Ask HN: How would you defeat a bootkit?

1 points by beeburrt 18 hours ago

If your main machine, your money-making linux computer, were infected with a very sophisticated rootkit and/or bootkit, how would you go about ridding your device of it?

LinuxBender 9 hours ago

If your main machine, your money-making linux computer, were infected with a very sophisticated rootkit and/or bootkit, how would you go about ridding your device of it?

Boot off a thumb drive or iPXE and flash the BIOS after confirming with the vendor in writing that this is how they would do it for this particular bootkit. If this is not sufficient, replace the BIOS chip. If that is not an option, write off the server and accept the losses and lessons learned. Implement better security. File lawsuits against the vendor if the server came with the bootkit.

benoau 18 hours ago

Using a Linux boot DVD that has never been near my network, I'd nuke the machine entirely. Then I'd set it up offline with an application-level firewall to block outgoing communication, and a limited account to block write access as much as possible across the system. I would also rebuild any other computers on your network in the same way. Before anything got back onto my network I would rebuild the router and stuff too.

ggm-at-algebras 17 hours ago

Do you trust the BIOS or UEFI enough to reinstall via unwritable media you downloaded independently? Was it a locked boot state? Does it have a locked reinstall image?

Checksums are your friend. If you had a checksum over the post-install BIOS state, you can verify the reinstall.

If not, remove the hard drive/ssd media and reconstruct elsewhere.
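One way to do the baseline-and-verify step that comment describes, as an added example that is not code from the thread: hash a firmware dump taken right after a clean install, then compare a later dump block by block so a mismatch can be localised rather than just detected. The dump being read out of band (external programmer or the vendor's documented procedure) and the 4 KiB block size are assumptions.

```python
"""Baseline-and-verify for a firmware dump (added example, not from the thread)."""
import hashlib

BLOCK = 4096  # assumed comparison granularity so a mismatch can be localised


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_baseline(image: bytes) -> dict:
    """Record a whole-image hash plus one hash per block of the clean dump."""
    blocks = [digest(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    return {"size": len(image), "sha256": digest(image), "blocks": blocks}


def verify(image: bytes, baseline: dict) -> dict:
    """Compare a fresh dump with the baseline; report which blocks differ."""
    if len(image) != baseline["size"]:
        return {"ok": False, "reason": "size mismatch", "changed_blocks": []}
    if digest(image) == baseline["sha256"]:
        return {"ok": True, "reason": "match", "changed_blocks": []}
    changed = [
        idx for idx, ref in enumerate(baseline["blocks"])
        if digest(image[idx * BLOCK:(idx + 1) * BLOCK]) != ref
    ]
    return {"ok": False, "reason": "content mismatch", "changed_blocks": changed}


if __name__ == "__main__":
    # Constructed sample: a 64 KiB stand-in for a dump, and a copy with one byte changed.
    clean = bytes(range(256)) * 256
    base = make_baseline(clean)
    altered = bytearray(clean)
    altered[5000] ^= 0xFF  # lands in block 1, so the report points there
    print(verify(bytes(altered), base))
```

In practice the baseline is stored off the machine, since a compromised host can rewrite it; blocks that legitimately change between boots (an NVRAM variable store, for instance) need to be known before a mismatch there is treated as a finding.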