The problem, when using something like Rootkit Revealer and one has a list of possible anomalies, is to know what can be removed and what needs to be left alone because it is needed by installed applications or even by AV products.
I didn't learn anything new. I need to know what to do, the possible symptoms of rootkit presence and how to really remove it. Not just go to F-Secure, etc.
Sorry, for that information you'll need to enroll in Windows rootkits 201. Down the hall, second room on the right.
Luckily, the Windows Rootkits 201 class is mercifully short. It consists of nothing more than this:
0. You should already have backups of all your data.
1. Wipe the system.
2. Reinstall the OS (or restore it from a pre-rootkit image, if you're positive it wasn't compromised at that time).
3. Restore important data from backups, making sure to check it for malicious code as you go.
Once a system has been compromised by a rootkit, you can never trust it again, because there's no reasonable way to be certain you've found out about all the changes that have been made. Sad but true.
edit: Actually, that's just Rootkits 201 (rather than Windows Rootkits 201), and isn't OS-specific, since the same applies to any OS that has been compromised by a rootkit.
I am an IT student right now and always remember the words of one of my favorite instructors when a system we're working on gets hosed.
(sung to the tune of Camptown Ladies)
"FDISK, Format, Re-install... Do dah Do dah"
repeated at least once or twice with a smiling and knowing visage of one who's been there many times.
Sometimes it's the only way to regain system trust.
A well thought out step-by-step guide, and it works.
Recently, being a victim of a "Rootkit", my only option was to use "System Restore", which wasn't the right choice; I then had to use "System Recovery" and start over.
It was an inconvenience, but the only cure.
Question... if my data is backed up to a slave drive, is it safe from rootkits and viruses etc.? Can I re-install my software, then restore my data from my slave drive? My data being copies of MS Word docs and MS Excel etc. Thanks!
To the extent that it is accessible to you while using the computer, it is accessible to someone that has gained administrative access on that same computer. Period. Once someone is putting rootkits on your computer, everything is accessible.
That doesn't necessarily mean that everything is compromised, in terms of data. The danger of keeping something after getting rootkits installed on your system is proportional to how executable it is. In other words, a .exe file you have is most suspect, a data file that can carry macros (based on the file type) that are executed by the application that is used to access the files is somewhat less suspect but can still be dangerous (may redownload/reinstall trojans and rootkits, et cetera), and a plain text file is pretty much entirely trustworthy (as long as you check to make sure it's still just a plain text file).
As much as possible, you should ensure that you have text backups of all your important data. That way, you're covered in case of getting compromised -- you can restore from backups, and you'll be sure that the text-only data is not going to endanger you when it's restored.
As said by apotheon and others, a root-level rootkit may affect everything available on your computer (PC is too restrictive :D).
So, even data on a slave disk may be corrupted. The only things you can trust are hardware write-protected data (i.e. not software/OS-dependent) or backups that could not be accessed by the infected computer.
You may also rely on data if you have comparison (hash) databases that were protected, and if you compare them using a trusted tool (i.e. not running on the infected computer).
Maybe the book "Rootkits: Subverting the Windows Kernel", from which I learned a lot, would be an interesting introduction!
You bring up a good point -- integrity verification via snapshots and/or hashes can ensure your data (and even software) is still good. That assumes, of course, that your integrity verifying software and snapshots/hashes are safe from modification (similarly to backups inaccessible from compromised systems).
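One way to do the hash-database check described in the two posts above, written here as an added example and not code from the thread: a SHA-256 manifest is taken while the backup is still trusted, and later, from a clean machine, the backup is compared against it and a supposed text file is checked to still be plain text. The file names and the tamper scenario in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's relative path to its SHA-256; the result is the 'hash database'."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, trusted_manifest):
    """Report files that changed, disappeared or appeared since the manifest was taken."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k, v in trusted_manifest.items() if k in current and current[k] != v),
        "missing": sorted(k for k in trusted_manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in trusted_manifest),
    }

def is_plain_text(path):
    """True only if the file has no NUL bytes and decodes as UTF-8: 'still just a text file'."""
    data = Path(path).read_bytes()
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True

def demo():
    """Constructed scenario: hash the backup while trusted, tamper with it, then re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "notes.txt").write_text("quarterly figures\n")
        (backup / "budget.csv").write_text("item,cost\nlaptop,900\n")
        manifest = build_manifest(backup)  # in practice stored on write-once or offline media
        (backup / "budget.csv").write_text("item,cost\nlaptop,900\nextra,1\n")  # simulated tampering
        (backup / "budget.csv.exe").write_bytes(b"MZ\x00\x00")  # simulated dropped executable
        (backup / "notes.txt").unlink()  # simulated deletion
        report = verify_backup(backup, manifest)
        report["exe_is_text"] = is_plain_text(backup / "budget.csv.exe")
        return report
```

Both the manifest and this script must come from media the compromised machine never had write access to, otherwise the comparison proves nothing.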
I'm not sure what you're using the slave drive for (just back-ups)? Safer would be periodic back-ups to an external drive (FireWire or USB2). Also, don't just save the last back-up, as it may also be compromised. Depending upon the size of the data, a DVD burner is a good option for data back-ups. You should be able to find an external enclosure for the slave drive for $50.
So, if I back-up my important data to a DVD with the (suspected) infected PC, the data on the DVD won't be affected?
Does it have to be an external drive? I mean, if the infected PC is sending the data to a DVD drive, it shouldn't matter if the data travels through the IDE cables or Firewire/USB, should it?
I don't know, I'm asking.
Data on write-once media cannot be changed once it's recorded there. That means that a computer that has been compromised cannot (yet) affect the data already on that write-once media. That doesn't mean that saving data to optical media magically cleans up the data, though.
Good article.
What do you think about Gmer, this excellent free software?
Here are some tricks that I learned for removing viruses.
http://www.techsack.com/2007/08/13/remove-those-viruses-that-your-anti-virus-program-couldnt/