What do you do for all those captured by the rootkit revealer?
I ran the one that comes on the Helix CD on my WinXP, and hundreds of entries came up from running it.
What do you do for all those captured by the rootkit revealer?
I ran the one that comes on the Helix CD on my WinXP, and hundreds of entries came up from running it.
You have hundreds of rootkits running??? Take that drive and run it through the crusher.
Or maybe just run some other rootkit tests.
Are you sure they aren't false positives?
I ran the one that comes on the Helix CD on my WinXP, and hundreds of entries came up from running it.
Rootkit Revealer doesn't show the actual rootkit(s) that is/are running - what it shows are all the files that are hidden from the normal OS.
Rootkits hide their files by modifying the OS. Once installed, they may be running a torrent or FTP site on your system - invisible to you.
In my security classes I demo this with the Sony RootKit - we scan the clean system with Rootkit Revealer to establish a baseline, toss in an infected Sony Music CD (purchased off of eBay), and run the scan again - there is now a bunch of hidden files.
Rootkit Revealer looks at the disk from the OS, and then at a lower level, bypassing the OS. On a normal system, NOT infected by a rootkit, you should see almost nothing (sometimes there are a few files… 5 or 6 that the OS hides from you). But if you are infected - boom! - you will see dozens/hundreds/thousands of hidden files (your mileage may vary).
Now is where the fun begins - you've basically got three choices.
1. Try and figure out what rootkit you have and see if there is a way to remove it - usually pretty tough.
2. nuke that hard drive from orbit. Get a really good eraser program and wipe it clean - make sure it kills all partitions, and the boot sectors - everything. Don't save any files from it, since you don't know the infection vector.
3. Get a new hard drive - some people will NEVER trust a drive (or even a system) once it has been rooted, even if it has been wiped.
When we come across a rooted system we always nuke it…
But hey, I could be wrong,
bj
"I say we blast off and nuke it from orbit." from Aliens
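The cross-view technique bj describes (scan through the OS, scan again at a lower level, report what the OS did not show, and subtract a clean baseline) can be demonstrated with a small standalone script. This is an added example, not Rootkit Revealer's code or output: the two listings, the baseline and the `$hidden$` directory name are all constructed for the demo, and the script compares path lists rather than reading a volume.

```python
"""Cross-view diff demo: what the OS API reports versus what a lower-level
reader sees, minus the discrepancies a known-clean machine already shows.
All listings below are constructed sample data, not real scan output."""
from collections import Counter
from pathlib import PureWindowsPath

# View 1: what the normal OS file API reported (constructed).
HIGH_LEVEL_VIEW = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\disk.sys
C:\Documents and Settings\user\My Documents\report.doc
C:\pagefile.sys
"""

# View 2: what a lower-level read of the same volume found (constructed).
# The $hidden$ directory name is a placeholder for the demo only.
LOW_LEVEL_VIEW = r"""
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\disk.sys
C:\Documents and Settings\user\My Documents\report.doc
C:\pagefile.sys
C:\System Volume Information\tracking.log
C:\WINDOWS\system32\$hidden$\svc.sys
C:\WINDOWS\system32\$hidden$\cfg.dat
C:\WINDOWS\system32\$hidden$\log.txt
"""

# Discrepancies recorded earlier on the same machine while it was known
# clean (constructed): the handful of entries the OS hides by design.
CLEAN_BASELINE = r"""
C:\System Volume Information\tracking.log
"""


def parse_listing(text: str) -> set[str]:
    """One path per line -> set of normalised paths.
    NTFS paths are case-insensitive, so compare them case-folded."""
    return {line.strip().casefold() for line in text.splitlines() if line.strip()}


def cross_view_diff(high_level: str, low_level: str) -> set[str]:
    """Paths present in the low-level view that the OS API did not report."""
    return parse_listing(low_level) - parse_listing(high_level)


def subtract_baseline(discrepancies: set[str], baseline: set[str]) -> set[str]:
    """Drop discrepancies that were already present on the clean baseline."""
    return discrepancies - baseline


def cluster_by_directory(paths) -> dict[str, int]:
    """Count flagged paths per parent directory: a cluster of hidden files in
    one directory is a much stronger signal than isolated entries."""
    return dict(Counter(str(PureWindowsPath(p).parent) for p in paths))


def scan(high_level: str, low_level: str, baseline: str) -> dict[str, int]:
    """Full pipeline: diff the two views, remove the baseline, cluster."""
    hidden = cross_view_diff(high_level, low_level)
    flagged = subtract_baseline(hidden, parse_listing(baseline))
    return cluster_by_directory(flagged)


if __name__ == "__main__":
    for directory, count in sorted(scan(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW, CLEAN_BASELINE).items()):
        print(f"{count} hidden file(s) under {directory}")
```

Taking the baseline from the same machine is what makes the second scan readable: the OS-hidden entries that are normal for that box drop out, and what remains is grouped by directory so a dozen files hidden under one path stand out from a single stray entry.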
Well, since none of us can see what the OP is seeing, is it really such a good idea to recommend nuking the boxen?
Heck if I know. I just always wanted a reason to use that line from the movie.
Heck if I know. I just always wanted a reason to use that line from the movie.
Be careful when quoting movies out of context (and without knowing exactly where OP is) wink
Hicks: How long 'till it blows?
Bishop: 4 hours. The blast radius is 200 miles. Force is equivalent to 30 megatons.
lol
jaclaz
Well, since none of us can see what the OP is seeing, is it really such a good idea to recommend nuking the boxen?
I was just trying to present all the options…
Nuking the box wasn't the first recommendation - trying to remove the rootkit was. But these things are nasty. If they have a good set of backups (who knows, it could happen), then nuking the drive won't have too much effect - but if the backups are also rooted… oh well.
I remember stumbling across one infection that loaded 3 fake DLLs… if you killed one, the other 2 would rebuild it… nasty, and it took a lot of work and several attempts to get rid of it.
And rootkits, by default, modify the OS to hide themselves, and dig in tight, like an alien face hugger. You may be able to remove it, but I don't think you want to eat breakfast with the newly disinfected system the next day 😯
bj
"…trying to remove the rootkit was."
Understood, but we're not even sure that there IS a rootkit on the system…simply running the tool and saying "..and there came 100s from running…" doesn't mean that there's a rootkit at all.
"And rootkits, by default, modify the OS to hide themselves, and dig in tight, like an alien face hugger."
True, they can…but for the most part, they don't rewrite kernel files on the disk…so if you can locate them, either through live or post-mortem analysis, you can then disable the persistence mechanism and remove the driver, allowing you to complete any live analysis that you need to.