Step-by-Step Guide: Finding and removing a rootkit

Feature

Step-by-Step Guide: Finding and removing a rootkit

In a nutshell, rootkits are nasty programs that can load on boot or temporarily live in memory and run in user mode (aka ring 3 for you processor gurus) and kernel mode (aka protected mode or ring 0).

Rootkits became pervasive in the Unix world, but the technology and its threat are slowly and surely bleeding into the Windows environment. They manipulate Windows by taking over the operating system -- even inside a virtual machine -- with the goal of hiding malware and controlling any or all aspects of the system.

Rootkits are relatively easy to install on victim hosts. To upload a rootkit, a determined attacker can do everything from exploit a Windows vulnerability to crack a password or even obtain physical system access. They can even con users into running an executable file in an email attachment or via a hyperlink distributed via email or instant messaging. Once they're in place, as you're likely to find out, rootkits aren't so easy to find or get rid of.

The rootkit threat is not as widespread as viruses and spyware. Given this fact, and the lack of a truly effective rootkit prevention solution, handling rootkits is largely a reactive process.

Here are various techniques and tools for finding rootkits and removing them from your systems if you suspect an infection:


Finding and removing a rootkit

 Home: Introduction
 Step 1: Is there a problem
 Step 2: Choose the right scanning tool
 Step 3: Clean up the mess
 Step 4: Bulletproof your efforts
ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com. Copyright 2006 TechTarget

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in December 2006

 

COMMENTS powered by Disqus  //  Commenting policy