• Barbarian@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    8 months ago

    It’s not easy, but it’s really not worth the massive gaping security vulnerability you are giving your users. One disgruntled employee giving out the keys to the castle or one programmer plugging in an infected USB, and every user now has a persistent malicious rootkit. The only way to fix an issue that deep after it gets exploited is to literally throw away your hard drive.

    • JimboDHimbo@lemmy.ca
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      8 months ago

      The only way to fix an issue that deep after it gets exploited is to literally throw away your hard drive.

      This can’t be right.

      Don’t throw your hard drive in the trash. Quarantine the infected computer, and then wipe that hoe and slap your choice of OS back on it and scan/monitor to see if any issues arise.

      Edit: since folks may or may not read though the rest of the conversation: I am wrong, throw that SSD/HDD in the garbage like barbarian said.

      • Barbarian@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        14
        ·
        edit-2
        8 months ago

        I’m sorry to disappoint, but with rootkits, that is very real. With that level of permissions, it can rewrite HDD/SSD drivers to install malware on boot.

        There’s even malware that can rewrite BIOS/UEFI, in which case the whole motherboard has to go in the bin. That’s much less likely due to the complexity though, but it does exist.

        • JimboDHimbo@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          ·
          8 months ago

          not all rootkits are made to do that. So yes in some cases, throw it in the trash. In others, remediate your machine and move on.

          • Barbarian@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            10
            ·
            8 months ago

            Outside of monitoring individual packets outside of your computer (as in, man in the middle yourself with a spare computer and hoping the malware phones home right when you’re looking) there’s no way of knowing.

            Once ring 0 is compromised, nothing your computer says can be trusted. A compromised OS can lie to anti-malware scanners, hide things from the installed software list and process manager, and just generally not show you what it doesnt want to show you. “Just remediate” does not work with rootkits.

            • JimboDHimbo@lemmy.ca
              link
              fedilink
              English
              arrow-up
              7
              ·
              8 months ago

              Dude… That’s fucked. They should really go a little more in depth on rootkits in the CompTIA A+ study material. I mean, I get that it’s supposed to be a foundational over view of most IT concepts, but it would have helped me not look dumb.

              • Barbarian@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                7
                ·
                edit-2
                8 months ago

                Please don’t walk away from this feeling dumb. Most IT professionals aren’t aware of the scale of the issue outside of sysadmin and cybersecurity. I’ve met programmers who shrug at the most egregious vulnerabilities, and vendors who want us to put dangerous stuff on our servers. Security just isn’t taken as seriously as it should be.

                Unrelated, but I wish you the best of luck with your studies!

                • JimboDHimbo@lemmy.ca
                  link
                  fedilink
                  English
                  arrow-up
                  3
                  ·
                  edit-2
                  8 months ago

                  Good morning! If anything this was a great example of not being able to know everything when it comes to IT and especially cybersecurity. Thank you for your well wishes! I earned my A+ last month and I’m currently working on a Google cybersec certificate, since it’ll give me 30% off on the sec+ exam price. I really appreciate your insight on rootkits and it’s definitely going in my notes!

                  • Barbarian@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    4
                    ·
                    edit-2
                    8 months ago

                    Glad to hear it!

                    Just as another thing to add to your notes, in ordinary circumstances, it’s practically impossible for non-government actors to get rootkits on modern machines with the latest security patches (EDIT: I’m talking remotely. Physical access is a whole other thing). To work your way up from ring 3 (untrusted programs) all the way to ring 0 (kernel), you’d need to chain together multiple zero day vulnerabilities which take incredibly talented cybersec researchers years to discover, keep hidden and then exploit. And all that is basically one-use, because those vulnerabilities will be patched afterwards.

                    This is why anti-cheat rootkits are so dangerous. If you can exploit the anti-cheat software, you can skip all that incredibly difficult work and go straight to ring 0.

                    EDIT: Oh, and as an added note, generally speaking if you have physical access to the machine, you own the machine. There is no defence possible against somebody physically being able to plug a USB stick in and boot from whatever OS they want and bypass any defences they want.