
Rootkit removal: Windows Security Clinic

As if you didn't have enough to worry about with all the virus, worm and spyware dilemmas plaguing your Windows environment -- now you have to think about rootkits. In this Windows Security Clinic, our "doctors" diagnose and troubleshoot a user problem that reeks of a rootkit.

Rootkits are the newest IT administrator headache. A rootkit is a collection of tools an attacker installs on a compromised machine to hide the intrusion and to keep privileged access once it has been obtained. The attacker first gets onto the system, typically by exploiting a known vulnerability or cracking a password, escalates to administrator level and then installs the rootkit. Components of the rootkit then harvest user IDs and passwords for other machines on the network, giving the attacker "root" or privileged access there as well.

A rootkit may also include utilities that monitor network traffic and keystrokes; create a "backdoor" into the system for the attacker's later use; alter log files; attack other machines on the network; and replace existing system tools (the process, network and file listing utilities an administrator relies on) with doctored versions that omit the attacker's files, processes and connections, so that the compromise goes undetected.
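Because a rootkit's doctored system tools report whatever the attacker wants, one check a practitioner reaches for is a file-integrity comparison: hash the tool binaries while the system is known good, keep that baseline off the machine, and later re-hash and diff. The following is an added example written for this page, not code from the article or its experts; the `tools` directory, the file names (`netstat.exe`, `tasklist.exe`, `svch0st.dll`) and their contents are constructed sample data standing in for a real system directory.

```python
"""Minimal file-integrity baseline and comparison (added example).

Hash every regular file under a directory into a baseline, store the
baseline somewhere the suspect machine cannot modify (read-only media,
another host), and later diff the live tree against it.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file's path (relative, '/'-separated) to its SHA-256.

    Symlinks are skipped so a planted link cannot point the scan elsewhere.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            baseline[rel] = hash_file(path)
    return baseline


def compare_to_baseline(root, baseline):
    """Return files that were modified, removed or added since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, tamper with the tree, diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp) / "tools"  # hypothetical stand-in for a system tools directory
        tools.mkdir()
        (tools / "netstat.exe").write_bytes(b"original netstat")    # constructed sample
        (tools / "tasklist.exe").write_bytes(b"original tasklist")  # constructed sample

        # Serialise the baseline as you would when storing it off-box.
        stored = json.dumps(build_baseline(tools), indent=2, sort_keys=True)

        # Simulated rootkit activity: replace one tool, delete another, drop a payload.
        (tools / "netstat.exe").write_bytes(b"trojaned netstat that hides the backdoor port")
        (tools / "tasklist.exe").unlink()
        (tools / "svch0st.dll").write_bytes(b"dropped payload")

        return compare_to_baseline(tools, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the example cannot remove. A kernel-level rootkit that hooks the file-system calls can feed the scanner the original bytes while the disk holds the trojaned copy, so for a suspect machine the comparison should be run from trusted boot media against the offline disk rather than from the running system. And a baseline stored on the same machine is only as trustworthy as the machine itself; keep it, and the hashing tool, somewhere the attacker cannot reach.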

So how are rootkits removed? Check out these solutions to a reader's rootkit problem from three Windows security experts.

The user's problem

"I'm the IT administrator at a large non-profit. Because of our shortage of budget and therefore staff, a lot of our regular users need administrator access to get their jobs done. Lately, more and more of them complain of their administrator applications crashing. Some of their management applications no longer work; for example, the antivirus software has been mysteriously disabled on some systems. Some get the blue screen of death when they try to access apps, while others have experienced unexplained restarts and/or weird error messages. The usual spyware/Trojan horse scans haven't turned up anything. What's going on? Are we going to need to rebuild each computer from scratch?"


The experts' remedy

Stage one: Diagnosis
Given the information in the scenario, is a rootkit to blame?

Stage two: Immediate actions
What steps should you take immediately after you discover a rootkit?

Stage three: Recovery
What should you do to start getting Windows on the road to recovery and normal operation?

Stage four: Preventative measures
How can you avoid being infected in the future?

About the experts

Kurt Dillard: Program manager, Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.

Lawrence Abrams: CTO of a New York City-based ISP, and owner/creator of BleepingComputer.com, a Web site devoted to teaching basic computer concepts with a focus on the removal of malware.

Kevin Beaver: CISSP, Principle Logic, LLC, author of Hacking For Dummies, co-author of Hacking Wireless Networks For Dummies and SearchWindowsSecurity.com's Windows Security Threats expert.

Do you have an idea for a Windows Security Clinic? E-mail us and we'll address it in our upcoming editions.

This was last published in August 2005
