I plan on doing a complete reinstall of the OS on my XP machine. While I’m fairly confident that there is no malware on it, you can never be 100 percent sure, especially concerning “rootkits”.
So, my question is: Can rootkits survive a reinstall of the OS?
A while back I picked up a nasty rootkitted bug from a link in a dope thread. I was able, after lots of work, to recover without reinstalling. Learned a lot about viruses and rootkits.
There are several products that do pretty well at detecting rootkits. RootkitRevealer from Microsoft Sysinternals does pretty well. It is free, and Microsoft has some nice tutorial videos on their site.
The OP doesn’t have a rootkit, as far as he knows. He is going to reinstall XP and wants to be sure that, if there is anything bad on the machine, it will be wiped out.
This is wrong and is a reason why rootkits are so dangerous. There could be one embedded in your BIOS. And you may not even know it. Doing a clean install won’t even remove it. Why do you think the US military and government refuses to use chips (American designs) that are even manufactured overseas. China has just upped their chip manufacturing because of this very reason. If you are real paranoid flash your BIOS. Even that is not a sure thing. The only way to be sure is to build the machine yourself from the ground up and even then…
Would flashing your BIOS (for these purposes) entail taking out the battery for a short bit? Er, not taking out the battery to flash, but taking it out to clear everything out of memory.
Depends how old your computer is; it used to be an involved process with taking out the battery, taking out a jumper, inserting a startup floppy and doing it that way. Nowadays you can generally upgrade your BIOS through a standard Windows installer. The thing with rootkits that get into the BIOS is, unlike ones that hide in Windows, they are much less common, as there are so many different types of chipsets you can’t just make a rootkit to work on them all as you can in Windows. There are rootkit scanners; AVG I believe still offers theirs for free.
BTW, if you have never upgraded your BIOS it’s a good idea to do it anyway, as it can add more functionality to your machine. People often update their drivers, but the BIOS is usually one that gets forgotten about.
It’s not necessarily any place special (at least in the sense of the boot sector, MBR, or BIOS); it can live in your filesystem like all the other files and directories (in fact, it is my understanding that that is the case for at least most rootkits).
What is special is that it works very deep down in the system, circumventing all protections, and it hides itself from detection by mucking with the routines that are used to list files, processes, registry keys etc. If you can’t see it, it’s d–n hard to do anything with it.
Software-flashable BIOS (without the floppy method) is fairly new in the grand scheme of things. The big threat for BIOS infections, however, was an issue with an exploit to LoJack for laptops. As you mentioned, writing a BIOS virus is difficult because there are so many different chipsets, and the possibility of spreading with any speed is VERY VERY low.
A BIOS can be infected, but it is highly unlikely to the point of silly to worry about it. I have only seen one virus infected BIOS and that was something a programmer friend of mine did just to see if he could do it.
Use SystemRescueCD or Universal Boot CD to clear the disk by booting off CD (this ensures that your system is not compromised). You may be able to reflash the BIOS with UBCD. Delete the partitions and MBR, then repartition. Finally boot off the XP disk and reinstall.
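An added check, written for this thread rather than taken from any poster or tool, showing what “delete the partitions and MBR” means at the byte level: it parses the first sector for the 0x55AA boot signature and the four partition entries, zeroes the leading sectors, and confirms nothing survives. It runs on a constructed in-memory disk image; on a real disk you would pass in the first sector read from the device with a tool such as dd.

```python
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse a classic MBR: 446 bytes of boot code, 4 x 16-byte partition entries, 0x55AA signature."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack("<II", e[8:16])
        if e[4] != 0:  # partition type 0x00 means the slot is empty
            parts.append({"index": i, "bootable": e[0] == 0x80, "type": e[4],
                          "lba_start": lba_start, "sectors": sectors})
    return {"signed": sector[510:512] == MBR_SIGNATURE, "partitions": parts}


def build_sample_mbr() -> bytes:
    """Constructed sample sector: a bootable NTFS partition (type 0x07) plus a second NTFS partition."""
    def entry(status, ptype, lba, count):
        return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", lba, count)
    sector = bytearray(SECTOR)
    sector[0:2] = b"\xeb\xfe"  # stand-in boot code (an infinite jump), constructed
    sector[446:462] = entry(0x80, 0x07, 2048, 204800)
    sector[462:478] = entry(0x00, 0x07, 206848, 102400)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def wipe_leading_sectors(image: bytearray, count: int = 2048) -> None:
    """Zero the first `count` sectors in place: boot code, partition table and the gap before the first partition."""
    n = min(SECTOR * count, len(image))
    image[:n] = bytes(n)


def is_clear(sector: bytes) -> bool:
    """True only when no boot code, no partition entry and no boot signature survive."""
    info = parse_mbr(sector)
    return not info["signed"] and not info["partitions"] and not any(sector[:446])


def demo() -> tuple:
    """Build a 2 MiB constructed image, wipe it and report before/after states."""
    image = bytearray(build_sample_mbr() + bytes(SECTOR * 4095))
    before = parse_mbr(bytes(image[:SECTOR]))
    wipe_leading_sectors(image)
    after = parse_mbr(bytes(image[:SECTOR]))
    return before, after, is_clear(bytes(image[:SECTOR]))
```

A GPT disk shows up here as a single protective partition of type 0xEE; the same zeroing still removes it, but the GPT backup header at the end of the disk is a separate area this check does not cover.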
Heh … that’s the reason I rarely flash the BIOS. It’s probably irrational, born in the days of putting x386 machines together and being very careful not to let anything go wrong during the process, but flashing BIOS scares the crap out of me. Oh sure, I’ll flash firmware left and right for the other equipment, but BIOS? I’ll update when I’m putting a box together, but if nothing’s broken, I’m not fixing it for additional features.
But tell me I’m being silly and should just use EZFlash and not worry about it.
This is not true. Quite apart from the issue of master boot record and (much rarer) BIOS viruses brought up by other posters, I should point out that reinstalling an OS does not necessarily wipe the hard drive. For one thing, it is possible to install an operating system without reformatting. For another, even if you do reformat the OS partition, there may be other partitions on your hard drive where a virus may lurk.
If you’ve genuinely gotten a rootkit, it could hide code in the boot sector that would re-direct the format program you’re using, so you might think you’re formatting the disk, but you’re actually running a different program that leaves the malicious code intact. I don’t think there’s anything that insidious in the wild, but it’s at least theoretically possible.
Malware can hibernate in many places in a computer until the OS has been reinstalled and then re-infect the new install. Network interfaces, graphics cards, whatever device has writable memory can be used. There was even talk about malware using a small writable portion that exists on most modern CPUs to hold CPU information.
I have had XP setup fail to handle partition table modifications correctly - if the disk is blank beforehand, it works fine, but it can be pretty casual (i.e. wrong) about deleting and recreating partition tables correctly (in one case getting the partition ordering so wrong that a backup/flatten/repartition/restore was the only option). Also, it generally assumes that the MBR is OK instead of rewriting it, leading to some confusion. So I recommend using another tool to do this.
Actually, I think people are giving malware authors too much credit - some of this stuff (hiding in the bios/flash of peripherals/mbr redirection) is theoretically possible but highly specific to the hardware. Most malware authors are primarily interested in hiding the malware from antivirus/casual inspection. To this end, the malware uses rootkit techniques to mask its own activities once the system has started, rather than the extreme owning of the computer suggested.