Tip

Rootkit removal and detection with Windows encryption

This tip is part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.

TABLE OF CONTENTS


Windows password security: Systems tools and policy
Securing Windows services to prevent hacker attacks
How to prevent SQL Server and Internet Explorer hack attacks
How to detect and remove rootkits with Windows encryption
Windows security: Remote Desktop, hosts file and keyboard lock down

Rootkits, whose name derives from 'root', the most powerful of Unix system accounts, have become a widespread concern for Windows users.

Some rootkits have been installed without obvious malice, such as in the infamous Sony BMG copy-prevention incident a couple of years ago, in which certain music CDs installed rootkits. Those rootkits inadvertently opened security holes on Windows machines that worms and viruses could have exploited. Most rootkits are plainly malicious, however, and should not be anywhere near a Windows computer.

Rootkit removal and detection
OK, so let us agree that Windows rootkits are hugely problematic, the reason being that an IT administrator -- or anyone else, for that matter -- cannot see them. They install by stealth and stay hidden. A well-written rootkit can hide files and folders, system processes, registry entries, services, network connections and even pages of memory.

Rootkits themselves, of course, are not dangerous; it is the malware they hide that does the damage. But the nature of a rootkit is that it prevents detection of that malicious application, so even the most stringent security policies are useless against this kind of malware.

Think of it like this: antivirus cannot protect against what it cannot see. It is therefore important to ensure that security software can prevent rootkits from installing in the first place, or detect and remove them if they are already installed.

Most heavyweight commercial Windows antivirus products now come prepared to handle rootkits. The most effective will employ behavioural blocking techniques to watch for processes that are known to manipulate other processes, and stop them dead.

Windows encryption allows for rootkit removal
Some versions of Windows, Vista for example, come with built-in BitLocker Drive Encryption. That is the perfect tool to help mitigate the risks rootkits present. BitLocker Drive Encryption offers sophisticated and effective rootkit prevention by verifying all the key data structures during the boot process, and it will abort if it spots anything untoward in the way of system tampering.

For those without Vista, don't panic: all is not lost. All Windows users can enable boot logging via msconfig.exe, which writes a list of the drivers loaded at boot to %SYSTEMROOT%; that list can then be compared against what the booted system thinks is there. Driver discrepancies can be caused by a kernel-mode rootkit installing a device driver that hides everything after booting. Better still, follow best practice and do not give everyone and their aunt administrator rights, as this reduces the opportunity for malware to install a rootkit in the first place.
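One way to do that comparison, as an added example rather than anything from the original tip: a PowerShell script that reads the boot log msconfig.exe produces (assumed here to be %SYSTEMROOT%\ntbtlog.txt, with entries of the form `BOOTLOG_LOADED <path>`) and diffs the driver names in it against the drivers the running system reports through the Win32_SystemDriver class.

```powershell
# Compare the drivers recorded at boot time (boot logging enabled in
# msconfig.exe -> Boot -> "Boot log", followed by a reboot) against the
# drivers the booted system currently admits to running.
# Assumption: the log lives at %SYSTEMROOT%\ntbtlog.txt and uses
# "BOOTLOG_LOADED <path>" lines for every driver that was loaded.

$bootLog = Join-Path $env:SYSTEMROOT 'ntbtlog.txt'
if (-not (Test-Path $bootLog)) {
    throw "Boot log not found at $bootLog. Enable boot logging in msconfig.exe and reboot first."
}

# Driver file names the kernel logged as loaded during boot.
$logged = foreach ($line in Get-Content $bootLog) {
    if ($line -match '^BOOTLOG_LOADED\s+(.+?)\s*$') {
        [System.IO.Path]::GetFileName($Matches[1]).ToLowerInvariant()
    }
}
$logged = @($logged | Sort-Object -Unique)

# Driver file names the booted system reports as running right now.
$running = Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
    Where-Object { $_.PathName } |
    ForEach-Object { [System.IO.Path]::GetFileName($_.PathName).ToLowerInvariant() } |
    Sort-Object -Unique
$running = @($running)

# "<=" : in the boot log but not reported by the live system (something
#        loaded at boot that the system now claims is not there).
# "=>" : reported as running but absent from the boot log (loaded after boot).
$diff = Compare-Object -ReferenceObject $logged -DifferenceObject $running

if (-not $diff) {
    Write-Output "Boot log and live driver list agree ($($logged.Count) drivers)."
} else {
    foreach ($entry in $diff) {
        $label = if ($entry.SideIndicator -eq '<=') { 'LOGGED-AT-BOOT-ONLY' } else { 'RUNNING-NOT-LOGGED' }
        Write-Output ("{0,-22} {1}" -f $label, $entry.InputObject)
    }
}
```

Expect some benign noise in both directions: drivers that load only during boot and then unload, and drivers started on demand after boot. Entries that survive that triage, particularly files the live system cannot account for, are the ones worth investigating offline.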

Windows BitLocker + TPM = Rootkit buster
Use BitLocker Drive Encryption on Windows Server and Vista where available. If at all possible, use BitLocker with a Trusted Platform Module (TPM) and add two-factor authorisation as well. This presents the double whammy of validating every boot process component, ensuring it is secure before the volume is decrypted, and adding the assurance of a USB token into the mix for good measure. BitLocker uses the TPM to store the root encryption key, hardening pre-boot security by a huge margin over encryption keys stored on the hard drive, which are far more vulnerable to compromise.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in October 2008
