
Rooting out a rootkit

As if you didn't have enough to worry about with all the viruses, worms and spyware dilemmas plaguing your Windows environment -- now you have to think about rootkits. In this Windows Security learning center, learn everything you need to know about rootkits with our various articles, tips, and guides.

A rootkit is a collection of tools that an attacker installs on a compromised computer to hide the intrusion and keep privileged access. After obtaining a foothold on the machine, typically by exploiting a known vulnerability or cracking a password, the attacker installs the rootkit. The rootkit then conceals the attacker's files, processes and network connections, and may harvest user IDs and passwords for other machines on the network, giving the attacker "root" or administrator-level access there as well. Note that installing a kernel-mode rootkit itself requires administrative privileges on the victim machine, which is why environments where ordinary users run as administrators are especially exposed.

A rootkit may also bundle utilities that monitor network traffic and keystrokes; open a "backdoor" so the attacker can return at will; alter or delete log entries; attack other machines on the network; and replace or hook existing system tools (for example, the programs that list files, processes, services and network connections) so that the attacker's activity stays hidden from normal inspection.
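Because a rootkit typically tampers with the very tools an administrator would use to look for it, a first-pass check is to verify those tools and to compare two independent views of the system. The PowerShell below is an added example, not code from the article or from any of the experts it quotes. It assumes Windows PowerShell 4.0 or later (for Get-FileHash and Get-CimInstance) and an elevated prompt on the suspect host; the list of tools in $toolsToCheck is an assumption chosen for illustration, not a list the article gives.

```powershell
# Added example, not from the original article. Run as Administrator on the suspect host.
# Check 1: Authenticode status and SHA-256 of system tools a rootkit commonly replaces.
# Check 2: cross-view comparison of the process list as seen by the .NET Process API
#          (Get-Process) and by WMI/CIM (Win32_Process). A mismatch is a lead, not proof.

# Assumed list of tools to verify; extend it to whatever your admins actually rely on.
$toolsToCheck = @(
    "$env:SystemRoot\System32\tasklist.exe",
    "$env:SystemRoot\System32\netstat.exe",
    "$env:SystemRoot\System32\sc.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\svchost.exe"
)

function Test-SystemToolSignatures {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) {
            Write-Warning "Missing: $p"
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SHA256 = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

function Compare-ProcessViews {
    # Two snapshots taken moments apart; short-lived processes may legitimately differ.
    $fromApi = Get-Process | Select-Object -ExpandProperty Id
    $fromCim = Get-CimInstance -ClassName Win32_Process | Select-Object -ExpandProperty ProcessId
    [pscustomobject]@{
        OnlyInProcessApi = @($fromApi | Where-Object { $_ -notin $fromCim })
        OnlyInCim        = @($fromCim | Where-Object { $_ -notin $fromApi })
    }
}

Test-SystemToolSignatures -Paths $toolsToCheck | Format-Table -AutoSize
Compare-ProcessViews | Format-List
```

Two caveats a practitioner should keep in mind. First, many Windows binaries are signed through security catalogs rather than embedded signatures, so older PowerShell versions may report NotSigned for a pristine file; compare the SHA-256 values against copies taken from install media or a known-clean machine rather than trusting the status field alone. Second, both process views here are user-mode APIs, and a kernel-mode rootkit can lie to both of them consistently. A clean result lowers suspicion but does not clear the machine; the only reliable view is one taken from outside the running OS, such as booting from clean media and inspecting the disk offline.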

So how are rootkits rooted out? Check out these solutions to a reader's rootkit problem from three Windows security experts.

The user's problem

"I'm the IT administrator at a large non-profit. Because of our shortage of budget and therefore staff, a lot of our regular users need administrator access to get their jobs done. Lately, more and more of them complain of their administrator applications crashing. Some of their management applications no longer work; for example, the antivirus software has been mysteriously disabled on some systems. Some get the blue screen of death when they try to access apps, while others have experienced unexplained restarts and/or weird error messages. The usual spyware/Trojan horse scans haven't turned up anything. What's going on? Are we going to need to rebuild each computer from scratch?"

The experts' remedy

Stage one: Diagnosis
Given the information in the scenario, is a rootkit to blame?

Stage two: Immediate actions
What steps should you take immediately after you discover a rootkit?

Stage three: Recovery
What should you do to start getting Windows on the road to recovery and normal operation?

Stage four: Preventative measures
How can you avoid being infected in the future?

About the experts

Kurt Dillard: Program manager, Microsoft Solutions for Security. He has collaborated on many solutions published by this team, including "Windows Server 2003 Security Guide" and "Threats and Countermeasures Guide: Security Settings in Windows Server 2003 and Windows XP". He has also co-authored two books on computer software and operating systems.

Lawrence Abrams: CTO of a New York City-based ISP, and owner/creator of, a Web site devoted to teaching basic computer concepts, focusing on the removal of malware.

Kevin Beaver: CISSP, Principle Logic, LLC, author of Hacking For Dummies, co-author of Hacking Wireless Networks For Dummies and's Windows Security Threats expert.

Do you have an idea for a Windows Security Clinic? E-mail us and we'll address it in our upcoming editions.

