This is the primary reason Unix folks remove the computer,  make an image for forensics, and then rebuild from a known good source.  Windows folks have yet to figure this one out.  I take the same philosophy towards malware that Unix admins do..nuke the box…because you can’t trust it’s clean once it’s been compromised.

In one incident, a sports bar in Miami was targeted by attackers who used a custom-designed rootkit that installed itself in the machines kernel, making detection particularly difficult. The rootkit had a simple, streamlined design and was found on a server that handled credit card transactions at the bar. It searched for credit card track data, gathered whatever it found and dumped the data to a hidden folder on the machine. The attacker behind the rootkit took the extra step of changing a character in the track data that DLP software looks for in order to identify credit card data as its leaving a network, making the exfiltration invisible to the security system.

via Persistent, Covert Malware Causing Major Damage | threatpost.

no responses

  1. […] system. Depending on the nature of the rootkit the machine is most likely not cleanable at all. Windows Security Issues Causing Increasingly Diffulcult Malware Removals | Emmanuel Technology Consu… This is Why You Don’t Clean Infected Machines – A Lesson For Windows Admins | Emmanuel […]