May 15, 2006 10:15 PM

Defending Against Rootkits

Windows IT Pro
InstantDoc ID #50066
Main Article: Access Denied, June 2006

We've been hearing a lot about rootkits lately. What's the best defense against them, and what's the best detector?

The old adage "an ounce of prevention is worth a pound of cure" is especially apt when it comes to rootkits. Rootkit writers and rootkit-detector writers are engaged in an arms race: as soon as someone releases a better detector, someone else updates a rootkit so that it is even better camouflaged.

To look for evidence of one or more rootkits, a detector asks the OS for information such as file system listings, the current processes, and the loaded DLLs. A rootkit is designed to intercept those requests and "sanitize" the answers (i.e., remove any evidence of itself) before the OS returns them to the requesting application. Right now, both parties are locked into a reactive mode because each needs to know what the other is looking for. A rootkit can hide successfully only if it knows which questions the detector asks. A detector that relies on the same OS calls can find a rootkit only if it knows which questions to ask that the rootkit hasn't intercepted.

The fancy technology in rootkits is all in how they hide themselves once installed. The bad guys deploy rootkits the same way they deploy other malware, including buffer overflows and tricking users into running arbitrary code under their own account. If the user is an administrator on the computer, a rootkit installs itself effortlessly (installing a driver or patching the kernel needs those rights) unless the locally running antivirus software is monitoring the infection vector and has a signature for that rootkit.

Because rootkits are deployed the same way as other malware, the same preventive techniques guard against them. In fact, if you and your users already follow these practices, you already have good protection against rootkits:

  • Keep systems patched.
  • Cover all the infection vectors (e.g., email attachments, Web downloads, removable media) with antivirus technologies and keep the signatures up to date.
  • Refrain from engaging in dangerous activities—including reading email, browsing the Web, and using document applications such as Microsoft Office and Adobe Acrobat—while logged on as an administrator.
  • Don't read email, browse the Web, or work with documents while logged on at servers interactively or through Windows Terminal Services.
  • Disable unneeded features and services; don't install unneeded applications.

Comments

>> Right now, both parties are locked into reactive mode because they both need to know what the other is looking for. <<

That's not entirely true. RootkitRevealer (free from sysinternals.com) reads the MFT and registry hives at the device level, parses their respective structures internally, then examines the system using the file system and registry APIs to look for anomalies indicative of data hiding or similar deception.

In other words, it doesn't much care what any given rootkit plans to intercept; instead it relies on internally derived expectations of how the system should look.

-Mark

Mark, 5/27/2006 1:17:29 PM
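The cross-view approach Mark describes, and the question-and-answer game the column describes in the body (a detector asks the OS, a rootkit filters the answer), can both be shown in miniature. The following Python is an added illustration, not code from the article or from RootkitRevealer. It parses a constructed, simplified record table directly (standing in for reading the MFT at the device level), obtains a second listing through a "directory API" that a hypothetical rootkit hook has sanitized, and reports whatever the raw view contains that the API view does not. The record layout, the `_rk_` name prefix, and every sample entry are constructed for the example; the layout is not real NTFS.

```python
"""Cross-view rootkit detection, in miniature.

Added illustration, not code from the article or from RootkitRevealer.
Two enumerations of the same data are compared: a "raw" view parsed from
on-disk structures (a constructed, simplified MFT-like record table) and an
"API" view that a hidden component may have filtered. Entries that exist in
the raw view but not in the API view are reported as hidden.
"""
import struct
from dataclasses import dataclass

# Constructed record layout (not real NTFS): 2-byte flags, 2-byte name
# length in bytes, then the UTF-16LE name, zero-padded to 32 bytes.
# Bit 0 of flags means "record in use"; a clear bit marks a deleted slot.
RECORD_SIZE = 32
FLAG_IN_USE = 0x0001
HDR = struct.Struct("<HH")


@dataclass(frozen=True)
class RawRecord:
    index: int
    in_use: bool
    name: str


def build_record(name: str, in_use: bool = True) -> bytes:
    """Serialize one constructed record (used only to build sample input)."""
    enc = name.encode("utf-16-le")
    body = HDR.pack(FLAG_IN_USE if in_use else 0, len(enc)) + enc
    if len(body) > RECORD_SIZE:
        raise ValueError("name too long for the toy record format")
    return body.ljust(RECORD_SIZE, b"\0")


def parse_raw_table(blob: bytes) -> list[RawRecord]:
    """Parse the record table ourselves instead of asking the OS for a listing."""
    if len(blob) % RECORD_SIZE:
        raise ValueError("truncated record table")
    out = []
    for off in range(0, len(blob), RECORD_SIZE):
        rec = blob[off:off + RECORD_SIZE]
        flags, nlen = HDR.unpack_from(rec)
        if nlen > RECORD_SIZE - HDR.size:
            raise ValueError(f"corrupt name length in record {off // RECORD_SIZE}")
        name = rec[HDR.size:HDR.size + nlen].decode("utf-16-le")
        out.append(RawRecord(off // RECORD_SIZE, bool(flags & FLAG_IN_USE), name))
    return out


def api_listing(records, hook=None) -> list[str]:
    """What a directory-listing API returns. `hook`, if given, stands in for a
    rootkit that intercepts the call and sanitizes the result."""
    names = [r.name for r in records if r.in_use]
    return hook(names) if hook else names


def hiding_hook(names, prefix="_rk_") -> list[str]:
    """Constructed stand-in for a rootkit filter: drop the entries it owns."""
    return [n for n in names if not n.startswith(prefix)]


def cross_view_diff(raw_records, api_names):
    """Compare the two views. NTFS names are case-insensitive, so compare
    casefolded; deleted raw slots are skipped so they don't produce false hits.
    Returns (hidden, phantom): hidden = in raw but not API, phantom = the reverse."""
    raw = {r.name.casefold(): r.name for r in raw_records if r.in_use}
    api = {n.casefold(): n for n in api_names}
    hidden = sorted(raw[k] for k in raw.keys() - api.keys())
    phantom = sorted(api[k] for k in api.keys() - raw.keys())
    return hidden, phantom


def demo():
    """Constructed sample volume: ordinary files, one deleted slot, and two
    entries the hypothetical rootkit wants hidden. Returns the diff for a
    clean API view and for a hooked one."""
    blob = b"".join([
        build_record("ntoskrnl.exe"),
        build_record("OLDFILE.TMP", in_use=False),
        build_record("_rk_driver.sys"),
        build_record("notes.txt"),
        build_record("_rk_config.dat"),
    ])
    raw = parse_raw_table(blob)
    clean = cross_view_diff(raw, api_listing(raw))
    hooked = cross_view_diff(raw, api_listing(raw, hook=hiding_hook))
    return clean, hooked


if __name__ == "__main__":
    clean, hooked = demo()
    print("clean system:", clean)
    print("hooked system:", hooked)
```

The point of the design is that the detector never asks the hooked API which files exist; it derives its own expectation from the raw structures and only uses the API as the thing to be checked. The two caveats a practitioner hits in practice are already built in: deleted slots in the raw structures must be ignored or every recently deleted file becomes a "hidden" finding, and comparison must follow the file system's case rules or differently cased names produce phantom discrepancies. Anything in `phantom` (present through the API but absent from the raw parse) is usually a file that changed between the two scans rather than a rootkit, which is why real tools re-scan before reporting.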

