A rootkit is a collection of tools that a hacker uses to mask intrusion to a computer network and obtain administrator-level access. After the hacker obtains user-level access, he installs the rootkit, either by exploiting a known vulnerability or cracking a password. The rootkit then collects user IDs and passwords to other machines on the network, thus giving the hacker "root" or privileged access.
A rootkit may consist of utilities that also monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing systems tools to circumvent detection.
So how are rootkits rooted out? Check out these solutions to a reader's rootkit problem from three Windows security experts.
The user's problem
"I'm the IT administrator at a large non-profit. Because of our shortage of budget and therefore staff, a lot of our regular users need administrator access to get their jobs done. Lately, more and more of them complain of their administrator applications crashing. Some of their management applications no longer work; for example, the antivirus software has been mysteriously disabled on some systems. Some get the blue screen of death when they try to access apps, while others have experienced unexplained restarts and/or weird error messages. The usual spyware/Trojan horse scans haven't turned up anything. What's going on? Are we going to need to rebuild each computer from scratch?"
The experts' remedy
Kurt Dillard: Program manager, Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.
Lawrence Abrams: CTO of a New York City, NY.-based ISP, and owner/creator of BleepingComputer.com, a Web site devoted to teaching basic computer concepts focusing on the removal of malware.
Do you have an idea for a Windows Security Clinic? E-mail us and we'll address it in our upcoming editions.