Rooting out a rootkit: Stage three -- Recovery

What should you do to start getting Windows on the road to recovery and normal operation? Read what the experts have to say.

Kurt Dillard: Unfortunately, "nuke the site into orbit" is the most robust way to recover. Once an attacker has compromised your system, you can never be certain that you found and removed every change made.

If you don't have a recent backup, follow these steps.

    1. Mount the hard disks from the affected system into another computer that is known to be clean.
    2. Back up the data from the clean system.
    3. Wipe and reload the operating system from known good media on the affected system.
    4. Secure it as best you can by taking the steps outlined in the preventative measures stage.
    5. Restore the data onto the rebuilt machine.
    6. Thoroughly scan all of the restored data using the latest antivirus and antispyware software.
    7. Do not try to save any executable files. The best course is to deliberately delete any executable binaries, scripts, ActiveX controls and so on.

Lawrence Abrams: Recovery from rootkits is a tricky situation. If the rootkit was installed by way of generic non-targeted malware, then cleaning the offending program off your computer should be more than enough to recover your computer.

On the other hand, if you are dealing with a rootkit like Hacker Defender, HE4Hook, Vanquish, or FU, then a hacker deliberately installed these rootkits on the targeted computers. With that in mind, you have absolutely no idea what else they may have installed or modified on your computer. It could be that the hacker changed security settings via the registry, replaced critical files with hacked versions or compromised the computer/network in other ways. In those situations, I always recommend backing up the data and reinstalling the operating system. And before you copy the data back onto the freshly reinstalled computer, scan the data for infections.

If reinstalling the computer is not an option, you can attempt to use rootkit detection programs such as Blacklight, RootkitRevealer and Flister (to name a few) to find the files that are part of the rootkit. Since these files most likely will not be visible outside of the rootkit programs, you would have to clean them using a bootable Linux distribution such as KNOPPIX, a boot disk, or via a network share (not recommended).

Ultimately, if you have the resources to reinstall the computer, that would be your best choice.

Kevin Beaver: If you don't detect any rootkits, but the behavior continues, your best and safest option is to reformat and reinstall the system. Just make sure you back up any data files before doing so. This should be safe since most current malware (especially rootkits) doesn't infect binary or text-based data files. Instead, it affects executable or supporting library files used by the OS or applications. If you're able to clean the system (highly unlikely if a rootkit is discovered), then you'll need to re-scan it often and monitor it for additional suspicious behavior. Again, do this using the tools I mentioned in the diagnosis phase.
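All three experts converge on the same pre-restore step: keep the user's data, but deliberately strip executable content (binaries, scripts, ActiveX controls) out of it before it touches the rebuilt machine, because that is where a rootkit's components live. The script below is an added example, not code from the article or any of the experts quoted, and it is written to run on the clean system that has the recovered data mounted (Dillard's step 1, or Abrams' bootable Linux disk). It assumes the restored data sits under one directory and that flagged files are moved to a sibling quarantine directory with a hash manifest rather than deleted in place; the extension list and the sample file tree are constructed for illustration.

```python
"""Triage restored user data before copying it back onto a rebuilt Windows box.

Added example; not from the article or its experts. Two checks per file:
  1. an executable-type extension (assumed list below), and
  2. the 'MZ' DOS stub every Windows PE image starts with, which catches an
     executable that was renamed to look like a document.
Flagged files are moved to a quarantine tree (relative path preserved) and a
manifest with SHA-256 hashes is returned for review.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Assumed set of extensions treated as executable content; extend to taste.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl", ".ocx", ".msi",  # PE / ActiveX
    ".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".lnk",
}


def looks_like_pe(path: Path) -> bool:
    """True if the file begins with the 'MZ' magic of a PE image, whatever its name."""
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def classify(path: Path) -> Optional[str]:
    """Return the reason a file should be quarantined, or None if it may be restored."""
    if path.suffix.lower() in EXECUTABLE_EXTENSIONS:
        return "executable extension"
    if looks_like_pe(path):
        return "PE header under non-executable extension"
    return None


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_executables(restored_root: Path, quarantine_root: Path) -> List[Dict[str, str]]:
    """Walk the restored tree; move executable content aside and return the manifest."""
    manifest = []
    # sorted() materialises the listing before any file is moved.
    for path in sorted(restored_root.rglob("*")):
        if not path.is_file():
            continue
        reason = classify(path)
        if reason is None:
            continue
        rel = path.relative_to(restored_root)
        dest = quarantine_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        entry = {"path": rel.as_posix(), "reason": reason, "sha256": sha256_of(path)}
        shutil.move(str(path), str(dest))  # hash is taken before the move
        manifest.append(entry)
    return manifest


def build_sample_tree(root: Path) -> None:
    """Constructed sample 'restored data'; the bytes are placeholders, not real malware."""
    samples = {
        "Documents/report.docx": b"PK\x03\x04 constructed document bytes",
        "Documents/notes.txt": b"plain text notes, safe to restore",
        "Downloads/setup.exe": b"MZ\x90\x00 constructed PE stub",
        "Downloads/invoice.pdf": b"MZ\x90\x00 constructed PE stub renamed to .pdf",
        "Scripts/login.vbs": b"WScript.Echo \"constructed script\"",
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> Tuple[List[Dict[str, str]], List[str]]:
    """Run the triage over the constructed tree; return (manifest, files left to restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        restored, quarantine = Path(tmp) / "restored", Path(tmp) / "quarantine"
        build_sample_tree(restored)
        manifest = quarantine_executables(restored, quarantine)
        kept = sorted(p.relative_to(restored).as_posix()
                      for p in restored.rglob("*") if p.is_file())
        return manifest, kept


if __name__ == "__main__":
    found, remaining = demo()
    for item in found:
        print(f"quarantined {item['path']}: {item['reason']} (sha256 {item['sha256'][:12]}...)")
    print("safe to restore:", remaining)
```

The second check is the one worth keeping: a file named `invoice.pdf` that starts with `MZ` is an executable whatever its extension says, and an extension-only filter would copy it straight back onto the clean build. Review the manifest before discarding the quarantine directory, since it is also the record of what the attacker left in the user's data.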


Stage four: Preventative measures


About the experts: Expert bios are available on the scenario page.

This was first published in August 2005
