Topic: EF-ing ROOTKITS (Read 3366 times)

AlchemistiD · « **on:** August 22, 2008, 04:36:22 am »

Recently picked up a rootkit infestation.

Which is kind of like catching a cold. There's no F**************** cure. So after careful analysis and steps to combat the infestation I took the only course left to me, I shot the patient.

Don't you love it when windows refers to something as a "Destructive Rebuild"?

I archived everything to disks in safe mode before putting old yeller down, said disks have been checked with fresh versions of every anti-whatever we own.

I ran zonealarm after, just to put a bullet in the thing's corpse.

Anyone else have trouble with these things?

toasty0 · « **Reply #1 on:** August 22, 2008, 07:10:45 am »

Quote from: AlchemistiD on August 22, 2008, 04:36:22 am

Don't you love it when windows refers to something as a "Destructive Rebuild"?

Dracho · « **Reply #2 on:** August 22, 2008, 04:15:52 pm »

Use a tool utility to back up your registry and critical system files. Unwanted root kit or browser hijack appears, clear it, kill the files and restore clean system files.

Happened to me a couple of weeks ago.. only problem has been with Quicktime for my ITunes app. I installed it after my last backup but I backed up again, and there is some registry hook so deep I can't completely uninstall Quicktime. I keep getting a "A new version of quicktime is installed, installation aborting".

Haven't had time or inclination to go after it again yet, but the rest of the system was fine.

Also, on linux or unix, be sure the pword files are in \etc\shadow so they're encrypted.. and always su to root... and using syskey to encrypt your windows SAM database isn't a bad idea either.

Just plain old Punisher · « **Reply #3 on:** August 22, 2008, 06:28:26 pm »

I run several rootkit scanners every few weeks during safemode to see if anything ever gets installed. It's frustrating, and it leads people to formating their computer and reinstalling every few months.

AlchemistiD · « **Reply #4 on:** August 22, 2008, 10:39:46 pm »

Still reloading everything

Dash Jones · « **Reply #5 on:** August 23, 2008, 05:06:10 am »

Quote from: Punisher BishopOfBacon on August 22, 2008, 06:28:26 pm

I run several rootkit scanners every few weeks during safemode to see if anything ever gets installed. It's frustrating, and it leads people to formating their computer and reinstalling every few months.

And exactly how do you do that with Vista. XP allows a reinstall, but without a ghost, Vista seems to rely on you having something already installed. Do you do a reformat as well?

toasty0 · « **Reply #6 on:** August 23, 2008, 10:24:05 am »

Quote from: Dash Jones on August 23, 2008, 05:06:10 am

Quote from: Punisher BishopOfBacon on August 22, 2008, 06:28:26 pm
I run several rootkit scanners every few weeks during safemode to see if anything ever gets installed. It's frustrating, and it leads people to formating their computer and reinstalling every few months.

And exactly how do you do that with Vista. XP allows a reinstall, but without a ghost, Vista seems to rely on you having something already installed. Do you do a reformat as well?

Are you on a network?

Dash Jones · « **Reply #7 on:** August 23, 2008, 05:55:04 pm »

I suppose, depends on which computer.

toasty0 · « **Reply #8 on:** August 23, 2008, 06:05:43 pm »

Quote from: Dash Jones on August 23, 2008, 05:55:04 pm

I suppose, depends on which computer.

Not sure this will be helpful, but it might: http://technet.microsoft.com/en-us/library/cc721929.aspx

Dash Jones · « **Reply #9 on:** August 23, 2008, 06:40:37 pm »

It doesn't really. That is dependant on not needed to authenticate and not for individual copies from what I see. Hence, useless.

It also depends on only having one computer as master.

It also, is as it seems, basically making a ghost, but in this case a two computer ghosting process. You still need an installation to do it as well, so once infected it's still useless.

If you took precautions prior, and kept it up and somehow kept the stuff from spreading over the network, and had the right version, it is plausible.

but it still would rely on a version that probably didn't need authentication from what it looks like.

Otherwise, it seems you're up a creek with Vista.

toasty0 · « **Reply #10 on:** August 23, 2008, 06:44:26 pm »

Quote from: Dash Jones on August 23, 2008, 06:40:37 pm

It doesn't really. That is dependant on not needed to authenticate and not for individual copies from what I see. Hence, useless.

It also depends on only having one computer as master.

It also, is as it seems, basically making a ghost, but in this case a two computer ghosting process. You still need an installation to do it as well, so once infected it's still useless.

If you took precautions prior, and kept it up and somehow kept the stuff from spreading over the network, and had the right version, it is plausible.

but it still would rely on a version that probably didn't need authentication from what it looks like.

Otherwise, it seems you're up a creek with Vista.

No, it's not "ghosting" or cloning your OS.

Dash Jones · « **Reply #11 on:** August 23, 2008, 06:48:05 pm »

Cloning okay...hadn't heard that before so gotta excuse me on not knowing the actual term.

News: