Manage Learn to apply best practices and optimize your operations.

Rootkits: Managing the threat with prevention measures

Certainly rootkit detection tools are great to have, but taking some preventative measures -- like keeping a snapshot of your file system -- can go a long way toward mitigating the threat of rootkits. Contributor Jonathan Hassell recommends some other simple preventative measures in this week's malware tip.

Rootkits are becoming an increasingly dangerous problem to your network. Rootkits and other such malware are becoming even more sophisticated as time wears on. Today's malware can cloak itself from detection by AV and anti-rootkit software with a high degree of effectiveness, and some malware even has the ability to regenerate itself after a partial deletion (likely the result of an incomplete cleanup). As malware becomes heartier, your arsenal against it must also become stronger and more effective.

Here are a couple of steps to mitigate the surreptitious threat that rootkits pose:

  • More on rootkit education

    Expert advice collection: Rootkit education

    Comparing rootkit detection tools

    Use a rootkit detection tool. There are a number of these on the market. Sysinternals, mainly in response to the Sony DRM rootkit fiasco, developed a freeware tool called RootkitRevealer. Not all rootkits can be detected using software such as this, but it's a good first step to clean up the obvious problems.
  • Take a "diff" of your system. This one is for the more difficult infestations. For Windows users, Locate32 is a tool that creates a database of the names of all of the files on your hard drive. Although the primary purpose of this tool is to serve as a poor man's desktop search, it can track differences in files from one database snapshot to another. That turns out to be a very handy way to detect significant changes in your system directory, for example -- a telltale sign of a rootkit installation.

As the old adage goes, an ounce of prevention is worth a pound of cure. These preventative measures will help ensure rootkits never make it onto your systems:

  • Use some special Windows Registry tweaks. One such modification, for instance, is to create a limited set of permissions for the HKLM\SYSTEMCurrentControlSet\Services keys so that only authorized installer services can make entries there.
  • Buy best-of-breed commercial antivirus software. Newer versions of common AV solutions are beginning to include heuristic rootkit detection technology, which coupled with the distributed management capabilities of these business solutions will protect a lot of corporate desktops that are not currently shielded.
  • Consider a different browser platform. This is common advice, but it bears repeating here. Internet Explorer 6 has had a vast number of vulnerabilities and security holes since its release in 2001 with Windows XP. Rootkits often find IE a ripe vector for infiltrating systems and bypassing other defense mechanisms. Using Mozilla Firefox or another alternative browser is a relatively simple way to close a lot of significant doors into your Windows system.
  • Deploy firewalls both at the perimeter and internally. The common wisdom used to be that only perimeters needed firewalls -- your internal machines were trustworthy since they were located in a controlled environment. However, one machine with a rootkit installed strips that control away. Use a software-based firewall on your internal systems to seriously hinder the ability of rootkits to spread internally.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.

Dig Deeper on Windows applications

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.