Business Owner Stories

Using A Rescue Disk to Check for Rootkit Viruses

Do you have a Rootkit virus?

What is a Rootkit virus? Do you know if you have one? How would you check? Having recently been bitten by one of these nasty bugs, I thought I would write an article about what they are and how to root them out.

Most virus and malware scanning software works from within the operating system: it requires an operating system to be loaded before it can protect the system. Some products even require an internet connection before they start to work. In that case these protections load too late, because a Rootkit virus is already in memory before them.

About 10% of viruses in the wild are Rootkit viruses. This may not seem like much, but it is still a risk. What is more disconcerting is that they typically go undetected because they can preempt any security software.

Why Rootkit viruses are hard to detect

As soon as you see that Windows or Apple logo on your screen, a Rootkit virus could be hiding underneath the operating system and doing damage. It could be collecting keystrokes, making its own (hidden) connections to the internet, providing access to other viruses, and suppressing your own virus scanner long before it even has a chance to start.

Once that happens, anything you do on that computer can be compromised, everything from your passwords to your online banking to your treasured family pictures. For small businesses, using a compromised computer exposes the business to liability, and depending on how you’ve created the business, could actually impact your own financial security as well. This is all bad news for small businesses.

The problem is that you need an operating system to even use your virus scanner, so how do you protect against this? The answer is to occasionally scan for viruses before your operating system loads. This is done with a rescue disk, and these usually run Linux because it is freely usable and distributable. Companies that make these disks also favor Linux because it is not so easily compromised by viruses.

No virus defense plan is 100%, but a regular and consistent approach to security will help reduce the risk considerably. Fortunately, Linux is a big part of that approach.

The Linux-based rescue disk

Many virus prevention companies agree that Linux is a sensible option. They also believe that preventing virus infections is an important part of their mission. While their business models rely on selling security software, they tend to offer the most basic tools for free in the hope that customers will then purchase the complete package with all the features. This is a solid business model that has worked well for them, and fortunately for us, most of them still offer a free tool for detecting and removing viruses that hide under the operating system.

They do this by offering a free boot disk on their company websites. Typically, you download the file to your computer, insert a writable DVD in your disk drive, and write the file to it. The disk is bootable with a custom version of Linux that gives you access to the computer using your keyboard and mouse, so that you can do a thorough scan without loading the operating system that normally starts. Here are the three that I have used and can heartily recommend:

ESET SysRescue Live

ESET has been in the virus scanning business for many years. They offer a clean, simple set of tools to scan for and remove Rootkit viruses as well as any other virus or malware lurking underneath your operating system. The disk uses a custom-tailored version of Debian GNU/Linux.

Kaspersky Rescue Disk

Kaspersky received some negative press because it is a Russian company. That said, they are a top-notch company with excellent security products that I have no reservations in recommending, including their latest Kaspersky Rescue Disk. It uses Gentoo Linux, which is a very well established and respectable OS.

Comodo Rescue Disk

Comodo is a less well-known company that also makes a very good rescue disk. If you don’t trust the Russians, then trust Comodo. It is a no-frills disk, but it is also effective at finding viruses. It also uses a custom-tailored version of Debian Linux that is particularly light, so it runs on just about any computer.

The links above have instructions for creating the disk and running scans. You will need a CD/DVD writer to create the disk, but it is fairly simple to do. Aside from the ones above, there are many other rescue disk options available. If you don’t like the ones above, here are some more.

I’ve used the three mentioned above and have removed hundreds of viruses with them. When I do detect a virus, I use all three disks interchangeably, because it is important to be thorough and not all scanners work the same way. Viruses often arrive in groups and work together: one virus may have let others install after it, so removing the first can reveal the rest.

Using the Rescue Disk

This is well explained in the instructions on the above websites, but I’ll give a quick overview. The disks come as a downloadable ISO file, which your computer will recognize as a file to be written to a CD or DVD disk. So after you download it, double-click on it and follow the prompts on your computer to create the rescue disk.
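Before writing the downloaded image to a disk, it is worth confirming that the file you have is intact and is what the vendor published; this also supports the recommendation below not to build a rescue disk from a file you cannot trust. The following is an added example, not code from the article or from any of the vendors named: it checks that a file carries an ISO 9660 volume descriptor and that its SHA-256 matches the checksum the vendor posts next to the download (the small sample image it builds is constructed here so the example runs offline).

```python
"""Sanity-check a downloaded rescue-disk ISO before burning it.

Added example: verifies the ISO 9660 structure and compares the file's
SHA-256 with the checksum published by the vendor (a value you copy from
the download page), so a corrupted or tampered download is caught before
it becomes a bootable disk.
"""
import hashlib
from pathlib import Path

SECTOR = 2048                 # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR      # Primary Volume Descriptor lives in sector 16
ISO_MAGIC = b"CD001"          # standard identifier, bytes 1..5 of the descriptor


def looks_like_iso9660(data: bytes) -> bool:
    """True if the image carries a Primary Volume Descriptor (type 1, 'CD001')."""
    if len(data) < PVD_OFFSET + 6:
        return False
    return data[PVD_OFFSET] == 0x01 and data[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_MAGIC


def verify_image(data: bytes, expected_sha256: str) -> dict:
    """Report structural validity and whether the hash matches the published value."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "iso9660": looks_like_iso9660(data),
        "sha256": digest,
        "hash_ok": digest == expected_sha256.strip().lower(),
    }


def verify_file(path: str, expected_sha256: str) -> dict:
    """Same check against an ISO on disk, e.g. the file you just downloaded."""
    return verify_image(Path(path).read_bytes(), expected_sha256)


def sample_image(tampered: bool = False) -> bytes:
    """Constructed 20-sector stand-in for a real ISO so the example runs offline."""
    img = bytearray(20 * SECTOR)
    img[PVD_OFFSET] = 0x01
    img[PVD_OFFSET + 1:PVD_OFFSET + 6] = ISO_MAGIC
    if tampered:
        img[-1] ^= 0xFF       # flip one byte: same structure, different hash
    return bytes(img)


if __name__ == "__main__":
    good = sample_image()
    published = hashlib.sha256(good).hexdigest()   # stands in for the vendor's posted checksum
    print(verify_image(good, published))                    # iso9660 True, hash_ok True
    print(verify_image(sample_image(tampered=True), published))  # iso9660 True, hash_ok False
```

Only burn the image when both fields are True; a structure check alone does not catch a modified file, and a hash match alone does not tell you the file is a bootable image.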

When this is done, write on the disk what it is (useful if you have several of these). I have a binder at home where I keep all my useful rescue and recovery disks; think of this as your defense arsenal. It’s always good to have one.

Insert the disk into the infected computer’s CD/DVD-ROM drive and restart the computer. Just as I wrote in my previous article about using the Linux install disk, you will need to make sure your computer is set to start from the CD/DVD-ROM drive. This is done when the computer first starts up. If you need a refresher, here is a link to a quick how-to video.

When you start the computer from one of the scanner disks we created, it will boot into its own operating system, one of the versions of Linux I noted above. You will then be prompted to start a scan. Because the entire computer was started from the rescue disk, any viruses that reside on the hard drive, even those buried underneath your computer’s operating system, will not have a chance to load. This prevents them from doing any damage and, most importantly, from avoiding detection. The rescue disk can now scan for, locate, and remove the virus.

Once the scanning and cleanup are done, follow the prompts, remove the disk, and restart your computer as normal. You have successfully removed the Rootkit virus.

Some Additional Recommendations

Protecting computers against viruses is about more than the software used to scan for them. It is also about building good habits and taking proper action when an infection is suspected. Again, there are hundreds of websites that offer good strategies. Here are some that I recommend:

  1. Don’t create a rescue disk on a computer that is potentially infected; you might infect the rescue disk and then any other computer you scan with it.

  2. No virus scanner is 100% effective all the time, so doing regular, consistent scans is the most effective way to minimize the risk.

  3. Scanning takes time, especially on slower computers, so make a cup of coffee and get comfortable.

  4. Viruses work together, so after scanning several times with rescue disks, also run a scan with your regular virus scanner installed inside the operating system to detect any others.

  5. A computer that has had an infection is more likely to have more later, so stay vigilant with your scanning.

Conclusion

Rootkits are just 1/10th of the viruses in the wild, but as mentioned above, viruses typically don’t arrive on their own. They usually arrive in batches, one virus supporting another. This is why it is recommended that after you find a virus using your standard virus scanner, you run the scanner again to make sure it detected and removed everything. If your scanner has detected a virus, your likelihood of having other infections is greater.

Another issue is that viruses don’t always activate right away. Sometimes they stay dormant until a later date. They can hide as an ordinary file for a while and only start doing damage after a particular threshold, date or time is reached. Viruses are created to evade detection, so lying dormant on a hard drive is an easy way to stay hidden.

Even with the above rescue disk technique, there is still the possibility that the Rootkit, once embedded in the system, is still there. This is why regular and consistent scans are necessary and will help reduce the risk.

Finally, it is my professional recommendation to wipe computer hard drives once every 3-4 years. Just start over with a fresh hard drive, newly installed software, and updated drivers/patches/fixes. This is the best possible way to reduce the risk of viruses over time, especially if, like me, you manage many systems.