Every day we are seeing machines with more and more insidious spyware and some items are rootkits. We are getting machines handed into our Edinburgh workshop all the time in various states of infection. A rootkit is a program designed to silently take control of a machine and then do whatever the installer wants on that machine.
Today we saw our first rootkit on a Vista box, but this was on a box without patches. So how did we deal with it?
1) Identify the cause – we have a name, type and filename
2) Analyse the symptoms – we know what to expect on the machine
3) Design a solution – after running all the usual removal tools we patch with about 1Gb of patches, 2 Service packs for the operating system and patches for Office, Firefox, iTunes, and lots of other programs.
4) Implement the solution – we get to work as planned, after this we delete all non-essential files and scrub the remaining space. Even at this stage the rootkit may become active again.
5) Evaluate the solution – this is the most important part, can we now trust the machine?
With monitoring in place we can watch for all internet activity on the machine, both incoming and outgoing. Updated antivirus and firewall software is installed and then from another machine all internet passwords need to be changed. If the machine is proved to be clean then we can keep on using it, otherwise it’s time for a reformat – but even then the machine still needs watching.
What is really important in this situation is not to panic and for us as the professionals to have a proper plan.There is no product out there that can prevent this sort of thing happening as long as end users can be tricked into installing unknown software.
With our managed clients we monitor every file change on every system which gives us warning if unexpected things happen. This week there will also be a bumper crop of patches for servers and desktops, so a busy week all round.