Rootkits 201


Once you have security measures in place to protect you against unauthorized access to your computers and data, as well as the means to detect rootkits in case security is compromised despite your best efforts, you should have a plan ready for recovering in case the worst happens. Rootkit detection is a little different from one operating system platform to the next; whether you're using Microsoft Windows XP or FreeBSD makes a difference for what tools you'll use to detect rootkits.

The procedures for recovering from a rootkit infection, however, are effectively the same no matter what platform you're using.

Describing what you need to do for recovery from a rootkit infection is relatively simple. Actually doing it can be a bit more complex, however, and a lot more stressful. Keep your head about you, be methodical, and don't leave any loose ends -- you don't want to leave yourself vulnerable to easy reinfection.

There are actually six steps to recovery, but the list starts with an Item 0 and counts up to five, because part of proper recovery requires that you are prepared for a potential rootkit infection long before such an infection actually occurs.

The important thing to remember is that once you've had a rootkit installed on your system, you can never trust anything executable on it again without having some way to independently verify it from outside that system. Anything that cannot be trusted must be thrown away and replaced. The following steps to recovering from a rootkit infection are all based on the assumption that the compromised system can no longer be trusted.

0. Be prepared. Keep good backups, regularly, and make sure any critical non-plain-text data that you can't afford to just throw away is backed up in a manner that doesn't require the system you want to protect to have direct access to the backups. Make backups as plain text as much as you can, for reasons that will become clear in the rest of this list.

1. Disconnect the network. Once the system is compromised, it can be used to compromise other systems. You also want to make sure the malicious security cracker who has compromised the system isn't alerted to the fact that there's something wrong while he or she still has access to the system. In fact, disconnect the power entirely if there isn't a specific reason to keep it turned on, and pull the drive and analyze it from another system if you must.

2. Document everything. Analyze the intrusion. In addition to simply recovering the system and the data on it, you must also try to find out how you got compromised in the first place, what problems there may be with your recovery procedures, and how best to avoid this situation and minimize the damage in case you don't avoid it in the future.

3. Reinstall your OS. Remember: When you've had a rootkit installed on your system, you can't trust it any longer. Everything has to go. It may be that thanks to a good integrity auditing tool such as Tripwire you can be reasonably sure that some components of your system are still good, but ultimately you're better off reinstalling the system from scratch or restoring from a known good image.

4. Restore your data, but do it carefully. Even if you have backups from before the time you detected the rootkit, it's possible that the compromise just wasn't detected right away. As much as possible, restore data from plain text, and throw away any non-plain-text data that isn't of critical importance so you don't run as much risk of getting reinfected by your data files.

5. Monitor your system closely. The period immediately after restoring your system is a touchy one, where you must take great care to look for signs that you have actually eliminated all signs of compromise and are not the target of an ongoing attack that may quickly crack security again. Watch other systems that may also have been compromised, especially those that may have been compromised from the system you've just restored and those that may have been used as a jumping-off point to get to the system you've just restored.
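Steps 0 and 3 both rest on the same idea: the only trustworthy record of what a system looked like is one built before the compromise and kept where the compromised system cannot reach it. The following is an added example, not code from the article or from Tripwire, of a minimal integrity manifest in that spirit. The manifest is keyed with an HMAC so that a host which has been tampered with cannot quietly regenerate it; the key, the manifest file and the verification run all belong on a separate trusted machine (the demo below keeps everything in one process, with a constructed directory tree and a constructed key, purely to show the mechanics).

```python
"""Offline integrity manifest: build on a trusted system, verify from another.

Added example (not the article's or Tripwire's code). The file tree, the
"rootkit" changes and the key below are all constructed for the demo.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root to its hash, size and permission bits."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return entries


def _canonical(entries: dict) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly the same bytes
    # on the machine that signs and the machine that verifies.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed with a key stored off the checked host."""
    return {"entries": entries, "hmac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_manifest(root: Path, signed: dict, key: bytes) -> dict:
    """Check the manifest's tag first, then diff the live tree against it."""
    expected = hmac.new(key, _canonical(signed["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("manifest HMAC mismatch: the manifest itself cannot be trusted")
    old, current = signed["entries"], build_manifest(root)
    return {
        "modified": sorted(k for k in old if k in current and (
            current[k]["sha256"] != old[k]["sha256"] or current[k]["mode"] != old[k]["mode"])),
        "missing": sorted(k for k in old if k not in current),
        "added": sorted(k for k in current if k not in old),
    }


def demo() -> dict:
    """Build a tiny constructed tree, sign it, alter it, and report the differences."""
    key = b"constructed-demo-key--keep-this-off-the-checked-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original binary")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "motd").write_text("welcome\n")
        signed = sign_manifest(build_manifest(root), key)  # taken while still trusted

        # Constructed changes of the kind a later audit should surface:
        (root / "bin" / "ls").write_bytes(b"\x7fELF replaced binary")  # modified
        (root / "bin" / "hidden").write_bytes(b"\x7fELF")               # added
        (root / "etc" / "motd").unlink()                                 # missing
        return verify_manifest(root, signed, key)


def tampered_manifest_rejected() -> bool:
    """A manifest edited after signing fails the HMAC check before any file is read."""
    key = b"constructed-demo-key"
    signed = sign_manifest({"bin/ls": {"sha256": "00", "size": 1, "mode": "0o755"}}, key)
    signed["entries"]["bin/ls"]["sha256"] = "ff"
    try:
        verify_manifest(Path("."), signed, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

The verification order matters: the tag is checked before the tree is walked, so a manifest that was edited on the host reports as untrusted rather than as "all clean". In practice, the manifest is written at install time, copied off the box, and the comparison is run from a live medium or a second machine against the pulled drive, as step 1 suggests.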

If you find yourself in the unenviable position of needing to recover without having made all the necessary preparations, things get a bit messier. Depending on what you have and have not done to prepare, what you'll need to do differently will change. For instance, if you do not have backups of critical data, you will need to be able to access your data safely and convert it to a safe format -- unexecutable plain text.

The best way to do it would probably be to just pull the drive, access it on another system booted from a LiveCD OS that will not automatically execute or open anything on that drive, then use safe tools to extract text from other document types. For instance, tools like catdoc can be used on UNIX and Linux systems to dump the text contents of a Microsoft Word .doc format file.
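Before any file from the pulled drive or from an old backup is copied onto the rebuilt system, it helps to sort it mechanically into "plain text, safe to restore" and "not plain text, quarantine for manual review". The following is an added example, not from the article, of that triage. It is heuristic only: a file is accepted as plain text when it decodes as UTF-8, contains no NUL bytes, and does not begin with a known executable, container or interpreter signature (scripts are flagged too, since the goal is unexecutable text). The sample backup below is constructed for the demo.

```python
"""Restore triage: keep plain text, quarantine everything else for review.

Added example (not from the article). Signatures and sample files are
constructed for the demo; the rules are deliberately conservative.
"""

# Leading bytes that mark a file as something other than inert plain text.
SIGNATURES = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (modern Office, JAR and similar)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy Office)",
    b"%PDF": "PDF",
    b"#!": "script with interpreter line",
}


def classify(data: bytes) -> tuple:
    """Return (verdict, reason): verdict is 'restore' or 'quarantine'."""
    for sig, name in SIGNATURES.items():
        if data.startswith(sig):
            return ("quarantine", name)
    if b"\x00" in data:
        return ("quarantine", "binary content (NUL bytes)")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return ("quarantine", "not valid UTF-8 text")
    return ("restore", "plain text")


def triage(files: dict) -> dict:
    """Sort a name->bytes mapping into restore/quarantine lists plus reasons."""
    result = {"restore": [], "quarantine": [], "reasons": {}}
    for name, data in sorted(files.items()):
        verdict, reason = classify(data)
        result[verdict].append(name)
        result["reasons"][name] = reason
    return result


# Constructed stand-in for the contents of an old backup.
CONSTRUCTED_BACKUP = {
    "notes.txt": b"meeting notes\nrotate all credentials after the rebuild\n",
    "data.csv": b"id,host\n1,web01\n2,db01\n",
    "report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "backup.sh": b"#!/bin/sh\ntar czf /tmp/etc.tgz /etc\n",
    "invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
}


def triage_demo() -> dict:
    return triage(CONSTRUCTED_BACKUP)


if __name__ == "__main__":
    for name, reason in triage_demo()["reasons"].items():
        print(f"{name:12s} {reason}")
```

Quarantined documents are exactly the ones to feed through a text extractor such as catdoc on the live-CD system, keeping only the extracted text; the originals stay off the rebuilt machine.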

If unauthorized access to your data is in itself a problem, regardless of whether you have everything in place for recovery, you will need to take additional measures to mitigate the damage that access may cause. For instance, if you're recovering a database server that manages credit card numbers, the owners of those credit cards will need their privacy and financial security protected as much as possible.

Plan ahead, think things through, and trust nothing without a very good reason. That's basically all there is to it, in principle. In practice, it can be one of the most frustrating, stressful, and difficult experiences of your career -- but if you plan ahead and manage the crisis well, it doesn't have to be the end of the world.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

13 comments
gtamplin1

As with other such documents, I think it would be EXTREMELY useful if the document were available as a simply downloadable word processor, or plain text file. What I do with virtually all of these such articles is I copy, paste into a Word document, and THEN read them. Easier to read, and fewer distractions.

percommode

Good article, sound advice. Some years back I received a bland warning from some AV software that a known rootkit had been installed on my XP box and that I'd be well advised to 'restore from trusted backups'. I tried to - only to find out that my backup media had become corrupted and would not restore. Fortunately rootkits do not survive the nuclear option: low level format & reinstallation are the only trustworthy solutions. Painful, stressful lessons learned: do not trust the integrity of your backup media; keep good, recent backups and test them regularly; use a second, old computer as a functioning work horse for the down-time; keep good, recent backups and test them regularly. You cannot imagine the time, frustration and stress involved.

dsimp

A few months ago my main XP Pro SP1 box started experiencing a few problems. I had not reinstalled the OS for over a year, so I thought I would do a non destructive re-install. Guess what - it failed and I was informed: Stop 0x0000007B. After much research Microsoft info advised me there was a memory problem or I had a rootkit infection. Well, I've tested the memory and the two modules seem ok. I've used many different programs to try and detect the 'rootkit', all with no success. So my OS is still running ok minus: IE, MS Media Player, Restore points etc. I get by instead using Nero, Google, Ghost & various others instead, but does anyone else in our community really think (as Microsoft suggests) this trouble is due to a rootkit? BTW, the PC is always firewalled/antivir/antispy etc.

Dumphrey

formatting...do you mean actual geometry rebuild or just zeroing the drive?

apotheon

Thanks for the compliments about the article. I agree with everything you said about backups, and have in fact been considering writing about backup procedures for data security in the near future -- at least a quick checklist-type post. We'll see what I feel like writing if/when I get around to it.

?/\/\?|???\/???

Stop code 0x0000007B is INACCESSIBLE_BOOT_DEVICE. "The Microsoft Windows operating system has lost access to the system partition during startup." "Cause: The INACCESSIBLE_BOOT_DEVICE bug check frequently occurs because of a boot device failure. During I/O system initialization, the boot device driver might have failed to initialize the boot device (typically a hard disk). File system initialization might have failed because it did not recognize the data on the boot device. Also, repartitioning the system partition or installing a new SCSI adapter or disk controller might induce this error. This error can also occur because of incompatible disk hardware. If the error occurred at the initial setup of the system, the system might have been installed on an unsupported disk or SCSI controller. Some controllers are supported only by drivers that are in the Windows Driver Library (WDL). (These drivers require the user to do a custom installation.)" Since the problem started after you "thought I would do a non destructive re-install", it seems likely that the problem is related. Unless you previously had reason to suspect a rootkit, I would not be so quick to point the finger at one. Nor would it seem that the memory would be an issue.

compu-tech

If I were you I would do a low level format that will zero kill the hard drive, killing off all data. If you wish to go a bit further, take the battery out of the motherboard, which will kill EEPROM resident bugs, and then reset BIOS, reinstall Windows with Service Pack 2, get all updates and make sure you have good security software installed. That should kill any rootkit. Be careful when installing anything you have backed up as that could also be infected.

robert_devery

Microsoft will blame anything and everything except their crap OS. Not advocating Linux here but I use it and have had very little problem. I suppose it's all a matter of taste.

dsimp

Yes, Microsoft suggests a number of causes for the above STOP error. However, after sifting through the only ones which may be applicable to my box in question, I was left with suggestions of either a memory problem or a rootkit. C drive was not partitioned and was always firewalled (by hardware & software) & the antivir/spyware was updated daily etc. I am more inclined to believe it is a problem or undocumented vulnerability with XP. And I agree I should just wipe everything and start over; however, the reason I hesitate to do that is because I have installed a number of programs that I'm sure I've lost the CDs or archives for. Yes, I suppose I can do a manual/individual restore from a Ghost image, but by the time I've completed doing that, quad core CPUs will be old hat. Many thanks to all for the comments received. I guess I'll just live with it. Kind regards.

ben@channells

Format /mbr (master boot record) gets around some viruses/rootkits, or try Darik's Boot and Nuke ("DBAN") from http://dban.sourceforge.net/, or add it as an additional disk in a Unix PC (personally I use Solaris), wipe the disk, then install Windows XP.

Dumphrey

like there are several things going on here. First, the registry is corrupt from the Sunbelt/removal Windows clean up utility. I have had similar products cause this effect in the past. Second, the boot device is corrupt. I would do the following... 1) Boot into BIOS, and turn off boot sector protection. Next, boot into the recovery console off the XP CD, do a fixmbr and fixboot. 2) Then I would install SP2; this can sometimes fix registry errors as it reinstalls a serious chunk of the OS with newer data. You can now turn boot sector protection back on in BIOS if you want.

dsimp

Many thanks for your thoughtful reply. Back in the '80s I worked as a Technician for Telecom Australia so I am aware to always treat A/C with the respect it deserves. The problem on this box started when I was beta testing Ver 2 of CounterSpy before it was released. At the time it was pretty bad and so I reported the problems to Sunbelt and uninstalled the program and reinstalled Ver 1.5x which was stable. They advised me to make use of a Windows Install Cleanup utility to completely remove all traces of the beta software I was testing. I did so; however, it appears more damage was done by the use of that utility - no matter how carefully it was done. IE & Media Player became unstable & things progressively became worse. It was then I decided to do a non destructive reinstall. That was also when I discovered I received a STOP error (described above) when I tried using my licensed CD to perform a reinstall. Whatever my motives, it appears I am my own worst enemy :) Nevertheless I appreciate your kind reply. Thanks again & regards - Dave

apotheon

Encountering an error that is identified as commonly related to problems with the boot device after a failed non-destructive reinstall is almost always a direct result of that failed reinstall. Think about it -- with a non-destructive reinstall, you're trying to overwrite the boot data on your boot device. If something goes wrong with that, you'll have a boot device problem. Basically, the attempted reinstall screwed up the boot device somehow. That's how it looks to me. Now . . . why you were having problems in the first place, and why the reinstall didn't work, is another matter entirely. There are a number of possibilities for why both things might have happened, but a possible single explanation for both is a degraded power supply. If you are not using an uninterruptible power supply that provides conditioned power, fluctuations in the electricity you get from the wall socket may well have degraded the integrity of your power supply unit. This, in turn, then provides fluctuating power to the rest of the system, degrading the integrity (the "health", if you will) of the various components of your computer. This sort of thing leads to weird, intermittent problems that are difficult to diagnose, and it may be that some of the problems you were having with the system in the first place were a result of that, and the failure of the reinstall may have occurred because of some problems with the hard drive electronics, RAM, CD drive electronics, or some other part that doesn't spring immediately to mind at the moment. That may not be your problem, but it's a possibility. If you have someone handy who knows his way around a multimeter, you may want to have your power supply checked out. Don't try it yourself unless you know what you're doing, though, so you don't electrocute yourself.