Friday, October 2, 2009

Humbled by rootkits, a hard lesson is learned

Most of my blog entries are entirely work-related. I'm going to deviate from that because (1) I can tie a personal issue to work and (2) this has been on my mind for a few days. I feel a rant of confessions coming on:

On my personal desktop, I haven't been following best practice. I have an outdated AV product that hasn't updated its virus patterns in years. I consider myself a pretty savvy user of technology and, rather than burden my desktop with resource-eating AV programs and real-time spyware tools, I run the occasional scan and avoid attachments and sites that appear to be suspect. This has served me well for quite some time.

Earlier this week, I'm virtually positive that I got some kind of rootkit infection on my personal desktop. I clicked a link on a web page and my browser acted strange. I saw the word 'updating' and I think the browser shut down. For minutes thereafter, my hard drive began to churn. After a few minutes of horror, I disconnected the network port.

Since then, my evenings have been a blur of Google searches and attempts to run various removal tools. Having an IT background, these sorts of issues become a consuming challenge and I'm not quick to admit defeat with the wealth of tools available. Some of these tools ran to completion, finding nothing or next-to-nothing. Other tools didn't run to completion. How do I know something's up? Aside from the hard drive and browser behavior at the moment, I've found suspect entries in my Event Viewer that correspond to the proper date/time: warnings from Windows Defender, a couple of 'services' with long alphanumeric registry-key-style names starting up, and a login by the HelpAssistant account (which I've learned is related to Remote Assistance). Let's face it... SOMETHING is on this machine.

Ah, but what to do? School district support staff would have a new image installed after very minimal troubleshooting. In fact, the Wikipedia entry on rootkits spells out this recommendation in very clear terms:
Direct removal of a rootkit may be impractical. Even if the type and nature of the rootkit are known, the required time and effort by a system administrator with the necessary skills or experience may exceed the required time to re-install the operating system.

Well, that's where I am. I've told myself for the past three evenings that I have the "necessary skills and experience" to beat this. At this point, I'm low on sleep and I suppose I'll swallow hard, back up important data and reformat.

I suppose a few good things may have come of this. A few notes and recommendations:

* This is why end users in school districts should save important data to a network share. It would be completely impractical for a technician to spend the number of hours I've spent on a problem like this.

* Even if I had 'solved' the problem, how safe would I feel? A rootkit, by design, hides itself. At any moment, my machine could be compromised. Was a keystroke logger installed? Did it capture critical users/passwords? How do I know it's completely gone? Again, the only certain solution at this point is a fresh installation.

* Have a backup of your critical data. I have a dated copy and, thankfully in this case, my machine can still function well enough to make a copy of critical data.

* There are tools like the Windows Ultimate Boot CD and BartPE that can be used to create a CD with a bootable OS. I'm sure there are Linux tools available as well. In my journeys, I've learned that one way to attempt to find these rootkits is via an external OS. Smart ones can hide from these as well, but these resources are good nonetheless.

* Even though they have provided limited help to me in this case, there are many good tools available to help detect viruses, spyware and (I'm told) some rootkits. Sophos has a tool for rootkits. McAfee's Stinger tool is also worth a shot.
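As an added example (not from the original post), here is a PowerShell triage pass over the two Event Viewer indicators described above: the HelpAssistant logon and newly installed services with long alphanumeric names. It assumes Windows Vista or later (for Get-WinEvent) and an elevated prompt; the 10-character "looks machine-generated" name heuristic is my own assumption, not something the post states.

```powershell
# Added triage script, not part of the original post. Reads the Security and System
# event logs for the indicators the post describes. Event IDs 4624 (successful logon)
# and 7045 (service installed) are standard Windows IDs; the name heuristic is assumed.
param(
    [int]$Days = 7   # how far back to look; the post's incident was "earlier this week"
)
$since = (Get-Date).AddDays(-$Days)

# 1. Logons by the Remote Assistance account. In a 4624 event, Properties[5] is
#    TargetUserName, Properties[8] is LogonType (10 = remote interactive, 3 = network)
#    and Properties[18] is the source IP address.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -ieq 'HelpAssistant' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $_.Properties[5].Value
            LogonType = $_.Properties[8].Value
            SourceIP  = $_.Properties[18].Value
        }
    }

# 2. Services installed in the window whose names look machine-generated: a long run of
#    letters and digits with at least one digit. Assumed heuristic, tune as needed.
#    In a 7045 event, Properties[0] is ServiceName, [1] ImagePath, [3] StartType.
$randomName = '^[A-Za-z0-9]{10,}$'
$services = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -match $randomName -and $_.Properties[0].Value -match '\d' } |
    ForEach-Object {
        $name = $_.Properties[0].Value
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Service        = $name
            ImagePath      = $_.Properties[1].Value
            StartType      = $_.Properties[3].Value
            # A name still present under the Services key is live right now, not just historical.
            StillInstalled = Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        }
    }

"HelpAssistant logons since $since : $(@($logons).Count)"
$logons | Format-Table -AutoSize
"Services with machine-generated-looking names installed since $since : $(@($services).Count)"
$services | Format-Table -AutoSize
```

An empty result is not a clean bill of health: a rootkit that hides itself can also clear or suppress log entries, which is exactly why the post's conclusion to back up and reimage still stands.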

My home machine is a mess, but maybe someone else can benefit from my tale of woe. **sigh**
