Re: (Score:3)
Data yes, OS and programs, no (Score:2)
Absolutely, you're right: the best way to handle a rootkit is to restore from a known-good backup. Just like you practiced last month, when you tested it and found and fixed the problem with the backup system.
Unfortunately, 90% of people don't have a proper backup system. Probably over half of systems that are being "backed up" can't actually be restored because the backup media went bad a year ago or whatever.
For the people who don't have a solid backup:
> some IT professional who sells himself to a client by cl
Comment removed (Score:1)
Format conversion for sterilization. Word - WPS (Score:2)
One technique for data sterilization is to convert to a different format. For example, converting a Word document to WordPerfect will make sure there are no macros, I believe. Then convert back. Even better, convert to plain text if possible, and leave it as plain text. JPG to BMP, etc.
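The "convert to plain text and leave it there" idea from the post above, as an added example that is not part of the original comment: a .docx is a zip archive, so the recovery script can check whether the archive carries a VBA container (`word/vbaProject.bin`) and then pull only the paragraph text out of `word/document.xml`, leaving every macro, embedded object and formatting stream behind. The sample document is constructed in memory; the file names and namespace are the ones Word itself uses, but the helper names (`build_sample_docx`, `sterilize_docx`) are this example's own.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used inside word/document.xml.
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal .docx-shaped archive, optionally with a VBA container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
            "<w:p><w:r><w:t>Revenue was up.</w:t></w:r></w:p></w:body></w:document>",
        )
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr("word/vbaProject.bin", b"\x00placeholder VBA container\x00")
    return buf.getvalue()


def has_macro_container(docx_bytes: bytes) -> bool:
    """True if the archive carries a vbaProject.bin (a macro-enabled document)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def docx_to_plain_text(docx_bytes: bytes) -> str:
    """Extract paragraph text only; macros, objects and styling are never copied."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(W_NS + "p"):
        runs = [t.text or "" for t in p.iter(W_NS + "t")]
        paragraphs.append("".join(runs))
    return "\n".join(paragraphs)


def sterilize_docx(docx_bytes: bytes) -> dict:
    """Return the recovered text plus a flag so the operator knows a macro was present."""
    return {
        "had_macro": has_macro_container(docx_bytes),
        "text": docx_to_plain_text(docx_bytes),
    }


if __name__ == "__main__":
    for flag in (False, True):
        result = sterilize_docx(build_sample_docx(flag))
        print(f"macro present: {result['had_macro']}")
        print(result["text"])
```

The flag is reported rather than used to refuse the document: the text is safe to keep either way, and knowing which recovered files carried macros tells you where on the old disk the problem was. For untrusted XML in production, parse with `defusedxml` rather than the stock `xml.etree` to avoid entity-expansion tricks.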
Re: (Score:2)
Sorry, but Perl and Python code are programs. You don't trust them from an infected system. Text files you can usually trust, and HTML that doesn't use JavaScript or some such. (Not just JavaScript. You've also got to be careful about allowing CSS, with simple formatting being safe, but anything else needing to be carefully hand checked.) For spreadsheets you should recover from CSV files, but the CSV files can be stored on the disk that got infected. Etc.
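The "HTML without JavaScript, and only simple CSS" rule from the reply above, as an added example that is not part of the original comment: an allowlist filter built on the standard library's `html.parser` that keeps a handful of formatting tags, drops `<script>`/`<style>` blocks with their contents, strips every `on*` handler and inline `style` attribute, and only lets `href` through for `http`, `https` and `mailto` links. Anything it removed is reported, so a recovered page whose dropped list is non-empty can be set aside for the hand check the reply asks for. The allowlist sets and the sample input are this example's own constructions.

```python
from html import escape
from html.parser import HTMLParser

# Simple formatting only; everything else is dropped and reported.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "h1", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt markup
        self.dropped = []      # record of what was removed, for the hand check
        self.skip_depth = 0    # >0 while inside a tag whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name == "style":
                self.dropped.append(f"{tag}@{name}")   # script handler or inline CSS
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                self.dropped.append(f"{tag}@href")     # unknown URL scheme
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-escape so text can never be re-read as markup.
            self.out.append(escape(data, quote=False))


def sanitize_html(html_text: str):
    """Return (clean_markup, list_of_dropped_items)."""
    s = AllowlistSanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out), s.dropped


# Constructed sample page recovered from the old disk.
SAMPLE = (
    '<p onclick="x()">Hello <b>world</b></p>'
    "<script>doSomething()</script><style>p{}</style>"
    '<a href="javascript:void(0)" style="color:red">link</a>'
    '<a href="https://example.com">ok</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE)
    print(clean)
    print("dropped:", dropped)
```

The parser never tries to repair or "clean" a dangerous construct in place; anything outside the allowlist is removed whole, which is the only approach that stays correct as the input gets stranger.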
But just running code in a virtual machine does