BleepingComputer.com: Rootkits - Some Questions



Rootkits - Some Questions

#1 User is offline   MaryBet82 

  • Senior Member
  • Group: Members
  • Posts: 350
  • Joined: 12-January 09
  • Gender:Female

Posted 29 December 2009 - 05:58 PM

I'm trying to figure out the best security practices for my circumstances - home computers. I understand from my reading on rootkits the only way to check to see if a rootkit has been successfully installed on a system is to do a USB boot and scan from there - with what scanner or scanners?

Apparently, if a rootkit has been successfully installed the only way to remove it for sure is reformat & reinstall. If one needs to reformat and reinstall, what backups can be reinstalled? Are there user file types that need to be scanned before copying back to the clean system? Could my Word macros or PaperPort self extracting or jpg files be compromised? Do rootkits use ADSs? Can any user settings or customizations be safely backed up?

I'm assuming that the rootkits found on routine scanning w/ antivirus software have either not installed themselves, not installed themselves completely or were unsuccessful in removing all evidence of their existence.

So what should one do if a routine scan detects and "fixes" a rootkit?

How do rootkits get on a computer? It just amazes me that these programs can bypass all the "security" on WinXP Prof computers, escalate their privileges somehow and take over. I've read that they can be installed by someone [or a CD] w/ direct access to the computer. Apparently a rootkit can also be downloaded from the internet - does an illicit connection [like w/ netcat] have to be made? Can one be downloaded from a reliable website?

What is the real likelihood that a rootkit will be installed on a home computer and used to provide that person's personal data - bank account, credit card & social security numbers, address, passwords, etc.? Is this a "can happen" per security labs or is this happening to people with home computers?

Any information will be greatly appreciated. This stuff is too hard. :thumbsup:
mac 10.6 on macbook pro
WinXP sp2 on Dell 380 w/ 512 MB RAM- currently dead in the water
WinXP tab ed sp 3 on Thinkpad X41 w/ 1.5 GB RAM - lemony flavored
Win2K Sp4 on Sony VAIO GXR600 w/ 512 MB RAM - currently blue screening

#2 User is offline   xblindx 

  • Forum Addict
  • Group: Banned
  • Posts: 1,923
  • Joined: 21-September 08
  • Gender:Male

Posted 29 December 2009 - 08:04 PM

Quote

Apparently, if a rootkit has been successfully installed the only way to remove it for sure is reformat & reinstall. If one needs to reformat and reinstall, what backups can be reinstalled? Are there user file types that need to be scanned before copying back to the clean system? Could my Word macros or PaperPort self extracting or jpg files be compromised? Do rootkits use ADSs? Can any user settings or customizations be safely backed up?


Quote

Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or .html files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files, so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.
~ quietman7 from http://www.bleepingcomputer.com/forums/ind...t&p=1147299

Quote

I'm assuming that the rootkits found on routine scanning w/ antivirus software have either not installed themselves, not installed themselves completely or were unsuccessful in removing all evidence of their existence.

So what should one do if a routine scan detects and "fixes" a rootkit?

If any routine scan finds rootkit activity, I would highly recommend a reformat/reinstall. The scans may have knocked out some components of the rootkit, but it may as well still be active.

Quote

How do rootkits get on a computer? It just amazes me that these programs can bypass all the "security" on WinXP Prof computers, escalate their privileges somehow and take over. I've read that they can be installed by someone [or a CD] w/ direct access to the computer. Apparently a rootkit can also be downloaded from the internet - does an illicit connection [like w/ netcat] have to be made? Can one be downloaded from a reliable website?

They can be picked up just like any other piece of malware. A drive-by download, downloading illegal content, visiting untrustworthy sites, etc. Reliable websites are usually secure, but it is still possible for the site to host malware if it is any kind of site used to host content for download.

Quote

What is the real likelihood that a rootkit will be installed on a home computer and used to provide that person's personal data - bank account, credit card & social security numbers, address, passwords, etc.? Is this a "can happen" per security labs or is this happening to people with home computers?

You may never know if the rootkit is actually collecting data that you mention, but you should always treat the infection as if it is sending every keystroke you make to a 3rd party. It can happen to anyone, as a matter of fact, I was infected with a rootkit by the name of "Poison Ivy" about a year ago, and that's when I joined this site.
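Added example, not code from the thread or from either poster: a small Python triage that applies the quoted backup rules to a restore list, skipping the excluded file types and flagging the double-extension disguise the quote warns about before anything is copied back to a rebuilt system. The extension sets and the sample paths are constructed for this example.

```python
from pathlib import PureWindowsPath

# File types the quoted advice says not to carry over to a rebuilt system.
DO_NOT_RESTORE = {".exe", ".scr", ".ini", ".html", ".htm"}
# Extensions Windows executes or scripts when the file is opened (assumed list).
EXECUTABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}
# Data file types a home user would normally expect to restore (assumed list).
DATA = {".doc", ".docx", ".xls", ".pdf", ".jpg", ".jpeg", ".png", ".txt", ".max"}


def split_suffixes(name: str) -> list[str]:
    """Return every dotted suffix of a file name, lower-cased and trimmed.

    Padding spaces are stripped because they are sometimes used to push the
    real extension out of view in a listing ("report.pdf        .scr").
    """
    parts = name.split(".")
    return ["." + p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []


def triage(path: str) -> tuple[str, str]:
    """Classify one backup entry as 'suspicious', 'do-not-restore' or 'scan'.

    'scan' means the file may be restored only after the anti-virus has
    checked it, which is the post's recommendation for everything else.
    """
    suffixes = split_suffixes(PureWindowsPath(path).name)
    if not suffixes:
        return "scan", "no extension; scan before restoring"
    last = suffixes[-1]
    # A data-file extension followed by an executable one is the disguise the
    # quote describes: the visible ".jpg" hides the real ".exe".
    if last in EXECUTABLE and any(s in DATA for s in suffixes[:-1]):
        return "suspicious", "double extension " + "".join(suffixes)
    if last in DO_NOT_RESTORE:
        return "do-not-restore", last + " files are excluded from the restore"
    return "scan", "restore only after an anti-virus scan"


def triage_backup(paths: list[str]) -> dict[str, list[str]]:
    """Group a restore list by verdict so each bucket can be handled in turn."""
    buckets: dict[str, list[str]] = {"suspicious": [], "do-not-restore": [], "scan": []}
    for p in paths:
        buckets[triage(p)[0]].append(p)
    return buckets


# Constructed sample restore list; these are not real files.
SAMPLE = [
    r"D:\backup\Documents\thesis.docx",
    r"D:\backup\Pictures\holiday.jpg",
    r"D:\backup\Pictures\holiday.jpg.exe",
    r"D:\backup\Documents\report.pdf        .scr",
    r"D:\backup\Tools\setup.exe",
    r"D:\backup\Bookmarks\index.html",
    r"D:\backup\Scans\invoice.max",
]

if __name__ == "__main__":
    for p in SAMPLE:
        verdict, reason = triage(p)
        print(f"{verdict:15} {reason:45} {p}")
```

Run it against a directory listing of the backup before copying; the "suspicious" bucket is the one to examine by hand rather than trust to an extension check.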

#3 User is offline   quietman7 

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender:Male
  • Location:Virginia, USA

Posted 30 December 2009 - 09:26 AM


#4 User is offline   MaryBet82 

  • Senior Member
  • Group: Members
  • Posts: 350
  • Joined: 12-January 09
  • Gender:Female

Posted 01 January 2010 - 06:37 PM

Thanks for the info. I haven't read all of those links, but, adding what I've read so far to what I'd already read, I've come to the conclusion that it isn't possible to safely connect a WinXP computer to the internet unless you're very knowledgeable and/or you've got a lot of time to spend working on your computer rather than using it to get work done.

I use automatic updates & Belarc says my security patches are up to date. I have hardware and software firewalls, antivirus and antimalware realtime protection and I update & scan regularly; I have telnet, messenger, etc. services disabled, don't do messaging or p2p, check out software download sites before downloading, use Firefox, plug-ins are up to date, and I read my email using webmail rather than Outlook. My one known security flaw is I'm always in the administrator account because I'm always troubleshooting [insert Windows rant] and even w/ "run as" I was always having to log out of my limited account and log in to my administrator acct. and log back out and log back in, and that got old fast. But since rootkits can "escalate their privileges" I'm not sure if it matters. The ACLs don't seem to matter much.

Reformatting and reinstalling is a BIG DEAL to me. I also have to redo my backups to exclude html files, and if I am infected I'm thinking I might need to use a USB boot to back up personal data. Could some rootkits put themselves into a backup process?

But first I have to make a boot CD w/ a rootkit scanner and see if my computer is actually compromised and go over to the Am I Infected forum for some help in how to.

I can't afford one, but Macs don't have rootkit problems, do they?
