Comment: Re:War is Hell, but not hellish enough. (Score 1) 591

by JRHelgeson (#38702620) Attached to: The New Transparency of War and Lethality of Hatred

In WWII, we learned important lessons... and unfortunately, we also learned the wrong lessons.
Many countries, instead of learning to fight evil, learned that fighting is evil. That kind of pacifism is lethal to a country. Fighting evil is a noble cause and must be done.

Comment: Re:Serious Hackers don't leave viruses/rootkits. (Score 1) 100

by JRHelgeson (#38600750) Attached to: Cleaning Up the Mess After a Major Hack Attack

With respect, shouldn't that be the first step?

The first step of moving on, yes. I would agree - but due to many factors it is not practical for many users.

We're like doctors in many respects: we can make all the recommendations we want, but the patient is going to do whatever they are going to do.

And referring to trustworthy backups - when the remote management software has been in place for x number of months, and it has been backed up, restoring the machine while doing virus scans profits you nothing if you are not looking for 'rogue' management tools.

Comment: Re:Serious Hackers don't leave viruses/rootkits. (Score 1) 100

by JRHelgeson (#38588470) Attached to: Cleaning Up the Mess After a Major Hack Attack

I'm not talking about hackers that run botnets - yes, they use rootkits. Never at any point have I stated that rootkits are obsolete or no longer used. What I am saying, and what I have said quite clearly, is that some criminals that want to obtain and maintain access to a corporate network are using remote network admin software. So, be on the lookout for it. That is all.

Comment: Re:Serious Hackers don't leave viruses/rootkits. (Score 2) 100

by JRHelgeson (#38587408) Attached to: Cleaning Up the Mess After a Major Hack Attack

Midnight_Falcon - did you not notice that I put the word (old) AFTER Dameware NT? It is less common now, but did the issue just go away? No, they have updated their software.

The point I wish to make, and have done, is that many hackers do not leave rootkits behind. They simply set themselves up as rogue network administrators within your network.

Comment: Re:Serious Hackers don't leave viruses/rootkits. (Score 2) 100

by JRHelgeson (#38587148) Attached to: Cleaning Up the Mess After a Major Hack Attack

I am quite familiar with "enumerating badness".
This is only done as part of a clean-up effort.
If management tools are running where they should not be, I want to know about it.
"Enumerating badness" is precisely what is required when you are hunting down an intrusion. It is not the best policy to take when defending one.

The overarching lesson I've learned in all these years is that a secure network is a well managed network. If you do not actively manage your network - there are plenty of criminals that would be happy to manage it for you.

Comment: Serious Hackers don't leave viruses/rootkits. (Score 5, Interesting) 100

by JRHelgeson (#38584714) Attached to: Cleaning Up the Mess After a Major Hack Attack

Like Kevin Mandia, I too clean up these messes professionally. Cleaning these things up starts with the data gathering and analysis, virus scans, offline analysis - and more that are not mentioned.

The MOST important thing that ANY admin should know is that the true professional hackers do not use rootkits. They will use exploits to gain their foothold, but rather than install a rootkit, they will install remote network admin utilities, such as Dameware NT utilities (old), or more recently I've seen LabTech Software.

From www.labtechsoftware.com
IT Systems Management Software providing a leading remote monitoring and management (RMM) solution for Managed Service Providers (MSP) and IT...

This software is great for Managed Service Providers - it also is a dream come true for cyber-criminals as it provides a backdoor into networks using signed code that will not appear on any antivirus, anti-malware or anti-rootkit scan. It can sit dormant for years, get backed up, and restored. Even if you do run anti-virus scans on your backups prior to restoring them - as one commenter stated above - it would be of no use.

So, when I am gathering the data dump, what I do is look for ALL network management tools, and I have created scripts that search for these.
*****
Google this: C:\WINDOWS\LTSVC\LTSVC.exe Hijackthis
You will find examples of people who have run Hijackthis on their computer and posted the log online. The common complaint is that they keep getting reinfected and cannot figure out how. They've run {insert virus tools here} a number of times and cannot figure it out. They usually resort to reinstalling the OS.
*****
Anyhow - gathering up all the logs from every device on the network, linking how they went from machine-to-machine, enumerating lists of installed software on each machine, and also performing offline analysis of drives, searching for any file/directory modifications based upon time stamp. It is FAR more involved, but it is the only way to enumerate the intrusion.

Removal must be done all at once. Either cut the network access of all the devices, then remove, or write a custom removal script and schedule it as a task to have everything be done at precisely the same moment.

I then have custom IDS signatures that look for any unauthorized Remote Management & Monitoring software.
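Added example (not the commenter's own scripts) of the inventory check described in this comment and in the backups comment higher on the page: classify each collected service row against a short list of RMM indicators, then flag any install on a host where that tool is not approved. The inventory rows, host names, the DameWare row, the indicator table and the approval policy are all constructed for illustration; the same function run over an inventory taken from a backup image shows what a restore would bring back.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed per-host service inventory (host, service name, binary path),
# in the shape a collection script would export. Not data from a real network.
INVENTORY_CSV = """host,service,image_path
WS-ACCT-01,LTService,C:\\WINDOWS\\LTSVC\\LTSVC.exe
WS-ACCT-02,LTService,C:\\WINDOWS\\LTSVC\\LTSVC.exe
FS-01,LTService,C:\\WINDOWS\\LTSVC\\LTSVC.exe
FS-01,Spooler,C:\\Windows\\System32\\spoolsv.exe
WS-ACCT-02,DameWare Mini Remote Control,C:\\Windows\\dwrcs\\DWRCS.exe
"""

# RMM indicators: tool label -> (binary basenames, service-name substrings).
# Illustrative starting list; extend it from your own software inventories.
RMM_INDICATORS = {
    "LabTech": ({"ltsvc.exe"}, ("ltservice",)),
    "DameWare": ({"dwrcs.exe"}, ("dameware",)),
}

# Policy: which RMM tools are sanctioned, and on which hosts (constructed).
APPROVED = {
    "LabTech": {"WS-ACCT-01", "WS-ACCT-02"},
}

def classify(service, image_path):
    """Return the RMM tool label a service row matches, or None."""
    base = PureWindowsPath(image_path).name.lower()
    svc = service.lower()
    for tool, (binaries, name_parts) in RMM_INDICATORS.items():
        if base in binaries or any(p in svc for p in name_parts):
            return tool
    return None

def unapproved_rmm(inventory_csv, approved=APPROVED):
    """Return sorted (host, tool, image_path) for RMM installs outside policy."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        tool = classify(row["service"], row["image_path"])
        if tool is None:
            continue
        if row["host"] not in approved.get(tool, set()):
            findings.append((row["host"], tool, row["image_path"]))
    return sorted(findings)

if __name__ == "__main__":
    for host, tool, path in unapproved_rmm(INVENTORY_CSV):
        print(f"{host}: unapproved {tool} at {path}")
```

The sorted host list in the findings is also the set of machines that must be cut off and cleaned in the same maintenance window, per the removal step above.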

Comment: E) None of the above (Score 1) 803

by JRHelgeson (#38079894) Attached to: Feds Helped Coordinate Occupy X Crackdowns

You'll never hear the real reason why in the mainstream media, because they support Occupy Wall Street, but there is a very clear reason why the Feds stepped in and shut this down.

What you may not have heard about is that on Friday, there was an assassination attempt on Obama. Haven't heard about it? Well, someone shot an AK-47 at the White House, and he had been at large until today, when they finally caught him and now the story is coming to light. Apparently, this guy went to the White House straight from the OWS encampment.
