views:

527

answers:

3

What is the best (hopefully free or cheap) way to detect and then, if necessary, remove a rootkit found on your machine?

+2  A: 

Rootkit revealer from SysInternals

Ash
Thanks. Going to give that thing a try. Just read about these rootkit things and, man, it's scary stuff.
Optimal Solutions
No problems. If you haven't seen the SysInternals tools before I can highly recommend them. Autoruns and ProcessExplorer (also by SysInternals) might be useful for your purposes too.
Ash
I am perusing them now. Nice stuff!
Optimal Solutions
+2  A: 

SysInternals stopped updating RootKit Revealer a couple of years ago.

The only sure way to detect a rootkit is to do an offline compare of installed files and filesystem metadata from a trusted list of known files and their parameters. Obviously, you need to trust the machine you are running the comparison from.

In most situations, using a boot cdrom to run a virus scanner does the trick, for most people.

Otherwise, you can start with a fresh install of whatever, boot it from cdrom, attach an external drive, run a perl script to find and gather parameters (size, md5, sha1), then store the parameters.

To check, run a perl script to find and gather parameters, then compare them to the stored ones.

Also, you'd need a perl script to update your stored parameters after a system update.

--Edit-- Updating this to reflect available techniques. If you get a copy of any bootable rescue cd (such as trinity or rescuecd) with an up-to-date copy of the program "chntpasswd", you'll be able to browse and edit the Windows registry offline.

Coupled with a copy of the startup list from castlecops.com, you should be able to track down the most common run points for the most common rootkits. And always keep track of your driver files and what the good versions are too.

With that level of control, your biggest problem will be the mess of spaghetti your registry is left in after you delete the rootkit and trojans. Usually.

-- Edit -- and there are Windows tools, too. But I described the tools I'm familiar with, and which are free and better documented.

Chris
It's safe to say that if the kernel has been compromised, you cannot trust anything. Rootkit Revealer tries to *infer* the presence of a rootkit by looking for differences between what files and registry keys Windows says exist, versus what a manual parsing of internal Windows data structures says exist. But it's not foolproof; false positives **and** false negatives. The only reasonable way to get rid of one is to re-install.
Ian Boyd
That's not what the question asked, Boyd. The question asked how to detect and remove a rootkit. I described some of the necessary preconditions to do so. Your comment is not relevant to the topic, or even my response.
Chris
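The baseline-and-compare procedure the answer above describes (gather size, MD5 and SHA-1 of every file from trusted boot media, store them, later re-gather and diff), as an added example that is not from the original thread. It is written in Python rather than the Perl the answer mentions; it assumes the script and the baseline file live on the trusted media and the examined filesystem is mounted under `root`, and it uses a constructed temporary tree in place of a real mounted disk.

```python
import hashlib
import json
import os
from pathlib import Path
import tempfile

def file_params(path):
    """Size, MD5 and SHA-1 of one file (the parameters the answer proposes storing)."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB pieces: large files stay off the heap
            size += len(chunk)
            md5.update(chunk)
            sha1.update(chunk)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def gather(root):
    """Walk a mounted (offline) filesystem; keys are slash-separated paths relative to root."""
    params = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):  # links are skipped; their targets get hashed on their own
                params[os.path.relpath(full, root).replace(os.sep, "/")] = file_params(full)
    return params

def compare(stored, current):
    """Diff a stored baseline against a fresh gather: files that appeared, vanished or changed."""
    return {"added": sorted(set(current) - set(stored)),
            "removed": sorted(set(stored) - set(current)),
            "changed": sorted(p for p in stored if p in current and stored[p] != current[p])}

def save_baseline(params, path):
    """Store the baseline as JSON; keep it on the trusted media, never on the disk being checked."""
    with open(path, "w") as fh:
        json.dump(params, fh, indent=1, sort_keys=True)

def demo():
    """Constructed sample tree: take a baseline, then alter the tree the way an infection might."""
    with tempfile.TemporaryDirectory() as disk, tempfile.TemporaryDirectory() as trusted:
        Path(disk, "drivers").mkdir()
        Path(disk, "drivers", "disk.sys").write_bytes(b"good driver")
        Path(disk, "hosts").write_bytes(b"127.0.0.1 localhost")
        baseline = Path(trusted, "baseline.json")
        save_baseline(gather(disk), baseline)                            # known-clean state
        Path(disk, "drivers", "disk.sys").write_bytes(b"patched driver")  # existing driver replaced
        Path(disk, "drivers", "hidden.sys").write_bytes(b"new file")      # file dropped in
        Path(disk, "hosts").unlink()                                      # file deleted
        return compare(json.loads(baseline.read_text()), gather(disk))
```

After a legitimate system update, re-run `gather` from the trusted media and overwrite the stored baseline, which is the "update" script the answer mentions.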
+2  A: 

Remember that you can never trust a compromised machine. You may think you found all signs of a rootkit, but the attacker may have created backdoors in other places. Non-standard backdoors that tools you use won't detect. As a rule you should reinstall a compromised machine from scratch.

phjr
I was thinking that too. If they went in and placed that rootkit then what else have they done. Luckily none found here but are we ever sure?
Optimal Solutions