Monday, August 23, 2010

Responding to a Rootkit Question Found on LinkedIn

Just to start off, I'm going to mention that last week's picnic event with Simplex IT was a great turnout. Everyone was enthusiastic and the food was great. There appeared to be some new visitors in the crowd as well, who have been seen around other events ranging from the Simplex-It Lunchinars, NEO IT Think Tank, Greater PC User's Group, Sam's WPF and C#/.NET groups, ISSA Northeast Ohio Chapter, Computers Helping Inspire People PC Refurbishment Program, and finally the Security 503 course sponsored by the SANS organization.

Today's topic answers a specific question that I saw posted on LinkedIn. For some reason the site would not post the answer I was going to provide, so I will explain it here. The question this person asked was: if a user gets a rootkit virus, and a program that detects rootkits and is designed to remove them fails to get all of the malicious files off of the system, what would be the next step? My suggestion is to have the hard drive wiped with a dedicated drive-wiping utility, preferably one that follows Department of Defense standards for wiping drives. Reformatting the hard drive with the current operating system, such as Microsoft's, may not be enough. The reason is that if this same person later accidentally deleted some mandatory files from their system and found a file recovery utility, some of these programs are powerful enough to restore files from several reformats of the drive; "Recover My Files" is one example.

From what I understand about rootkits, they are more difficult to detect because they hide in multiple areas of the operating system and go undetected by regular AV scanners, which primarily scan for the file signatures of other malicious program types such as Trojans, malware, worms, etc. What is imperative in the Microsoft environment is to keep systems current with the latest critical patches and to keep virus signatures up to date for all other virus types. Programs designed to run on Windows operating systems, whether legitimate or malicious, have to set configuration parameters within the Windows Registry in order to run properly on the platform.

Some people I have heard from say they prefer the Mac operating system because they claim it is virus free. I hate to say it, but that is not 100 percent true: there is at least a handful of Mac viruses. There are just not as many because most are written for the Microsoft environment. There are vulnerabilities in different operating systems; they may not get nearly as many reports as Microsoft because they are not the primary target systems. Hackers look for the operating systems with the most vulnerabilities in order to gain something from them. Much of the motivation is to get personal data off of multiple systems at once, though some just play.

Also, for those accessing the internet, someone within a Special Interest Group on home networking pointed us to an online utility called "Shields Up", located at www.grc.com. It is an online probing security tool that scans the ports on your home firewall to see if there are any vulnerabilities you should be aware of. Software firewalls such as Zone Alarm and Trend Micro have pretty strong security controls that can be turned on or off to provide at least some protection for your internet setup, but always remember to keep your guard up when it comes to protecting your systems at home. Some ISPs provide decent port blocking tools to help better secure your network. Most intruders like to get in through Microsoft's internet browser, which often uses a reserved port that is always open.

Another tool for checking whether something is going on is the Event Viewer in Microsoft operating systems. I admit the logs can be a little mysterious; however, going to Google and researching what these event logs are trying to tell you often helps. Sometimes just knowing the date and time the log entry was created, along with a few general messages, tells me that something or someone was trying to manipulate the system. Often I will ask around and, for the most part, get an honest answer that someone was trying to change some settings that day and it did not work out the way they wanted. Of course you might not always get an honest answer, but when investigating logs there is usually more evidence there to determine whether something is going wrong with the system. There are several services that may be turned on by default that you may wish to turn off to deter an outsider from trying to connect to the user's machine.

Always keep in mind to take precautions to protect your systems. Within a corporate environment, most organizations have some type of scanning tool that monitors the network for malicious activity. When something changes and appears to be affecting, say, 20 systems in a row that day, it is best to investigate what is causing the problem. If it is virus or malware related, find out exactly what the malicious activity is and where it is coming from before attempting to wipe and re-image the 25-30 hard drives affected by it. This also depends on how network monitoring is used; some places take a more proactive approach than others. If one just reformats the hard drive, don't be surprised if some malicious files resurface later through a powerful file recovery tool. A drive-wiping program will take the time to overwrite the hard drive 4 to 5 times and then perform a check to make sure that all of the data is gone. For data that one wants to see again, be sure to back it up frequently to an external drive of some sort before things start to go bad.
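As an added illustration (not code from the original post or from any wiping product it names), here is a small Python model of what the drive-wiping step above does: several random overwrite passes, a final zero pass forced to disk, and a verification read that fails if any byte survived. It works on an ordinary file with constructed contents so it can be run safely; the same logic pointed at a block device is what removes the data a file recovery tool could otherwise bring back.

```python
import os
import secrets

CHUNK = 1024 * 1024  # 1 MiB at a time so large targets never need to fit in memory


def _overwrite_pass(fh, size: int, random_data: bool) -> None:
    """Overwrite `size` bytes from offset 0 with random bytes (or zeros) and force them to disk."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(secrets.token_bytes(n) if random_data else b"\x00" * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # a pass only counts once it is on the disk, not in the page cache


def verify_zeroed(path: str) -> bool:
    """Final check: read the whole target back and report whether any non-zero byte survived."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                return True
            if any(block):  # any() on bytes is True when some byte is non-zero
                return False


def wipe_and_verify(path: str, random_passes: int = 4) -> bool:
    """Multi-pass wipe as the post describes: random overwrites, a zero pass, then a verification read."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            _overwrite_pass(fh, size, random_data=True)
        _overwrite_pass(fh, size, random_data=False)
    return verify_zeroed(path)


def demo(path: str = "wipe_demo.bin") -> bool:
    """Write a constructed marker file, wipe it, and confirm the marker can no longer be read back."""
    with open(path, "wb") as fh:
        fh.write(b"CONSTRUCTED_MARKER " * 4096)  # constructed sample content, not real malware
    wiped = wipe_and_verify(path)
    with open(path, "rb") as fh:
        marker_gone = b"CONSTRUCTED_MARKER" not in fh.read()
    os.remove(path)
    return wiped and marker_gone
```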

So in summary, the answer to this person's question depends on the situation. If it is a corporate environment with multiple misbehaving systems, the first step is to investigate the environment. If it is just something on the home front, where the user's system is not a corporate-owned laptop, wipe the drive with something like Wipe Drive Pro and reload the operating system.
