Rootkits 201

Once you have security measures in place to protect you against unauthorized access to your computers and data, as well as the means to detect rootkits in case security is compromised despite your best efforts, you should have a plan ready for recovering in case the worst happens. Rootkit detection is a little different from one operating system platform to the next; whether you're using Microsoft Windows XP or FreeBSD makes a difference for what tools you'll use to detect rootkits.

The procedures for recovering from a rootkit infection, however, are effectively the same no matter what platform you're using.

Describing what you need to do for recovery from a rootkit infection is relatively simple. Actually doing it can be a bit more complex, however, and a lot more stressful. Keep your head about you, be methodical, and don't leave any loose ends -- you don't want to leave yourself vulnerable to easy reinfection.

There are actually six steps to recovery, but the list starts with an Item 0 and counts up to five, because part of proper recovery requires that you are prepared for a potential rootkit infection long before such an infection actually occurs.

The important thing to remember is that once you've had a rootkit installed on your system, you can never trust anything executable on it again without having some way to independently verify it from outside that system. Anything that cannot be trusted must be thrown away and replaced. The following steps to recovering from a rootkit infection are all based on the assumption that the compromised system can no longer be trusted.

0. Be prepared. Keep good backups, regularly, and make sure any critical non-plain-text data that you can't afford to just throw away is backed up in a manner that doesn't require the system you want to protect to have direct access to the backups. Make backups as plain text as much as you can, for reasons that will become clear in the rest of this list. 1. Disconnect the network. Once the system is compromised, it can be used to compromise other systems. You also want to make sure the malicious security cracker who has compromised the system isn't alerted to the fact that there's something wrong while he or she still has access to the system. In fact, disconnect the power entirely if there isn't a specific reason to keep it turned on, and pull the drive to be analyzed from another system if you must. 2. Document everything. Analyze the intrusion. In addition to simply recovering the system and the data on it, you must also try to find out how you got compromised in the first place, what problems there may be with your recovery procedures, and how best to avoid this situation and minimize the damage in case you don't avoid it in the future. 3. Reinstall your OS. Remember: When you've had a rootkit installed on your system, you can't trust it any longer. Everything has to go. It may be that thanks to a good integrity auditing tool such as Tripwire you can be reasonably sure that some components of your system are still good, but ultimately you're better off reinstalling the system from scratch or restoring from a known good image. 4. Restore your data, but do it carefully. Even if you have backups from before a time when you detected the rootkit, it's possible that the compromise just wasn't detected right away. As much as possible, restore data from plain text, and throw away any non-plain-text data that isn't of critical importance so you don't run as much risk of getting reinfected by your data files. 5. Monitor your system closely. The period immediately after restoring your system is a touchy one, where you must take great care to look for signs that you have actually eliminated all signs of compromise and are not the target of an ongoing attack that may quickly crack security again. Watch other systems that may also have been compromised, especially those that may have been compromised from the system you've just restored and those that may have been used as a jumping-off point to get to the system you've just restored.

If you find yourself in the unenviable position of needing to recover without having made all the necessary preparations, things get a bit messier. Depending on what you have and have not done to prepare, what you'll need to do differently will change. For instance, if you do not have backups of critical data, you will need to be able to access your data safely and convert it to a safe format -- unexecutable plain text.

The best way to do it would probably be to just pull the drive, access it on another system booted from a LiveCD OS that will not automatically execute or open anything on that drive, then use safe tools to extract text from other document types. For instance, tools like catdoc can be used on UNIX and Linux systems to dump the text contents of a Microsoft Word .doc format file.

If simple access to your system is in itself a problem regardless of whether you have everything in place for recovery, additional measures will need to be taken to mitigate the damage that may cause. For instance, if you're recovering a database server that manages credit card numbers, the owners of those credit cards will need their privacy and financial security protected as much as possible.

Plan ahead, think things through, and trust nothing without a very good reason. That's basically all there is to it, in principle. In practice, it can be one of the most frustrating, stressful, and difficult experiences of your career -- but if you plan ahead and manage the crisis well, it doesn't have to be the end of the world.