Rootkit removal and detection with Windows encryption

Rootkits are hard to get rid of, and even harder to find in the first place. Learn how to detect and remove rootkits with Windows encryption and BitLocker.

This tip is part of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.

Rootkits, whose name derives from 'root', the most powerful of the Unix system accounts, have become a widespread concern for Windows users.

Some rootkits have been installed without obvious malice, such as in the infamous Sony BMG copy-prevention incident, in which certain music CDs installed rootkits a couple of years ago. These rootkits inadvertently opened up security holes for Windows users that could have been exploited by worms and viruses. Most rootkits are plainly malicious, however, and shouldn't be anywhere near Windows computers.

Rootkit removal and detection
OK, so let us agree that Windows rootkits are hugely problematical, the reason being that an IT administrator -- or anyone else, for that matter -- cannot see them. They install by stealth and remain stealthed. A well-written rootkit can hide files and folders, system processes, registry entries, services, network connections and even pages of memory.

Rootkits themselves, of course, are not dangerous; it is the malware that they hide that does the damage. But the nature of rootkits is such that they can prevent detection of that malicious application. Even the most stringent security policies are useless against this kind of malware.

Think of it like this: Antivirus cannot protect against what it cannot see. Therefore it is important to ensure that security software can prevent rootkits from installing in the first place (or detect and remove rootkits if already installed).

Most heavyweight commercial Windows antivirus products now come prepared to handle rootkits. The most effective will employ behavioural blocking techniques to watch for processes that are known to manipulate other processes, and stop them dead.

Windows encryption allows for rootkit removal
Some versions of Windows, such as Vista, come with built-in BitLocker Drive Encryption. That is the perfect tool to help mitigate the risks that rootkits present. BitLocker Drive Encryption offers sophisticated and effective rootkit prevention by verifying all the key data structures during the boot process, and it will refuse to unlock the volume if it spots anything untoward in the system tampering department.

For those without Vista, don't panic, as all is not lost. All Windows users can enable boot logging via msconfig.exe, which writes a list of the drivers loaded at boot to a log file in %SYSTEMROOT%; that list can then be compared against what the running system thinks is loaded. A discrepancy can indicate a kernel-mode rootkit that installed its own device driver and then hides it once the system is up. Better still, follow best practice and do not allow everyone and their aunt to have administrator rights, as this decreases the opportunity for malware to install rootkits in the first place.
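The comparison described above, written out as an added PowerShell example (not code from the article): it parses the driver entries from the boot log and diffs them against the drivers the running kernel reports. It assumes boot logging was switched on in msconfig.exe (Boot tab, "Boot log"), which makes Windows write %SYSTEMROOT%\ntbtlog.txt on the next start; the sample log and driver list at the bottom are constructed so the script can be tried without touching a live machine, and the "hidden_rk.sys" entry is invented purely to show a mismatch.

```powershell
# Added example, not from the article: diff the boot log against the live driver list.

function Get-BootLogDrivers {
    param([string[]]$LogLines)
    # ntbtlog.txt lines look like "Loaded driver \SystemRoot\System32\drivers\ntfs.sys"
    # or "Did not load driver ...". Keep only drivers that actually loaded.
    foreach ($line in $LogLines) {
        if ($line -match '^Loaded driver\s+(.+?)\s*$') {
            # Normalise to the bare file name so both sides compare the same way
            [System.IO.Path]::GetFileName($Matches[1]).ToLowerInvariant()
        }
    }
}

function Compare-DriverLists {
    param([string[]]$BootLogDrivers, [string[]]$RunningDrivers)
    $boot = $BootLogDrivers | Sort-Object -Unique
    $run  = $RunningDrivers | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    [PSCustomObject]@{
        # Loaded at boot, but the running system does not admit to it: prime
        # candidate for a kernel-mode rootkit hiding its own driver.
        HiddenFromRunningSystem = @($boot | Where-Object { $run -notcontains $_ })
        # Present now but absent from the boot log: loaded later, which is
        # normal for many drivers but still worth a look.
        LoadedAfterBoot         = @($run  | Where-Object { $boot -notcontains $_ })
    }
}

# Constructed sample standing in for a real ntbtlog.txt and a real driver query.
$sampleLog = @(
    'Microsoft (R) Windows (R) Version 6.0 (Build 6000)',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\System32\drivers\ntfs.sys',
    'Loaded driver \SystemRoot\System32\drivers\tcpip.sys',
    'Loaded driver \SystemRoot\System32\drivers\hidden_rk.sys',   # invented entry, for illustration only
    'Did not load driver \SystemRoot\System32\drivers\parport.sys'
)
$sampleRunning = @('ntoskrnl.exe', 'ntfs.sys', 'tcpip.sys', 'usbhub.sys')

$result = Compare-DriverLists -BootLogDrivers (Get-BootLogDrivers $sampleLog) -RunningDrivers $sampleRunning
"Loaded at boot but not reported by the running kernel: $($result.HiddenFromRunningSystem -join ', ')"
"Reported now but not in the boot log: $($result.LoadedAfterBoot -join ', ')"

# Against a live machine (run from an elevated prompt):
# $log  = Get-Content "$env:SystemRoot\ntbtlog.txt"
# $live = Get-CimInstance Win32_SystemDriver | Where-Object State -eq 'Running' |
#         ForEach-Object { [System.IO.Path]::GetFileName($_.PathName) }
# Compare-DriverLists -BootLogDrivers (Get-BootLogDrivers $log) -RunningDrivers $live
```

With the constructed input the first line reports hidden_rk.sys and the second reports usbhub.sys. One caveat a practitioner should keep in mind: both the log file and the WMI driver list are read through the possibly compromised kernel, so a rootkit that filters file and WMI access can make the two sides agree. Copying ntbtlog.txt off the machine (or reading it from a clean boot environment) and comparing there is the stronger check, which is the same reason the article favours pre-boot validation.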

Windows BitLocker + TPM = Rootkit buster
Use BitLocker Drive Encryption for Windows Server and Vista where available. If at all possible, use BitLocker with a Trusted Platform Module (TPM) and throw in two-factor authorisation as well. This presents the double-whammy of validating every boot process component, ensuring it's secure before the volume is decrypted, and adding the assurance of a USB token into the mix for good measure. A TPM is used by BitLocker to store the root encryption key, hardening pre-boot security by a huge margin over hard drive-stored encryption keys, which are far more vulnerable to compromise.
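An added example of the TPM plus startup key configuration recommended above and in the section before it (this is not the article's own code): it checks that the TPM is usable, adds a recovery password, enables BitLocker on the OS volume with TPM and USB startup key as the two factors, and then shows the protectors. It assumes an elevated session, "C:" as the OS volume and "E:\" as a removable drive for the startup key; the BitLocker cmdlets used exist on Windows 8 / Server 2012 and later, and the final comment gives the manage-bde form for Vista and Server 2008.

```powershell
# Added example, not from the article: enable BitLocker with TPM + USB startup key.

$OsVolume      = 'C:'    # assumed OS volume
$StartupKeyDrv = 'E:\'   # assumed removable drive that will hold the startup key

# 1. The TPM must be present and ready before BitLocker can seal the key to it.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready; initialise it (tpm.msc) before continuing.'
}

# 2. Always keep a recovery password. If the measured boot components change
#    (a firmware update, or genuine tampering) BitLocker will not unseal the key,
#    and this password is the only way back in.
Add-BitLockerKeyProtector -MountPoint $OsVolume -RecoveryPasswordProtector | Out-Null

# 3. Turn on encryption with TPM + startup key: the TPM validates the boot chain
#    and the USB key supplies the second factor, so both are needed to unlock.
#    Requires the "Require additional authentication at startup" policy to allow
#    a startup key with TPM. Without -SkipHardwareTest a restart runs the
#    hardware test first, which is the safer default.
Enable-BitLocker -MountPoint $OsVolume `
    -TpmAndStartupKeyProtector -StartupKeyPath $StartupKeyDrv `
    -EncryptionMethod Aes256

# 4. Confirm the protectors and store the recovery password off the machine
#    before rebooting.
$vol = Get-BitLockerVolume -MountPoint $OsVolume
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
$vol.KeyProtector | Select-Object KeyProtectorType, RecoveryPassword, KeyFileName

# Vista / Server 2008 equivalent with the built-in command-line tool:
# manage-bde -on C: -RecoveryPassword -TpmAndStartupKey E:\
```

The order matters: the recovery password is added before encryption starts so that a failed boot measurement after the first reboot never locks the administrator out, and the startup key file that Enable-BitLocker writes to the USB drive should be kept separate from the machine, since whoever holds both the disk and that drive holds the second factor.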

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
