The only way to recover from rootkits (Windows) is to reinstall???
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
- iMac 3.2Ghz 1TB - MacBook Pro 15" Core i7 2.3Ghz / 256SSD (Work laptop)
- PowerMac G5 - Dual 2.0 Ghz, 3GB, Soundsticks!,
- Lenovo Thinkpad T510 (also a work laptop), Win 7 Enterprise, 8GB, 320GB HDD
Moderator 
Join Date: Apr 2001
Location: Up In The Air
True.
Mostly.
From a security standpoint, even if you cleaned up the files/services/processes that were performing the bad act (trojan/zombie/etc.) you would still not be able to be CERTAIN that all your files were clean and secure.
You would have to take an MD5 hash of every file on a clean install and then compare that to the MD5 checksums on the files of your rooted machines. Time consuming and even then, not wholly certain.
Nuking, paving, reinstalling is likely to be faster and more certain to be secure.
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
The whole situation makes me never want to touch windows .... unfortunately I make my living on that OS. <sigh>
Forum Regular
Join Date: Jun 2001
Location: On the move again...
Originally Posted by driven
The whole situation makes me never want to touch windows .... unfortunately I make my living on that OS. <sigh>
If someone got a rootkit on my OS X or Linux box, I'd be doing a reformat and reinstall too. It's the only way to be sure that a root level exploit has been eradicated. The OS is irrelevant - someone gets root level access to your machine, a clean re-install is the only sure way to repair the situation (and yet another reason why data backups are imperative).
"No footprints when we're gone. Only where we've been, a faint and fading glow" Bruce Cockburn
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
Agreed. It's just MUCH MUCH harder to get a root kit on an OSX or Linux machine. With Windows, well ... just play a Sony music CD. <sigh>
Data backups are quite important. I think OS or system backups are far less useful though. By the time you detect a rootkit it's possible that you've already backed it up or included it in your most recent disk-image.
Addicted to MacNN
Join Date: Oct 2001
Location: BFE
Originally Posted by driven
Microsoft says that the only way to recover from some malware and rootkits is a total "nuke from orbit" and reinstall.
Is that an Aliens reference?
I'm a bird. I am the 1% (of pets).
Posting Junkie
Join Date: Nov 1999
Location: Cape Cod, MA
Addicted to MacNN
Join Date: May 2001
Location: Atlanta, GA
Originally Posted by Eriamjh
Is that an Aliens reference?
I have no idea. I didn't see that movie. I just quoted the article. That's the exact quote that they used to describe the situation.
Clinically Insane
Join Date: Nov 1999
From a security standpoint, a nuke-and-reinstall from a trusted source really is the best way to go. Rootkits can get very devious when it comes to hiding their presence and disguising themselves. The only way to really be sure that you've got everything back to a good state is to install from a known-good source.
This is true for any operating system, by the way, not just Windows.
(Last edited by Millennium; Apr 26, 2006 at 05:24 AM.)
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
Addicted to MacNN
Join Date: Oct 2001
Location: BFE
Originally Posted by sek929
Game over man, game over

Addicted to MacNN
Join Date: Mar 2000
Location: Garden of Paradise Motel, Suite 3D
Originally Posted by Eriamjh
Is that an Aliens reference?
Mostly
He can be fixed -- you can't.
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Does a rootkit automatically mean all files are untrustworthy, or is it only system and executable files?
"The natural progress of things is for liberty to yield and government to gain ground." TJ
Clinically Insane
Join Date: Nov 1999
Originally Posted by Big Mac
Does a rootkit automatically mean all files are untrustworthy, or is it only system and executable files?
Theoretically, non-executable files should be safe. However, it's possible to write a rootkit that disguises its files as non-executables. Your best bet is to verify non-executables on a file-by-file basis, but to do that, you need a system you know you can trust. At that point, nuke-and-pave or restoring from a backup becomes much easier (and somewhat less risky) than verifying each file yourself.
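The clean-install hash comparison the moderator describes earlier in the thread (hash every file on a known-good install, compare against the rooted machine) and the file-by-file verification Millennium describes here, as an added Python example that is not code from the thread. The directory layout, file contents and the name hidden.sys are constructed for the demo; SHA-256 is used in place of the MD5 mentioned in the post, since MD5 collisions are cheap when an attacker controls the file bytes.

```python
import hashlib
import os
import tempfile


def hash_tree(root, algo="sha256"):
    """Return {relative_path: hexdigest} for every regular file under root.
    The post says MD5; SHA-256 is used here because MD5 collisions are cheap
    to produce when the adversary controls the file contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # don't follow links out of the tree being verified
            h = hashlib.new(algo)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def compare_manifests(baseline, suspect):
    """Diff a known-good manifest against the suspect machine's manifest."""
    return {
        "modified": sorted(p for p in baseline if p in suspect and baseline[p] != suspect[p]),
        "added": sorted(p for p in suspect if p not in baseline),
        "missing": sorted(p for p in baseline if p not in suspect),
    }


def write(tree, rel, data):
    path = os.path.join(tree, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Two constructed trees: a clean install and a 'rooted' copy with one patched
    system file and one extra file (hidden.sys is a placeholder name)."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as rooted:
        for tree in (clean, rooted):
            write(tree, "Windows/System32/drivers/disk.sys", b"clean driver")
            write(tree, "Users/me/notes.txt", b"user data")
        write(rooted, "Windows/System32/drivers/disk.sys", b"patched driver")
        write(rooted, "Windows/System32/drivers/hidden.sys", b"constructed extra")
        # In practice, hash the suspect disk from a trusted boot medium: a live
        # kernel rootkit can lie to os.walk() and open() just as it lies to Explorer.
        return compare_manifests(hash_tree(clean), hash_tree(rooted))
```

The manifest only catches files whose bytes changed; it says nothing about firmware, boot sectors or data files that were never in the clean baseline, which is the thread's point that a reinstall is the only sure fix.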
Professional Poster
Join Date: Jun 2005
Location: Yamanashi, Japan
Originally Posted by Eriamjh
Is that an Aliens reference?
Hudson: Hey Vasquez, have you ever been mistaken for a man?
Vasquez: No, have you?
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Thanks to Boot Camp, I can't wait to get my first root kit on an Intel Mac
-t
Administrator 
Join Date: Apr 2001
Location: San Antonio TX USA
Using a decent firewall and a good antivirus package will protect you from being caught with a rootkit; the better AVs point out when something is trying to modify the types of files rootkits infect, even if that particular kit isn't already flagged by the AV's recognition process.
Surf smart and you'll have fewer opportunities to get grabbed by any bad stuff.
Glenn -----
OTR/L, MOT, Tx
Baninated
Join Date: Jan 2005
Surf smart... surf S-Mart.
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Is there any merit to only backing up data (like user folder) and not imaging the entire system?
Clinically Insane
Join Date: Nov 1999
Originally Posted by SSharon
Is there any merit to only backing up data (like user folder) and not imaging the entire system?
You can do that, but you need to be careful to back up anything you couldn't otherwise replace from a trusted source.
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Originally Posted by ghporter
Using a decent firewall and a good antivirus package will protect you from being caught with a rootkit
Uhm, Sony root kit ring a bell?
-t