Learn how to detect and remove rootkits in Windows systems with this collection of tips, written by Microsoft's Kurt Dillard.
How can I detect and remove rootkits from Windows?
Detection and removal are still frustrating. Aside from a few established rootkit detection tools, including VICE, Patchfinder2 and klister, many of the available tools were written by the same people who wrote the rootkits. I don't know about you, but I have a hard time trusting malware authors to clean up compromised computers.
However, several things happened in February to shine a spotlight on rootkits and prompt the creation of new detection tools. A mention of rootkits on Beyond Fear author Bruce Schneier's blog, and a presentation Mike Danseglio and I gave on Windows rootkits at the RSA Conference, received a surprisingly large amount of press. Since then, Sysinternals and F-Secure Corp. have each released a standalone rootkit detection tool, and Microsoft has added rootkit detection and removal to its Malicious Software Removal Tool, which it updates monthly.
Unfortunately, each time an existing tool is updated or a new tool is released, many rootkit authors update their malware to evade it. The result is an ongoing cat-and-mouse game in which systems administrators and users remain the victims.
All of this may sound terribly depressing, but there are effective measures you can implement to minimize the risk of being afflicted by rootkits or spyware. You should already be taking the following steps to secure your organization against this type of malware:
- Maintain up-to-date antivirus and antispyware software.
- Deploy network and host-based firewalls.
- Stay current on patches for operating systems and applications.
- Harden the operating system.
- Use strong authentication.
- Never use software from sources you don't trust.
We will explore a defense-in-depth approach to protecting your computers and networks in a later article in this series. In the meantime, check out Strider, a Microsoft research project for maintaining system integrity; its GhostBuster tool detects hidden files, registry entries and processes by comparing the view the Windows API reports with a lower-level view of the same data, so that anything a rootkit filters out of the API view shows up as a difference.
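As an added example (my own, not code from this article or from any of the tools it names), the following PowerShell script applies the cross-view idea behind Strider GhostBuster to the process list. View 1 is the enumeration that every user-mode tool sees (Get-Process, Task Manager, tasklist). View 2 asks the kernel about every possible PID directly with OpenProcess, which resolves a PID through the kernel's PID table rather than the linked list that enumeration walks; a rootkit that unlinks its process from that list (DKOM) usually leaves the PID resolvable. Any PID that resolves but is absent from the enumeration is reported. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run from an elevated prompt; the PID ceiling ($MaxPid) and the function names are my own choices.

```powershell
# Added example, not code from the article or from Sysinternals, F-Secure or Microsoft.
# Cross-view check: kernel PID lookup (OpenProcess) versus user-mode enumeration (Get-Process).
# Assumptions: run elevated on Windows; $MaxPid = 65536 is an assumption, raise it on hosts
# that have been up long enough for PIDs to climb past it.

$nativeProcSource = @'
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
# Add-Type refuses to redefine a type, so guard it for re-runs in the same session.
if (-not ('NativeProc' -as [type])) { Add-Type -TypeDefinition $nativeProcSource }

# True if the kernel can resolve this PID, regardless of whether enumeration lists it.
function Test-PidResolves {
    param([uint32]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5   # PID exists but the process is protected (System, PPL, EDR-guarded)
    $h = [NativeProc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][NativeProc]::CloseHandle($h)
        return $true
    }
    # Any other error (ERROR_INVALID_PARAMETER = 87 is the usual one) means no such process.
    return ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED)
}

function Find-HiddenProcessIds {
    param([uint32]$MaxPid = 65536)

    # View 1: what user-mode enumeration reports.
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[uint32]$_.Id] = $true }

    # View 2: probe every PID (Windows allocates PIDs as multiples of 4; 0 is Idle, 4 is System).
    $candidates = for ($id = 4; $id -lt $MaxPid; $id += 4) {
        if (-not $listed.ContainsKey([uint32]$id) -and (Test-PidResolves $id)) { $id }
    }

    # A process that started between the two views is new, not hidden: re-check each
    # candidate against a fresh enumeration and keep only those still missing.
    $fresh = @{}
    Get-Process | ForEach-Object { $fresh[[uint32]$_.Id] = $true }
    @($candidates | Where-Object { -not $fresh.ContainsKey([uint32]$_) -and (Test-PidResolves $_) })
}

$hidden = Find-HiddenProcessIds
if ($hidden.Count -eq 0) {
    "No PID resolves that is missing from the enumeration view."
} else {
    "Investigate these PIDs (resolvable by the kernel, absent from Get-Process): $($hidden -join ', ')"
}
```

A hit is a lead, not proof: pin the PID down with a second, independent view (a kernel debugger, a memory image, or one of the detectors above) before acting on it. The check also shares the article's cat-and-mouse limitation: a rootkit that hooks NtOpenProcess, or filters it with an object callback, can make its own PID fail to resolve and slip past View 2 as well.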
About the author: Kurt Dillard is a program manager with Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.