In a nutshell, rootkits are nasty programs that can load on boot or temporarily live in memory and run in user mode (aka ring 3 for you processor gurus) and kernel mode (aka protected mode or ring 0).
Rootkits became pervasive in the Unix world, but the technology and its threat are slowly and surely bleeding into the Windows environment. They manipulate Windows by taking over the operating system -- even inside a virtual machine -- with the goal of hiding malware and controlling any or all aspects of the system.
Rootkits are relatively easy to install on victim hosts. To upload a rootkit, a determined attacker can do everything from exploiting a Windows vulnerability to cracking a password or even obtaining physical system access. They can even con users into running an executable file in an email attachment or via a hyperlink distributed via email or instant messaging. Once they're in place, as you're likely to find out, rootkits aren't so easy to find or get rid of.
The rootkit threat is not as widespread as viruses and spyware. Given this fact, and the lack of a truly effective rootkit prevention solution, handling rootkits is largely a reactive process.
Here are various techniques and tools for finding rootkits and removing them from your systems if you suspect an infection:
Finding and removing a rootkit
Step 1: Is there a problem?
Step 2: Choose the right scanning tool
Step 3: Clean up the mess
Step 4: Bulletproof your efforts
ABOUT THE AUTHOR:
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com. Copyright 2006 TechTarget
This was first published in December 2006