Rootkits: Managing the threat with prevention measures

Rootkits are an increasingly dangerous problem for your network, and they and other malware grow more sophisticated over time. Today's malware can cloak itself from detection by AV and anti-rootkit software with a high degree of effectiveness, and some malware can even regenerate itself after a partial deletion (likely the result of an incomplete cleanup). As malware becomes hardier, your arsenal against it must also become stronger and more effective.

Here are a couple of steps to mitigate the surreptitious threat that rootkits pose:

  • Use a rootkit detection tool. There are a number of these on the market. Sysinternals, mainly in response to the Sony DRM rootkit fiasco, developed a freeware tool called RootkitRevealer. Not all rootkits can be detected using software such as this, but it's a good first step to clean up the obvious problems.
  • Take a "diff" of your system. This one is for the more difficult infestations. For Windows users, Locate32 is a tool that creates a database of the names of all of the files on your hard drive. Although the primary purpose of this tool is to serve as a poor man's desktop search, it can track differences in files from one database snapshot to another. That turns out to be a very handy way to detect significant changes in your system directory, for example -- a telltale sign of a rootkit installation.
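
A minimal version of the snapshot-and-compare idea from the "diff" step, as an added example that is not from the original article or from Locate32. It goes beyond file names by recording a SHA-256 hash per file, so a same-size replacement is also caught; the directory contents and file names in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to (size, SHA-256 hex digest)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                entry = (os.path.getsize(full), digest.hexdigest())
            except OSError:
                # Locked or unreadable file: record it so it still appears in a diff.
                entry = (-1, "unreadable")
            result[os.path.relpath(full, root)] = entry
    return result

def diff(before, after):
    """Return sorted lists of added, removed and changed paths."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, changed

def demo():
    """Constructed sample: a temp directory stands in for a system directory."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        write("kernel32.dll", b"original")
        write("notepad.exe", b"editor")
        write("old.sys", b"legacy driver")
        baseline = snapshot(root)
        write("kernel32.dll", b"patched!")   # same size, different content
        write("newdrv.sys", b"new driver")   # file that was not in the baseline
        os.remove(os.path.join(root, "old.sys"))
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "changed"), demo()):
        print(label, paths)
```

Take the baseline from a known-clean state and keep it off the machine; a snapshot taken through an already-compromised OS only sees what that OS reports.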

As the old adage goes, an ounce of prevention is worth a pound of cure. These preventative measures will help ensure rootkits never make it onto your systems:

  • Use some special Windows Registry tweaks. One such modification, for instance, is to create a limited set of permissions for the HKLM\SYSTEM\CurrentControlSet\Services keys so that only authorized installer services can make entries there.
  • Buy best-of-breed commercial antivirus software. Newer versions of common AV solutions are beginning to include heuristic rootkit detection technology, which, coupled with the distributed management capabilities of these business solutions, will protect a lot of corporate desktops that are not currently shielded.
  • Consider a different browser platform. This is common advice, but it bears repeating here. Internet Explorer 6 has had a vast number of vulnerabilities and security holes since its release in 2001 with Windows XP. Rootkits often find IE a ripe vector for infiltrating systems and bypassing other defense mechanisms. Using Mozilla Firefox or another alternative browser is a relatively simple way to close a lot of significant doors into your Windows system.
  • Deploy firewalls both at the perimeter and internally. The common wisdom used to be that only perimeters needed firewalls -- your internal machines were trustworthy since they were located in a controlled environment. However, one machine with a rootkit installed strips that control away. Use a software-based firewall on your internal systems to seriously hinder the ability of rootkits to spread internally.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

This was first published in August 2006
