Hey, Friends,

I have a couple of questions & comments that I hope may ultimately lead to a useful thread. Bear with me as my knowledge of rootkits is a bit limited & I apologize if this is a bit naive, but at minimum it might be a nice resource for future well-intentioned Wilder's noobs such as myself...

My understanding is that broadly speaking, these beasts fall into two categories. The first hide the physical evidence of themselves by modifying/replacing core os components, redirecting api calls, etc. The second, and I may be wrong here, are virtual constructs, i.e. the malware is created dynamically on the fly, by whatever means, hiding in ADS, etc., and, I would assume only survive in memory. If they were able to survive a reboot, then I'm thinking that the mechanism involved would put them at least partially into the first category. My point in a minute... :)
I would ask some of the developers & pros here to critique the following:

Assuming that there _is_ a physical component to the malware(1st case)-
Let's mount the suspect hard drive in another physical system. Boot that system from a known clean PE cd or equivalent with current tools such as TDS, Kaspersky, etc. Even better if said PE has OS at same revision level as suspect drive OS. You see where I'm going. Do a binary compare on all the OS components. Scan the hell out of everything. Load the suspect hive, export & whack anything that moves at startup.
Now I do understand that this approach is somewhat signature-dependant. But I also think it depends to a high degree on the heuristic strength ( sorry, had to use the h-word...) of the tools involved (why I pine for TDS :'( , & believe it is still viable- folks _will_ continue to get infected with "old" bugs)
I've used this approach to clean up some fairly ugly stuff. However, my yardstick for success could be flawed.

My point: There seems to be a strong opinion that reformatting & reinstallation is the only way to effectively clean a rootkit infection. I'm looking for the experiences of the been-there, done-that's on both sides. Thanx for reading.
P.S. I do have a life. I know that reformating is faster & less trouble, but there are those cases ;)

--==Forestcat==--

Hi FC,

The only Guaranteed worry free way to be rid of RK's after infection, once you (know) you have one, is to Buy/Build a new PC.

Why, because it is (claimed) that some can still lurk on the motherboard itself, in the BIOS for example. Also on boards connected to it such as, Video card etc. In fact any Area/Item capable of storing data. I've even heard in monitors too. I'm not sure about that, but hey ?

That's apart from replacing the HD of course, which you could fdisk and reformat etc instead, and may be cleaned in the process. But putting in a brand new one eliminates any doubt of traces etc.

Inspecting a HD etc from a seperate source, and/or as you suggest, with the various numerous tools available, is often mentioned as a suitable method for attempting to Discover/Remove RK's.

This may/can work depending on the skill of the person doing it, and/or the actual Tools/Method used. If something/s are found and removed, it must still leave lingering doubts.


StevieO

StevieO,

-{ Quote: "The only Guaranteed worry free way to be rid of RK's after infection,
once you (know) you have one, is to Buy/Build a new PC." }-

Yup, the operative word there being "Guaranteed". Like cancer, kill yourself, and its guaranteed it won't come back... Now in the real world...

I remember a buzz about bios, etc. h/w infections, about 10-12 years ago, when EEPROMS first started showing up on mobos. Anecdotally, I'd be very curious about anyone who has recently had any recent experiences with NVR infections. Yes, it does worry the sh!t out of me, for a multitude of reasons, more of them privacy than security based. I don't put it past the current crop of OS's to do something like that. Like writing gui's to servo tracks (is that possible? ::) , etc. That's for another thread though...

IMO, the relative risk of my approach is tied to whether any of these rootkits & their offspring have long fuse, to speak. i.e, I can put an external packet sniffer upstream of the ressurected box & see what its up to to some degree. But if the thing is programmed to reactivate on the Martian New Year, and send a keylog home to Uranus or wherever, that's where I can only hope that prohylaxis like ProcessGuard, et. al, can neuter it.

Again, in theory, I agree w/ you 100%. I'm pretty much aware of the hypothetical pitfalls of my approach, that's why I'm looking for some real world experiences of others. You know the old adage (sp? about car security systems, If they want it bad enough, they'll get it. I think it applies to IT security nicely. Otherwise "hardened" systems, (and I mean hardened by people who are kept in basements and subsist on coffee, pizza, Newport Menthols, and code 80xxx assembler for relaxation...) would never be hacked. Its a moving target, and we do the best we can. I'm here now because of a recent client's system that was so badly compromised by relatively low-risk web surfing, that it has forced me to reconsider everything I've ever held sacred about pc security. I'm back in school, as they say... And I do understand that prevention is something altogether different than this thread topic, I only mention this for... ::) hmmm., why did I mention it? Sorry, I digress...

--==ForestCat®==--

Well here's from the rootkit site, three entries in a row cut and pasted:

-{ Quote: " MTDWin
A driver that will identify writable memory chips / FlashRAM / EEPROM on the motherboard.
description
message board

NTFSHider
A driver that stores data in 'bad blocks' or unallocated clusters on an IDE drive/NTFS partition.
description
message board

VideoCardKit
A driver that can store executable code in a FLASH or EEPROM and submit this code to be executed from the video processor in order to patch kernel memory. " }-

Thing is that if you've got the infected harddrive out and on another machine, you should be able to detect what it is. If you can detect what it is, you can look it up and find out what all it does. If you got one of the above, you could just take measures to clear the bios of the infected components. If you've got bad sectors on the harddrive, it's a probably good idea to replace it anyway. I usually do this research anyway, when cleaning up an infected machine, because I want to make sure that I'm not backing up any trojan files and putting them back on the machine when it's formatted. However when it comes to a machine that's been infected with anything particularly bad, such as a RAT, keylogger, or rootkit (haven't seen a rootkit yet, but it's been a little while), I would be formatting anyway.. I wouldn't want to take the chance that I may have left something behind. We all know that scanners can miss stuff, if they've already got several hundred infected/trojan files on there then the chances are greater that 1 was missed, and those have a tendancy to be the worst.

The upside is that a lot of motherboard BIOSes have gotten a lot easier to flash, and many have gone back to putting in the feature of a "virus warning" when something writes to the boot sector. My new motherboard has a utility that will download the latest firmware for you, clear the BIOS, and flash it with the new one.. very quick and painless.. amazing what they can do with a driver these days, huh? :)