Rootkits: Managing the threat with prevention measures


Jonathan Hassell
08.22.2006


Advice for securing Windows


Rootkits are an increasingly dangerous problem for your network, and both the rootkits and the malware they conceal grow more sophisticated as time goes on. Today's malware can hide from antivirus and anti-rootkit software with a high degree of effectiveness, and some of it can regenerate itself after a partial removal (typically the result of an incomplete cleanup). As malware becomes hardier, your arsenal against it must become stronger and more effective.

Here are two steps to mitigate the surreptitious threat that rootkits pose:

  • Use a rootkit detection tool. There are a number of these on the market. Sysinternals' free RootkitRevealer is the tool Mark Russinovich used to uncover the Sony BMG DRM rootkit; it works by comparing what the Windows API reports for the file system and Registry against a raw read of the same data, and reports the discrepancies that a rootkit's hiding creates. Not every rootkit can be detected with software of this kind (one written with a particular scanner in mind can hide from it), but it is a good first step for cleaning up the obvious problems.
  • Take a "diff" of your system. This one is for the more difficult infestations. For Windows users, Locate32 is a tool that builds a database of the names of all of the files on your hard drive. Although its primary purpose is to serve as a poor man's desktop search, it can track differences in files from one database snapshot to another. That turns out to be a very handy way to detect significant changes in your system directory, for example, which are a telltale sign of a rootkit installation. Take the baseline snapshot on a machine you know to be clean, and keep in mind that a snapshot taken on a running, infected system sees only what the rootkit lets the operating system show it.
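The snapshot-and-diff technique described above, as an added example written for this page rather than code from the article or from Locate32: it records a SHA-256 hash for every file under a directory and reports what was added, removed or changed between two snapshots, which is a stronger check than a name-only listing because a replaced file with the same name still shows up. The function names, the snapshot file locations and the choice of System32 as the target are this example's own assumptions; it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example, not from the original article or from Locate32.
# Snapshot a directory tree with SHA-256 hashes, then diff two snapshots.
# Function names and file locations are illustrative; needs PowerShell 4.0+ (Get-FileHash).

function New-DirSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $OutFile
    )
    # -Force includes hidden and system files, which is where droppers like to sit.
    # -LiteralPath avoids wildcard expansion of brackets in file names.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = 'UNREADABLE'   # locked files are still recorded by name and size
            try {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch { }
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Mtime  = $_.LastWriteTimeUtc.ToString('o')
                Sha256 = $hash
            }
        } | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-DirSnapshot {
    param(
        [Parameter(Mandatory)] [string] $Before,
        [Parameter(Mandatory)] [string] $After
    )
    $old = @{}; Import-Csv -LiteralPath $Before | ForEach-Object { $old[$_.Path] = $_ }
    $new = @{}; Import-Csv -LiteralPath $After  | ForEach-Object { $new[$_.Path] = $_ }

    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'ADDED';    Path = $p; Sha256 = $new[$p].Sha256 }
        } elseif ($old[$p].Sha256 -ne $new[$p].Sha256 -or $old[$p].Size -ne $new[$p].Size) {
            # Size is compared as well, so a file that was unreadable in both
            # snapshots but changed length is still reported.
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $p; Sha256 = $new[$p].Sha256 }
        }
    }
    foreach ($p in $old.Keys) {
        if (-not $new.ContainsKey($p)) {
            [pscustomobject]@{ Change = 'REMOVED';  Path = $p; Sha256 = $old[$p].Sha256 }
        }
    }
}

# Usage: take the baseline on a known-clean machine, take another later and diff.
# New-DirSnapshot -Path "$env:SystemRoot\System32" -OutFile C:\Baseline\system32-before.csv
# New-DirSnapshot -Path "$env:SystemRoot\System32" -OutFile C:\Baseline\system32-after.csv
# Compare-DirSnapshot -Before C:\Baseline\system32-before.csv -After C:\Baseline\system32-after.csv |
#     Sort-Object Change, Path | Format-Table -AutoSize
```

Two caveats apply to any diff taken this way. A kernel-mode rootkit that filters file-system requests hides its files from Get-ChildItem exactly as it hides them from Explorer, so the trustworthy way to snapshot a suspect machine is to boot it from clean media (a WinPE disk, for instance) and point -Path at the mounted system volume. And System32 changes legitimately with every patch cycle, so refresh the baseline right after each round of updates; otherwise the signal is buried in expected churn.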

As the old adage goes, an ounce of prevention is worth a pound of cure. These preventive measures will help keep rootkits from getting onto your systems in the first place:

  • Use some special Windows Registry tweaks. One such modification is to restrict the permissions on the HKLM\SYSTEM\CurrentControlSet\Services key so that only administrators and authorized installer services can create entries there. Every Windows service and kernel driver, including a rootkit's, has to register under this key to be loaded at boot, so tightening it cuts off the usual way a rootkit makes itself persistent. Test the change before deploying it, since legitimate installers and Windows Update write there too, and keep in mind that malware already running with administrative rights can put the permissions back.
  • Buy best-of-breed commercial antivirus software. Newer versions of the common AV products are beginning to include heuristic rootkit detection, which, coupled with the centralized management these business products provide, will protect a lot of corporate desktops that are not shielded today.
  • Consider a different browser platform. This is common advice, but it bears repeating here. Internet Explorer 6 has had a vast number of vulnerabilities and security holes since its release with Windows XP in 2001, and the droppers that install rootkits often use it as a vector for getting onto a system and past other defenses. Using Mozilla Firefox or another alternative browser is a relatively simple way to close a lot of significant doors into your Windows system, provided the replacement is kept patched as well. Whichever browser you choose, running it from a non-administrator account limits what a browser exploit is able to install.
  • Deploy firewalls both at the perimeter and internally. The common wisdom used to be that only the perimeter needed a firewall: internal machines were trustworthy because they sat in a controlled environment. One machine with a rootkit installed strips that control away. A host-based (software) firewall on your internal systems, with inbound connections blocked by default and exceptions only for the services each machine actually offers, seriously hinders the ability of a compromised machine to spread the infection to its neighbors.
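An implementation of the Services-key permission check from the first item above, added here as an example and not part of the original article: it lists every access-control entry on HKLM\SYSTEM\CurrentControlSet\Services that grants rights sufficient to add or alter a service definition, flags principals outside an allow-list, and optionally adds an audit entry so that writes to the key show up in the Security log. The function names, the allow-list and the audit settings are this example's assumptions; it must run from an elevated PowerShell session.

```powershell
# Added example, not from the original article. Audit who can write to the
# Services key and, optionally, turn on auditing of writes to it.
# Function names and the allow-list are this example's assumptions; run elevated.

function Get-ServicesKeyWriteAccess {
    param(
        [string]   $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services',
        # Principals that legitimately write service entries on a stock Windows install.
        # CREATOR OWNER is an inherit-only entry that applies to subkeys these create.
        [string[]] $Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
    )
    $R = [System.Security.AccessControl.RegistryRights]
    # Any of these lets a principal add or alter a service definition, or grant
    # itself the right to do so. FullControl is deliberately not in the mask: it
    # is a superset of every right and would match read-only ACEs as well.
    $writeMask = $R::SetValue -bor $R::CreateSubKey -bor
                 $R::ChangePermissions -bor $R::TakeOwnership

    $acl = Get-Acl -Path $KeyPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Generic rights (e.g. GENERIC_ALL) show up as large integers; -band still works.
        if (([int]$ace.RegistryRights -band [int]$writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.RegistryRights
            Inherited  = $ace.IsInherited
            Unexpected = ($Allowed -notcontains $ace.IdentityReference.Value)
        }
    }
}

function Enable-ServicesKeyWriteAuditing {
    param([string] $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    # Audit successful writes by anyone, inherited by every service subkey.
    $rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]::Success
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $rights, $inherit, $prop, $flags)

    $acl = Get-Acl -Path $KeyPath -Audit      # -Audit reads the SACL; needs SeSecurityPrivilege
    $acl.AddAuditRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
    # Events are only generated once the Registry subcategory of object-access
    # auditing is enabled:  auditpol /set /subcategory:"Registry" /success:enable
}

# Usage:
# Get-ServicesKeyWriteAccess | Format-Table -AutoSize
# Get-ServicesKeyWriteAccess | Where-Object Unexpected
# Enable-ServicesKeyWriteAuditing
```

Read the output with the right expectations. Anything already running as SYSTEM or as a member of Administrators, which is how rootkit installers run, can grant itself access and reset these permissions, so the ACL and the audit trail raise the bar and leave evidence rather than stopping a determined attacker outright; the durable control is keeping ordinary users out of the Administrators group. Independently of the SACL, the Service Control Manager logs every successful service installation to the System log as event ID 7045, which is worth collecting centrally for the same reason.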

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

All Rights Reserved, Copyright 2008 - 2009, TechTarget | Read our Privacy Policy