Step-by-Step Guide: Finding and removing a rootkit

It's difficult -- but not impossible -- to be totally sure that your system is 100% rootkit free, says Windows security expert Kevin Beaver. In this step-by-step guide, Beaver shows you how to strengthen your Windows systems against the rootkit threat.

In a nutshell, rootkits are malicious programs that either load at boot or live only in memory, and they run in user mode (ring 3, for the processor gurus) or in kernel mode (ring 0, sometimes loosely called protected mode).

Rootkits became pervasive in the Unix world, but the technology and its threat are slowly but surely bleeding into the Windows environment. They manipulate Windows by taking over the operating system -- even inside a virtual machine -- with the goal of hiding malware and controlling any or all aspects of the system.

Rootkits are relatively easy to install on victim hosts. To plant a rootkit, a determined attacker can do anything from exploiting a Windows vulnerability to cracking a password or even obtaining physical access to the system. Attackers can also con users into running an executable file sent as an email attachment or reached via a hyperlink distributed by email or instant messaging. Once they're in place, as you're likely to find out, rootkits aren't so easy to find or get rid of.

The rootkit threat is not yet as widespread as that of viruses and spyware. Given this fact, and the lack of a truly effective rootkit prevention solution, handling rootkits is largely a reactive process.

Here are various techniques and tools for finding rootkits and removing them from your systems if you suspect an infection:

Finding and removing a rootkit
  Introduction
  Step 1: Is there a problem?
  Step 2: Choose the right scanning tool
  Step 3: Clean up the mess
  Step 4: Bulletproof your efforts
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored or co-authored six books, including Hacking For Dummies, Hacking Wireless Networks For Dummies and Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~

Copyright 2006 TechTarget