
6 Steps to Recover From a Rootkit
The important thing to remember is that once you’ve had a rootkit installed on your system, you can never trust anything executable on it again without having some way to independently verify it from outside that system. Anything that cannot be trusted must be thrown away and replaced. The following steps to recovering from a rootkit infection are all based on the assumption that the compromised system can no longer be trusted.
0. Be prepared. Keep good backups, taken regularly, and make sure any critical non-plain-text data that you can’t afford to just throw away is backed up in a manner that doesn’t give the system you want to protect direct access to the backups. Keep backups as plain text as much as you can, for reasons that will become clear in the rest of this list.
1. Disconnect the network. Once the system is compromised, it can be used to compromise other systems. You also want to make sure the malicious security cracker who has compromised the system isn’t alerted to the fact that there’s something wrong while he or she still has access to the system. In fact, disconnect the power entirely if there isn’t a specific reason to keep it turned on, and if you must, pull the drive so it can be analyzed from another system.
2. Document everything. Analyze the intrusion. In addition to simply recovering the system and the data on it, you must also try to find out how you got compromised in the first place, what problems there may be with your recovery procedures, and how best to avoid this situation and minimize the damage in case you don’t avoid it in the future.
3. Reinstall your OS. Remember: When you’ve had a rootkit installed on your system, you can’t trust it any longer. Everything has to go. It may be that thanks to a good integrity auditing tool such as Tripwire you can be reasonably sure that some components of your system are still good, but ultimately you’re better off reinstalling the system from scratch or restoring from a known good image.
4. Restore your data, but do it carefully. Even if you have backups from before the time you detected the rootkit, it’s possible that the compromise simply wasn’t detected right away, so those backups may already include it. As much as possible, restore data from plain text, and throw away any non-plain-text data that isn’t of critical importance so you don’t run as much risk of getting reinfected by your own data files.
5. Monitor your system closely. The period immediately after restoring your system is a touchy one, where you must take great care to confirm that you have actually eliminated every trace of the compromise and are not the target of an ongoing attack that may quickly crack security again. Watch other systems that may also have been compromised, especially those that may have been compromised from the system you’ve just restored and those that may have been used as a jumping-off point to get to the system you’ve just restored.
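The "verify it from outside that system" theme that runs through steps 0, 3 and 4 (a Tripwire-style integrity audit against a known-good baseline, and restoring plain text only), as an added example that is not code from the original post or from TechRepublic. It assumes the suspect disk (or a freshly restored system) is mounted read-only on a separate, trusted host, and that a baseline manifest exists from a clean install or known-good image. The directory trees, file names and file contents are constructed for the demo, and `BINARY_MAGIC` is a deliberately short, hypothetical list of executable/archive signatures rather than a complete detector.

```python
"""Offline integrity audit and plain-text screening for rootkit recovery (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, minimal list of magic numbers for formats that are executable
# code or containers rather than plain text. Extend for your environment.
BINARY_MAGIC = (
    b"\x7fELF",           # Linux/Unix ELF executables and shared objects
    b"MZ",                # Windows PE executables and DLLs
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit
    b"\xca\xfe\xba\xbe",  # Mach-O universal binary (also Java class files)
    b"PK\x03\x04",        # ZIP containers (jar, docx, apk, ...)
)


def _walk_files(root: Path):
    """Yield (relative_posix_path, absolute_path) for regular files under root.
    Symlinks are skipped so a planted link cannot redirect the hash to a clean target."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            yield p.relative_to(root).as_posix(), p


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root to its SHA-256 (the baseline or the suspect view)."""
    return {rel: sha256_file(p) for rel, p in _walk_files(Path(root))}


def compare_manifests(baseline: dict, suspect: dict) -> dict:
    """Classify differences between a known-good manifest and a suspect one."""
    base_keys, sus_keys = set(baseline), set(suspect)
    return {
        "modified": sorted(k for k in base_keys & sus_keys if baseline[k] != suspect[k]),
        "added": sorted(sus_keys - base_keys),
        "missing": sorted(base_keys - sus_keys),
    }


def is_plain_text(data: bytes) -> bool:
    """True if data looks like text: no binary magic, no NUL bytes, valid UTF-8."""
    if data.startswith(BINARY_MAGIC) or b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as e:
        # A multi-byte character cut off by the sample boundary is not a binary file.
        return e.start >= len(data) - 3
    return True


def screen_restore_set(root, sample_bytes: int = 8192) -> dict:
    """Split a restore set into plain-text files (restore) and everything else (quarantine)."""
    result = {"restore": [], "quarantine": []}
    for rel, p in _walk_files(Path(root)):
        with open(p, "rb") as f:
            head = f.read(sample_bytes)
        result["restore" if is_plain_text(head) else "quarantine"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def run_demo() -> tuple:
    """Build two small constructed trees in a temp dir and analyse them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = Path(tmp) / "known_good", Path(tmp) / "suspect_image"
        files_good = {
            "bin/ls": b"\x7fELF" + b"\x00" * 60,                # constructed stand-in for a clean binary
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        files_suspect = {
            "bin/ls": b"\x7fELF" + b"\x00" * 58 + b"\x90\x90",  # same path, different bytes
            "etc/passwd": files_good["etc/passwd"],
            "lib/.hidden.so": b"\x7fELF" + b"\x01" * 20,        # file absent from the baseline
        }
        for root, files in ((good, files_good), (suspect, files_suspect)):
            for rel, content in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(content)
        diff = compare_manifests(build_manifest(good), build_manifest(suspect))
        screening = screen_restore_set(suspect)
    return diff, screening


if __name__ == "__main__":
    diff, screening = run_demo()
    for kind, paths in diff.items():
        print(f"{kind:9s}: {', '.join(paths) or '-'}")
    print("restore   :", ", ".join(screening["restore"]))
    print("quarantine:", ", ".join(screening["quarantine"]))
```

Both the baseline manifest and this script must live on the trusted host, never on the system being audited; a manifest stored on the compromised box is exactly the kind of executable-adjacent data step 3 says you can no longer trust. The plain-text screen is a coarse filter in the spirit of step 4: files it quarantines are not necessarily malicious, only not safe to restore without independent verification.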
http://blogs.techrepublic.com.com/security/?p=267 (original post)