May 15, 2006 12:00 AM

Defending Against Rootkits

Windows IT Pro
InstantDoc ID #50066

We've been hearing a lot about rootkits lately. What's the best defense against them, and what's the best detector?

The old adage "an ounce of prevention is worth a pound of cure" is especially apt when it comes to rootkits. Rootkit writers and rootkit-detector writers are engaged in an arms race: as soon as someone writes a better detector, someone else updates a rootkit so that it's even better camouflaged.

To look for evidence of one or more rootkits, detectors make requests to the OS for information such as file system listings, current processes, and active DLLs. Rootkits are designed to intercept those requests and "sanitize" the information (i.e., remove any evidence of themselves) before returning it to the requesting application. Right now, both parties are locked into reactive mode because they both need to know what the other is looking for. A rootkit can successfully hide only if it knows what questions the detector is asking. A detector can find a rootkit only if it knows what questions to ask the OS that won't be intercepted by the rootkit.

The fancy technology in rootkits is all in how they hide themselves once installed. Bad guys deploy rootkits the same way they deploy other malware, including buffer overflows and tricking users into running arbitrary code in their security context. If the user is an administrator of the computer, a rootkit installs itself effortlessly unless the antivirus software running locally is monitoring the infection vector and has been updated with the rootkit's signature.

Because rootkits use the same methods for deployment as other malware, you can use the same preventive techniques to guard against rootkits. In fact, if you and your users are already following these practices, you already have good protection against rootkits:

  • Keep systems patched.
  • Cover all the infection vectors (e.g., email attachments, Web downloads, removable media) with antivirus technologies and keep the signatures up to date.
  • Refrain from engaging in dangerous activities—including reading email, browsing the Web, and using document programs such as Microsoft Office and Adobe Acrobat—when logged on as an administrator.
  • Don't read email, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal Services.
  • Disable unneeded features and services; don't install unneeded applications.

Comments
  • Mark, May 27, 2006

    >> Right now, both parties are locked into reactive mode because they both need to know what the other is looking for. <<

    That's not entirely true. RootkitRevealer (free from sysinternals.com) reads the MFT and registry hives at the device level, parses their respective structures internally, then examines the system using the file system and registry APIs to look for anomalies indicative of data hiding or similar deception.

    In other words, it doesn't much care what any given rootkit plans to intercept; instead it relies on internally derived expectations of how the system should look.

    -Mark
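The cross-view approach that the answer's description of detector queries and Mark's comment both point at, as an added example (not code from the article, from Windows IT Pro, or from RootkitRevealer): one side is the detector's own parse of the raw on-disk structure, the other is the listing returned by the API a rootkit can hook, and the detection is the difference between them. Everything here is constructed: the two-field "record" layout stands in for real MFT records, the `_root_` hiding prefix is an assumed rootkit behaviour, and the live variant uses Linux's /proc (readdir versus a kill(pid, 0) probe of every PID) because that runs wherever Python runs; real NTFS and hive parsing is far more involved.

```python
"""Cross-view rootkit detection, illustrative only (added example, not from the article).

Ask the OS "list this directory" and a hooked API may answer with the rootkit's
files already removed. A cross-view detector also reads the underlying structure
with its own parser and diffs the two answers: names present in the raw parse
but absent from the API view are the anomaly.
"""
import os

# --- constructed raw view --------------------------------------------------
# Toy stand-ins for MFT file records: (name, in_use). NTFS keeps records of
# deleted files with the in-use bit clear, so a parser that does not apply the
# same rule the file system applies would flag every deleted file as "hidden".
RAW_RECORDS = [
    ("ntoskrnl.exe", True),
    ("hal.dll", True),
    ("oldlog.txt", False),        # deleted file whose record has not been reused
    ("_root_svc.sys", True),      # hidden by the constructed rootkit below
    ("_root_config.dat", True),
    ("notepad.exe", True),
]

def parse_raw_records(records):
    """Names the file system itself would show: in-use records only."""
    return {name for name, in_use in records if in_use}

# --- constructed API view --------------------------------------------------
HIDE_PREFIX = "_root_"   # assumption: the rootkit filters names with this prefix

def hooked_api_listing(records):
    """What a hooked directory-enumeration API returns: the honest listing with
    the rootkit's own files stripped before the caller ever sees them."""
    return {n for n in parse_raw_records(records) if not n.startswith(HIDE_PREFIX)}

# --- the cross-view comparison ---------------------------------------------
def cross_view_diff(api_view, raw_view):
    """'hidden' (raw but not API) is the rootkit signal. 'phantom' (API but not
    raw) usually means a parser gap or a change between the two enumerations;
    re-scan before alerting rather than treating it as an infection."""
    api_view, raw_view = set(api_view), set(raw_view)
    return {"hidden": sorted(raw_view - api_view),
            "phantom": sorted(api_view - raw_view)}

# --- live variant: processes on a Linux host (not Windows, see lead-in) -----
def _alive(pid):
    """kill(pid, 0) delivers no signal; it only reports whether the PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True     # exists but belongs to another user
    return True

def live_process_cross_view(max_pid=32768):
    """The readdir view of /proc (what ps relies on) against a brute-force probe
    of every PID. A PID the probe finds that /proc does not list is the anomaly.
    Benign causes of differences: processes starting or exiting between the two
    enumerations (handled by re-checking below), proc mounted with hidepid, and
    PID namespaces. For a full scan use /proc/sys/kernel/pid_max as max_pid."""
    if not os.path.isdir("/proc"):
        return None
    api_view = {int(d) for d in os.listdir("/proc") if d.isdigit() and int(d) <= max_pid}
    probed = {pid for pid in range(1, max_pid + 1) if _alive(pid)}
    diff = cross_view_diff(api_view, probed)
    diff["hidden"] = [p for p in diff["hidden"]
                      if _alive(p) and not os.path.exists(f"/proc/{p}")]
    diff["phantom"] = [p for p in diff["phantom"] if os.path.exists(f"/proc/{p}")]
    return diff

if __name__ == "__main__":
    print(cross_view_diff(hooked_api_listing(RAW_RECORDS), parse_raw_records(RAW_RECORDS)))
    print(live_process_cross_view())
```

The point the in-use flag makes is the practical one: the raw parser has to reproduce every rule the OS applies legitimately (deleted records, metafiles, and so on), or the detector drowns in false positives and the real discrepancy gets ignored.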
