New Rootkit requires Windows Reinstall

Bokeh Member Posts: 1,636 ■■■■■■■□□□

Comments

  • nhan.ng Member Posts: 184
    tdsskiller > *
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    This is like saying if your car is totaled you need to buy a new one. If I'm rooted, I'm reinstalling PERIOD.
  • MattMcNabb Member Posts: 48 ■■□□□□□□□□
    Always remember to consider each case individually.

    My organization recently had five client machines that were infected by a similar rootkit which was attempting to beacon to an external source. Luckily our intrusion protection detected and blocked this traffic. Removing the infection, however, was not so simple on two of these machines. We are a research organization and these two computers had multiple vendor-supported applications that may have taken days or weeks to get reinstalled and configured properly. TDSS Killer was the solution for these machines and the security team was able to determine that the beaconing did not recur. The other three computers were simply re-imaged.

    It just goes to show you that there is never a single simple answer.
    “It is the job that is never started that takes longest to finish.”
  • wastedtime Member Posts: 586 ■■■■□□□□□□
    I'm with Robert on this one. Unless you are not worried about the information on the computer or passing through the computer and just want the system up and running. Even then it may be a lost cause.

    Just some things to think about:
    Do you know how the systems got infected in the first place? If not, you may be reinfecting the system or systems and providing a point of extrusion for the data.
    What if the IPS didn't get it? Would it still have been blocked and/or caught? It could have loaded more tools that didn't get caught.
    Do you know everything (everything!) the rootkit did? Same as above: if not, something may still be there.
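    MattMcNabb's team relied on the IPS to spot the beacon and then confirmed it did not recur; wastedtime's follow-up is what to do when the IPS does not catch it. The script below is an added illustration for this thread, not code from any poster or from TDSS Killer: it reads outbound connection logs and flags host pairs that connect at near-constant intervals, which is the timing signature of a beacon and a check you can run independently of the IPS, both before and after cleaning. The log format, the sample lines, and the thresholds (at least five connections, coefficient of variation of the gaps at or below 0.1) are constructed assumptions for the example.

```python
"""Beacon detection over outbound connection logs.

Added illustration for this thread (not any poster's code): flags
host pairs whose outbound connections recur at near-constant intervals.
The log format, sample lines and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src ip> <dst ip>:<port>" per line.
# 10.0.0.5 calls out every ~5 minutes (beacon-like); 10.0.0.8 is irregular browsing.
SAMPLE_LOG = """\
2012-03-01T09:00:00 10.0.0.5 198.51.100.7:443
2012-03-01T09:05:00 10.0.0.5 198.51.100.7:443
2012-03-01T09:10:01 10.0.0.5 198.51.100.7:443
2012-03-01T09:14:59 10.0.0.5 198.51.100.7:443
2012-03-01T09:20:00 10.0.0.5 198.51.100.7:443
2012-03-01T09:25:00 10.0.0.5 198.51.100.7:443
2012-03-01T09:02:13 10.0.0.8 203.0.113.20:80
2012-03-01T09:02:15 10.0.0.8 203.0.113.20:80
2012-03-01T09:31:40 10.0.0.8 203.0.113.20:80
2012-03-01T09:58:02 10.0.0.8 203.0.113.20:80
2012-03-01T10:07:09 10.0.0.8 203.0.113.20:80
2012-03-01T10:44:00 10.0.0.8 203.0.113.20:80
"""


def parse_log(text):
    """Group connection timestamps by (src, dst:port); timestamps sorted ascending."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for key in flows:
        flows[key].sort()
    return dict(flows)


def gaps_seconds(times):
    """Inter-connection gaps in seconds for a sorted list of datetimes."""
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def beacon_score(times):
    """Coefficient of variation of the gaps: 0 means perfectly regular.

    Returns None when there are too few connections to judge regularity.
    """
    gaps = gaps_seconds(times)
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Return [(src, dst, mean_gap_seconds, cv)] for flows that look like beacons.

    A flow qualifies when it has at least min_connections connections and the
    spread of its gaps (cv) is at most max_cv; both thresholds are assumptions.
    """
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        cv = beacon_score(times)
        if cv is not None and cv <= max_cv:
            hits.append((src, dst, round(mean(gaps_seconds(times))), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon-like: {src} -> {dst} every ~{gap}s (cv={cv})")
```

    Run it against the same log window before cleaning and again a few days after; a flow that disappears from the output is the evidence MattMcNabb's team was looking for, and a new regular flow to a different destination is the "loaded more tools" case wastedtime warns about. Real beacons often add jitter, so loosen max_cv rather than expecting a cv near zero, and treat a hit as a lead to investigate, not a verdict.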
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    MattMcNabb wrote: »
    Always remember to consider each case individually.

    My organization recently had five client machines that were infected by a similar rootkit which was attempting to beacon to an external source. Luckily our intrusion protection detected and blocked this traffic. Removing the infection, however, was not so simple on two of these machines. We are a research organization and these two computers had multiple vendor-supported applications that may have taken days or weeks to get reinstalled and configured properly. TDSS Killer was the solution for these machines and the security team was able to determine that the beaconing did not recur. The other three computers were simply re-imaged.

    It just goes to show you that there is never a single simple answer.

    A rootkit implies modification of the OS's code. How can you clean what you can no longer trust? Sure, the beacon no longer occurs right now. But can you be sure no logic bomb was left that downloads something else on x date as an attempt to repair? If it is in fact a rootkit, I am reimaging the PC. If it is just a trojan or some silly little malware - ok. Clean it. But, IMO, the classic definition of a rootkit requires a reinstall as the code of the OS itself has been fundamentally changed. Better safe than sorry.
  • Asif Dasl Member Posts: 2,116 ■■■■■■■■□□
    Would agree with RK. I'm not an expert in removing malware, so I just don't take the time to remove it. You just never fully know it's OK. Just clone it back to the original image and be done with it. Far, far safer in the long run.