Rootkit questions - suspect compromised box
I have reason to suspect my box has been compromised by a rootkit. I recently cleaned my drive and installed Ubuntu Studio. In the process I pulled some packages from restricted repos. Today, when I started this session, Ubuntu flashed a message saying Firestarter was being turned off. After GNOME loaded, I tried to load Firestarter from the menu and was prompted for my password. Firestarter never asks me for my password unless I'm making changes. There were other signs too, but I've been focused on a hardware problem since install, and errantly assumed the other smptoms were being triggered by that (or by a poorly QA'ed update). I started getting that sinking feeling as I did a mental calculation of every password, online transaction, email, etc. that's been executed from my rig in the last week.
I've done a preliminary search for info on rootkit detection, removal, and prophylaxis. It's not encouraging. Much of the information I've googled is dated and contradictory. So I ask:
- Is writing zeroes to the drive the only foolproof way to clean it? If not, what is the best option short of this?
- What is the best way to protect my rig from a rootkit in the future?
- Is there a detection package or method that will reliably detect a rootkit?
- Is there a reliable package or method to detect a rootkit before it's installed and active? Like if it were embedded in a package from a non-supported repo, or from any downloadable or tranferable source?
I re-read Fingal's sticky on security and am reviewing my entire approach to securing my system. Any accurate information, as pertains to rootkits, would be welcomed. In the meantime I'll be contacting my bank and changing passwords from a (hopefully) secure rig. Thanks.