELY off the drive
3) Attempt cleaning measures
4) Ignore step 3, because you really should reformat and start from scratch
5) Put your data back on the newly formatted drive
6) Stay away from places where you get infected with rootkits
7) Have a drink and hope your identity wasn't stolen

bboyd

Assuming its dropper did not restart your computer, most I've seen only got noticed long after multiple restarts. If you have concealed folders and registry hives it's already past that point. I'd never trust a drive again, without a full partition format and reinstall, given the possibility of it modifying the MBR.

Jaqui

are the mac daddy of malicious software because virus scans don't catch them, it takes a specialized rootkit scanner to find them.
