Check IT List: Five steps for rootkit detection


Ed Tittel and Justin Korelc, Contributors
11.05.2008


Rootkit technologies are rapidly cropping up in a variety of places, including commercial security products and seemingly benign, third-party application extensions. Whatis.com defines rootkit technology as "a collection of tools or programs that enable administrator-level access to a computer or computer network. A hacker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network."

Sony and Symantec have recently been reported to be engaged in questionable practices involving rootkits. Both companies have reportedly had rootkit-based functionality in certain products. The technique involved uses a simple approach to hide activity and filesystem information from the Windows API, which prevents direct observation of the application's behavior. It also causes the operating system to misreport systemwide activity.

Finding and eradicating potential rootkit installations is not an exact science.



Rootkits can be installed on a computer in many ways. No single tool (and no combination of tools) can correctly identify all rootkits and rootkit-like behavior. The following Check IT list provides pointers and references to purpose-built tools that are useful for examining application behavior and determining if further investigation is necessary.

Note: If you do discover a rootkit (or rootkit-like software) on your machine, unless there's a targeted removal tool (as is the case for the Sony DRM software), the only way to remove a rootkit from an infected machine is to wipe the drive and reinstall everything. If that proves necessary, be sure to back up all files and settings or try to roll back to an earlier backup, drive image or restore point.


Ed Tittel is a full-time freelance writer and trainer based in Austin, Texas, who specializes in markup languages, information security, and IT certifications. Justin Korelc is a longtime Linux hacker who concentrates on hardware and software security topics. Ed and Justin contributed to a recent book on Home Theater PCs and "Tom's Hardware 2005 Holiday Buyer's Guide."






All Rights Reserved, Copyright 2008 - 2009, TechTarget