Rooting out a rootkit: Stage four -- Preventative measures

How can you avoid future rootkit attacks? Find out what the experts have to say.

How can you avoid being infected in the future? Read what the experts have to say, or click here to go back to the scenario.

Kurt Dillard: There are a many countermeasures you can implement. Here are five of the most effective:

    1. Avoid logging in with an account that has administrative privileges. You can use tools such as Window's built-in RunAs or MakeMeAdmin.
    2. Run a dedicated firewall for your entire network as well as software firewalls distributed on each host, such as the Windows Firewall (included with Windows XP Service Pack 2).
    3. Keep Windows and all of your other software up to date on patches and service packs by using tools such as Automatic Updates if you only have a few systems. If you manage numerous computers, use Windows Server Update Services.
    4. Use modern antivirus software with the most current signature libraries. For more information about antivirus vendors, see the Microsoft Antivirus Partners page.
    5. Use up-to-date spyware protection tools such as Microsoft's Windows AntiSpyware software.

For more ideas on minimizing the risk of getting hit by this type of malware take a look at my recent tech tips.

Lawrence Abrams: The most important step in security is to make every effort to prevent users from having to log in as an administrator to get their work done. Understandably, with the current Windows architecture, that is not always possible. When malware infects a computer, it runs at the same security level as the user logged in with. Therefore if that user is an administrator, the malware has administrative rights as well. This gives the malware full access to your computer.

Rootkits, whether from targeted or viral worms, can be prevented using the same best practices when trying to prevent other malware.

    1.Use a firewall to block commonly hacked Windows TCP ports like 20, 21, 23, 80, 135, 139, 443 and 445. By blocking these ports from the outset, you will greatly reduce your risk of getting hacked in the first place. The best practice would be to block every port, and only map a port to a particular machine that needs it open. Most recent worms exploit vulnerabilities in programs that utilize these ports. If a computer needs to use one of the above ports, then the firewall should strictly specify which remote computers can connect to it via that port instead of making it wide open.
    2. Furthermore, each computer should always have the latest security updates and be running an antivirus program that is updated daily. New definitions for antivirus software are released often, and it is important to always have the latest definition.
    3. In addition to antivirus software, you should also have at least two antispyware applications, such as Spybot -- Search and Destroy, Webroot Software Inc.'s Spy Sweeper or Lavasoft's Ad-Aware installed on your machine. Daily or weekly scans with the most recent updates should initiate automatically to take full advantage of the latest definitions.
    4. Last but not least, teach users good practices. They should know not to click on Internet ads, links in instant messages from strangers and attachments that are from unknown people or appear strange. IT staff should immediately send out an e-mail to all staff users if a new worm is in the wild and describe the attachments, configuration or wording.

With a firewall in place, plus antimalware software, current security updates and good Internet guidelines for users, you should stay clear of these types of infections.

Kevin Beaver: As long as a computer is operated by a human or connected to a network, there's no definitive way to guarantee complete security. You can, however, install antispyware, rootkit detection and anomaly monitoring software to keep things locked down. Ideally, you'll install all three since you've already been burned once and want to avoid going through it again. In addition, it's clichÉ, but make sure you're disciplined in maintaining current patches on all operating systems and applications.

Go back to the initial user problem: Rootkit scenario

About the experts: Expert bios are available on the scenario page.

Read more on Antivirus, firewall and IDS products