
Rootkits - Some Questions


  • Please log in to reply
3 replies to this topic

#1 MaryBet82

Posted 29 December 2009 - 05:58 PM

I'm trying to figure out the best security practices for my circumstances - home computers. I understand from my reading on rootkits the only way to check to see if a rootkit has been successfully installed on a system is to do a USB boot and scan from there - with what scanner or scanners?

Apparently, if a rootkit has been successfully installed the only way to remove it for sure is reformat & reinstall. If one needs to reformat and reinstall, what backups can be reinstalled? Are there user file types that need to be scanned before copying back to the clean system? Could my Word macros or PaperPort self extracting or jpg files be compromised? Do rootkits use ADSs? Can any user settings or customizations be safely backed up?

I'm assuming that the rootkits found on routine scanning w/ antivirus software have either not installed themselves, not installed themselves completely or were unsuccessful in removing all evidence of their existence.

So what should one do if a routine scan detects and "fixes" a rootkit?

How do rootkits get on a computer? It just amazes me that these programs can bypass all the "security" on WinXP Prof computers, escalate their privileges somehow and take over. I've read that they can be installed by someone [or a CD] w/ direct access to the computer. Apparently a rootkit can also be downloaded from the internet - does an illicit connection [like w/ netcat] have to be made? Can one be downloaded from a reliable website?

What is the real likelihood that a rootkit will be installed on a home computer and used to provide that person's personal data - bank account, credit card & social security numbers, address, passwords, etc.? Is this a "can happen" per security labs or is this happening to people with home computers?

Any information will be greatly appreciated. This stuff is too hard. :thumbsup:

mac 10.6 on macbook pro
WinXP sp2 on Dell 380 w/ 512 MB RAM - currently dead in the water
WinXP tab ed sp 3 on Thinkpad X41 w/ 1.5 GB RAM - lemony flavored
Win2K Sp4 on Sony VAIO GXR600 w/ 512 MB RAM - currently blue screening


#2 xblindx

Posted 29 December 2009 - 08:04 PM

> Apparently, if a rootkit has been successfully installed the only way to remove it for sure is reformat & reinstall. If one needs to reformat and reinstall, what backups can be reinstalled? Are there user file types that need to be scanned before copying back to the clean system? Could my Word macros or PaperPort self extracting or jpg files be compromised? Do rootkits use ADSs? Can any user settings or customizations be safely backed up?

> Reformatting a hard disk deletes all data. If you decide to reformat, you can back up all your important documents, personal data files and photos. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or .html files because they may be infected by malware appending itself to the executable. Some types of malware may even disguise itself by adding and hiding its extension to the existing extension of files, so be sure you look closely at the full file name. After reformatting, as a precaution, make sure you scan these files with your anti-virus prior to copying them back to your hard drive.

~ quietman7 from http://www.bleepingcomputer.com/forums/ind...t&p=1147299

> I'm assuming that the rootkits found on routine scanning w/ antivirus software have either not installed themselves, not installed themselves completely or were unsuccessful in removing all evidence of their existence.

> So what should one do if a routine scan detects and "fixes" a rootkit?

If any routine scan finds rootkit activity, I would highly recommend a reformat/reinstall. The scans may have knocked out some components of the rootkit, but it may as well still be active.

> How do rootkits get on a computer? It just amazes me that these programs can bypass all the "security" on WinXP Prof computers, escalate their privileges somehow and take over. I've read that they can be installed by someone [or a CD] w/ direct access to the computer. Apparently a rootkit can also be downloaded from the internet - does an illicit connection [like w/ netcat] have to be made? Can one be downloaded from a reliable website?

They can be picked up just like any other piece of malware. A drive-by download, downloading illegal content, visiting untrustworthy sites, etc. Reliable websites are usually secure, but it is still possible for the site to host malware if it is any kind of site used to host content for download.

> What is the real likelihood that a rootkit will be installed on a home computer and used to provide that person's personal data - bank account, credit card & social security numbers, address, passwords, etc.? Is this a "can happen" per security labs or is this happening to people with home computers?

You may never know if the rootkit is actually collecting data that you mention, but you should always treat the infection as if it is sending every keystroke you make to a 3rd party. It can happen to anyone, as a matter of fact, I was infected with a rootkit by the name of "Poison Ivy" about a year ago, and that's when I joined this site.
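A small triage script for the restore-from-backup advice quoted above (an added example, not code from the post or from BleepingComputer): it walks a backup directory and flags the file types the reply says not to restore, double extensions such as photo.jpg.exe, and files whose contents begin with a Windows executable header despite a harmless name. The sample backup directory and its files are constructed for the demo; the script is a pre-restore checklist, not a replacement for scanning with an anti-virus.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Extensions the quoted advice says not to restore from a backup of an infected machine.
NO_RESTORE_EXT = {".exe", ".scr", ".ini", ".html", ".htm", ".com", ".bat", ".cmd", ".pif"}
# Harmless-looking inner extensions that a double extension (photo.jpg.exe) hides behind.
DECOY_EXT = {".jpg", ".jpeg", ".gif", ".png", ".doc", ".pdf", ".txt", ".max"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows executable (PE/DOS header)


def classify(name: str, head: bytes) -> list[str]:
    """Return the reasons a backed-up file deserves a closer look before it is restored."""
    reasons: list[str] = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in NO_RESTORE_EXT:
        reasons.append(f"extension {last} is on the do-not-restore list")
    # e.g. holiday.jpg.exe: inner extension looks like a picture, outer one is not
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT and last not in DECOY_EXT:
        reasons.append(f"double extension {''.join(suffixes[-2:])} hides the real type")
    # content check: a "text" or "image" file that starts with a PE header is an executable
    if head.startswith(PE_MAGIC) and last not in NO_RESTORE_EXT:
        reasons.append("PE header (MZ) in a file not named as an executable")
    return reasons


def scan_backup(root: str) -> dict[str, list[str]]:
    """Map each suspicious file (path relative to root) to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(2)
            if reasons := classify(fname, head):
                findings[os.path.relpath(full, root)] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Build a constructed sample backup in a temp directory and triage it."""
    root = tempfile.mkdtemp(prefix="backup-triage-")
    samples = {  # constructed contents; only the first bytes matter for the check
        "letter.doc": b"\xd0\xcf\x11\xe0 word document", "holiday.jpg": b"\xff\xd8\xff jpeg",
        "holiday2.jpg.exe": b"MZ pretend picture", "setup.exe": b"MZ installer",
        "notes.txt": b"MZ not really text", "autorun.ini": b"[autorun]", "index.html": b"<html>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return scan_backup(root)
```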

#3 quietman7

Posted 30 December 2009 - 09:26 AM

How Malware Spreads - How did I get infected

If you'd like to learn more about rootkits, here are a few links to some recommended reading:

What is a Rootkit?
r00tkit Analysis
Rootkits: almost invisible malware
Windows Rootkit Overview: User Mode Rootkits/Kernel Mode Rootkits
Rootkits, Part 1 of 3: The Growing Threat
Rootkits, Part 2: A Technical Primer
Rootkits and how to combat them

Windows rootkits in 2005, Part 1 of 3
Windows rootkits of 2005, Part 2 of 3
Windows rootkits of 2005, Part 3 of 3

#4 MaryBet82

Posted 01 January 2010 - 06:37 PM

Thanks for the info. I haven't read all of those links, but adding what I've read so far to what I'd already read I've come to the conclusion that it isn't possible to safely connect a WinXP computer to the internet unless you're very knowledgeable and/or you've got a lot of time to spend working on your computer rather than using it to get work done.

I use automatic updates & Belarc says my security patches are up to date. I have hardware and software firewalls, antivirus and antimalware realtime protection and I update & scan regularly; I have telnet, messenger, etc. services disabled, don't do messaging or p2p, check out software download sites before downloading, use Firefox, plug-ins are up to date, and I read my email using webmail rather than Outlook. My one known security flaw is I'm always in the administrator account because I'm always troubleshooting [insert Windows rant] and even w/ "run as" I was always having to log out of my limited account and log in to my administrator acct. and log back out and log back in, and that got old fast. But since rootkits can "escalate their privileges" I'm not sure if it matters. The ACLs don't seem to matter much.

Reformatting and reinstalling is a BIG DEAL to me. I also have to redo my backups to exclude html files, and if I am infected I'm thinking I might need to use a USB boot to back up personal data. Could some rootkits put themselves into a backup process?

But first I have to make a boot CD w/ a rootkit scanner and see if my computer is actually compromised and go over to the Am I Infected forum for some help in how to.

I can't afford one, but Macs don't have rootkit problems, do they?