nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

New Rootkit requirew Windows Reinstall

Bokeh

Rootkit infection requires Windows reinstall, says Microsoft - Computerworld

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

nhan.ng

tdsskiller > *

RobertKaucher

This is like saying if your car is totaled you need to buy a new one. If I'm rooted, I'm reinstalling PERIOD.

MattMcNabb

Always remember to consider each case individually.

My organization recently had five client machines that were infected by a similar rootkit which was attempting to beacon to an external source. Luckily our intrusion protection detected and blocked this traffic. Removing the infection, however, was not so simple on two of these machines. We are a research organization and these two computers had multiple vendor supported applications that may have taken days or weeks to get reinstalled and cofigured properly. TDSS Killer was the solution for these machines and the security team was able to determine that the beaconing did not recur. The other three computers were simply re-imaged.

It just goes to show you that there is never a single simple answer.

wastedtime

I'm with Robert on this one. Unless you are not worried about the information on the computer or passing through the computer and just want the system up and running. Even then it may be a lost cause.

Just some things to think about:
Do you know how the systems got infected in the first place? If not you may be reinfecting the system or systems and providing a point of extrusion for the data.
What if the IPS didn't get it? Would it still have been blocked and or caught? It could have loaded more tools that didn't get caught.
Do you know everything (everything!) the rootkit did? Same as above, if not something may still be there.

RobertKaucher

MattMcNabb wrote: »

Always remember to consider each case individually.

My organization recently had five client machines that were infected by a similar rootkit which was attempting to beacon to an external source. Luckily our intrusion protection detected and blocked this traffic. Removing the infection, however, was not so simple on two of these machines. We are a research organization and these two computers had multiple vendor supported applications that may have taken days or weeks to get reinstalled and cofigured properly. TDSS Killer was the solution for these machines and the security team was able to determine that the beaconing did not recur. The other three computers were simply re-imaged.

It just goes to show you that there is never a single simple answer.

A rootkit implies modification of the OS's code. How can you clean what you can no longer trust? Sure, the beacon no longer occurs right now. But can you be sure no logic bomb was left that downloads something else on x date as an attempt to repair? If it is in fact a rootkit, I am reimaging the PC. If it is just a trojan or some silly little malware - ok. Clean it. But, IMO, the classic definition of a rootkit requires a reinstall as the code of the OS itself has been fundamentally changed. Better safe than sorry.

Asif Dasl

Would agree with RK, I'm not an expert in removing malware so I just don't take the time to remove it. You just never fully know it's OK. Just clone it back to the original image and be done with it. Far, far, safer in the long run.