Once you have security measures in place to protect you against unauthorized access to your computers and data, as well as the means to detect rootkits in case security is compromised despite your best efforts, you should have a plan ready for recovering in case the worst happens. Rootkit detection is a little different from one operating system platform to the next; whether you're using Microsoft Windows XP or FreeBSD makes a difference for what tools you'll use to detect rootkits.
The procedures for recovering from a rootkit infection, however, are effectively the same no matter what platform you're using.
Describing what you need to do for recovery from a rootkit infection is relatively simple. Actually doing it can be a bit more complex, however, and a lot more stressful. Keep your head about you, be methodical, and don't leave any loose ends — you don't want to leave yourself vulnerable to easy reinfection.
There are actually six steps to recovery, but the list starts with an Item 0 and counts up to five, because part of proper recovery requires that you are prepared for a potential rootkit infection long before such an infection actually occurs.
The important thing to remember is that once you've had a rootkit installed on your system, you can never trust anything executable on it again without having some way to independently verify it from outside that system. Anything that cannot be trusted must be thrown away and replaced. The following steps to recovering from a rootkit infection are all based on the assumption that the compromised system can no longer be trusted.
If you find yourself in the unenviable position of needing to recover without having made all the necessary preparations, things get a bit messier. What you'll need to do differently depends on what you have and have not done to prepare. For instance, if you do not have backups of critical data, you will need to be able to access your data safely and convert it to a safe format — unexecutable plain text. The best way to do that would probably be to pull the drive, access it on another system booted from a LiveCD OS that will not automatically execute or open anything on that drive, then use safe tools to extract text from other document types. For instance, tools like catdoc can be used on UNIX and Linux systems to dump the text contents of a Microsoft Word .doc format file.
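The salvage procedure just described, as an added example (not from the original article): mount the pulled drive so nothing on it can run, dump .doc files to text with catdoc, copy through files that are already plain text byte-for-byte, skip everything else, and hash what was salvaged. The device path, the mount point and the output directory are assumptions.

```shell
#!/bin/sh
# Added example: salvage documents from a drive pulled out of a rootkitted
# host, run on a clean LiveCD system. Paths below are placeholders.
set -eu

# Mount the suspect drive read-only, with no set-uid binaries, no device
# nodes and no execution. Needs root; e.g. mount_suspect /dev/sdb1 /mnt/suspect
mount_suspect() {
    mkdir -p "$2"
    mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Convert one file into plain text under OUTDIR. .doc goes through catdoc
# as the article suggests; plain-text formats are copied with cat so no
# application ever opens them; anything else is logged for manual review.
salvage_one() {     # usage: salvage_one FILE OUTDIR
    f=$1; out=$2
    base=$(basename "$f")
    case "$f" in
        *.doc)
            target="$out/$base.txt"
            catdoc "$f" > "$target" || {
                printf 'FAILED %s\n' "$f" >> "$out/skipped.log"; return 0; } ;;
        *.txt|*.csv|*.log)
            target="$out/$base"
            cat "$f" > "$target" ;;
        *)
            printf 'SKIPPED %s\n' "$f" >> "$out/skipped.log"; return 0 ;;
    esac
    # Record a hash of each salvaged file so later tampering is detectable.
    (cd "$out" && sha256sum "$(basename "$target")") >> "$out/MANIFEST.sha256"
}

# Walk a directory on the mounted drive and salvage every regular file.
# e.g. salvage_tree /mnt/suspect/home /safe/salvaged
salvage_tree() {
    mkdir -p "$2"
    find "$1" -type f | while IFS= read -r f; do
        salvage_one "$f" "$2"
    done
}
```

Review skipped.log afterwards; a binary that was sitting in a documents folder is worth noting in the incident record, not opening.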
If the intruder's access to your system is in itself a problem, regardless of whether you have everything in place for recovery, you will need to take additional measures to mitigate the damage that access may have caused. For instance, if you're recovering a database server that manages credit card numbers, the owners of those credit cards will need their privacy and financial security protected as much as possible.
Plan ahead, think things through, and trust nothing without a very good reason. That's basically all there is to it, in principle. In practice, it can be one of the most frustrating, stressful, and difficult experiences of your career — but if you plan ahead and manage the crisis well, it doesn't have to be the end of the world.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.