
Getting Rid of Rootkits and Backdoor Trojans


8 replies to this topic

#1 Stang777
  • Members, 1,821 posts

Posted 14 July 2009 - 09:19 PM

Hi Everyone,

I cannot figure out for sure where to ask this question, but this section seemed like the best place. I apologize if it is not, and ask for it to please be moved to where it is appropriate. I hope it is OK that I am asking this.

I have noticed that there seem to be differences in how rootkits and backdoor trojans are dealt with, and I am just trying to understand why. I am not talking about different programs for getting rid of them, as I understand why different ones are used. However, I am confused as to why in some cases it is stated that once those types of infections are on a system, the system cannot be deemed truly clean and trustworthy without reformatting the drive (even after the rootkits and backdoor trojans seem to be gone), and in other cases they are deemed good to go without reformatting.

Would anyone be willing to take the time to clear this up for me?

Thank you very much for any assistance you can give me in understanding this.

#2 Blade
  • Site Admin, 12,704 posts

Posted 14 July 2009 - 10:14 PM

Hi Stang,

The point you're bringing up is a very good one, and one that I've given some thought to myself in recent days.

As I understand it, the truth of the matter is, once any malware with backdoor functionality has been present (and active) on a system, we cannot know for sure that the system can be 100% trusted. The reason for this is that a backdoor grants complete access to the system to an outside source (usually a malicious user). With this level of access the system can be altered in some way to further compromise its security and ensure that an entry point remains even if the original backdoor is found and removed. Realistically, we cannot be certain that every alteration to a compromised system can be detected and repaired successfully.

> I am confused as to why in some cases it is stated that once those types of infections are on a system the system cannot be deemed truly clean and trustworthy without reformatting the drive (even after the rootkits and backdoor trojans seem to be gone) and in other cases they are deemed good to go without reformatting.


I think the major factor here is simply who is helping the victim. Some (myself included) give a backdoor warning whenever malware with backdoor functionality is determined to be present. Others only give the warning when the system is heavily infected and a backdoor has been detected. My personal belief is that the victim should be made completely aware of their possible situation, so that they can make an informed decision on how to proceed. My posting a backdoor warning is not necessarily a recommendation to reformat, but a "heads up" to the victim.


You may have already done this, but the backdoor warning used by several helpers includes some links you might like to read. They are provided below.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Any staff please feel free to correct any inaccuracies in my information.

~Blade

Edited by Blade Zephon, 14 July 2009 - 10:17 PM.



#3 D_N_M
  • Members, 200 posts

Posted 14 July 2009 - 11:39 PM

Thank you for the post, Stang777, and thank you for the reply, Blade Zephon, as this post has cleared up one of my many questions in dealing with different logs.

D_N_M

#4 Stang777
  • Topic Starter, Members, 1,821 posts

Posted 15 July 2009 - 01:18 AM

Blade, thank you so very much for your reply. I really appreciate you taking the time to explain things to me. Thanks again. :thumbsup:

D_N_M, you are very welcome :flowers:

#5 Blade
  • Site Admin, 12,704 posts

Posted 15 July 2009 - 04:35 AM

It's my pleasure. :thumbsup:



#6 extremeboy
  • Malware Response Team, 12,975 posts

Posted 17 July 2009 - 09:56 PM

Very well said Blade Zephon. :thumbsup:

Just adding a bit on. Getting late here, so I'll make it short and not go into too many other things.

> I think the major factor here is simply who is helping the victim. Some (myself included) give a backdoor warning whenever malware with backdoor functionality is determined to be present. Others only give the warning when the system is heavily infected and a backdoor has been detected. My personal belief is that the victim should be made completely aware of their possible situation, so that they can make an informed decision on how to proceed. My posting a backdoor warning is not necessarily a recommendation to reformat, but a "heads up" to the victim.

It doesn't matter if it's a rootkit (rootkits have backdoor functionality and capability) or any other infection that has a backdoor involved; we should warn the member ASAP. The member doesn't necessarily have to format, but they should be warned about the nature of this infection and should act accordingly. This includes changing passwords etc., as in the speech we provide for them. Simply put: for any infection that has backdoor or password-stealing capability, we as helpers should warn the user about the current infection they have or are dealing with.

If my system were infected with some sort of backdoor-related or trojan information-stealing infection, I would definitely format the computer. When I post the backdoor warning, I recommend members format their machine to make sure they are 100% clean. If they do not wish to do so, I will be happy to continue helping them; however, this helps them know the infection they have, so they are not all frightened when they realize what infection they have. Some members will prefer to actually do a format to make sure they are clean and stable.

With Regards,
Extremeboy

#7 Stang777
  • Topic Starter, Members, 1,821 posts

Posted 17 July 2009 - 10:06 PM

Thank you Extremeboy,

I appreciate you taking the time to reply.

I agree that the person with it should always be warned. Like you, if I had that type of infection, I would definitely format the computer.

I always warn them not to do any online banking and such, and to contact their bank if they have, but I forgot the part about changing passwords, thanks for reminding me.

Unless the name of the infection has the word rootkit, tdss, or backdoor in it, I am not sure if the infection has backdoor functionality. I will often google the infection to find out, wish I knew an easier way.

Do all infections that have that functionality say backdoor, rootkit, or tdss?

#8 extremeboy
  • Malware Response Team, 12,975 posts

Posted 18 July 2009 - 10:22 AM

> Do all infections that have that functionality say backdoor, rootkit, or tdss?

Some worm infections also have backdoor capabilities. It doesn't necessarily have to be a backdoor specifically or a rootkit to have this capability.

> I will often google the infection to find out, wish I knew an easier way.

As you get used to some of the infections, you automatically know they have backdoor capabilities. There are several different infections out there in the wild, and it's almost impossible to know every one; that is when Google helps out. Usually anti-virus companies, vendors and other sites will have some sort of write-up on the infection. Reading it will let you know how the infection works and if there is any backdoor capability. Google is probably the easiest and fastest way to do it. :thumbsup:

> Do all infections that have that functionality say backdoor, rootkit, or tdss?

"Backdoor infection" is a broad term to use, similar to "malware". TDSSserv is a rootkit variant; therefore the TDSSserv variants will fall under the rootkit category. Rootkits also have backdoor functionality, so they can fall under the backdoor category as well. Other specific infections can also fall under the backdoor category if they have any backdoor capability. In general, for any backdoor infection (these can be Trojans, worms, etc.), we should warn the user.

Hope that answers your question. If it doesn't please let me know and I will clarify on any points that may not have been worded very well.

With Regards,
Extremeboy

#9 Stang777
  • Topic Starter, Members, 1,821 posts

Posted 20 July 2009 - 06:46 PM

Thank you Extremeboy, that info helps a lot :thumbsup:


