Page 1 of 4
One critical aspect of system building is staying on top of the latest security threats. Another is having the best detection tools available to keep those threats at bay. The last thing you need is to deliver an infected Windows system to a customer—or to become susceptible yourself to some new form of highly undetectable, "stealth," malware.
One of the newest threats in the wild—what security mavens mean by "loose on the net"—is called a "rootkit," or RK for short. While a rootkit by itself causes no damage, it attempts to hide the presence of other malware, such as key-logging Trojans, viruses, and worms.
A rootkit differs from a virus in that it doesn’t seek to reproduce itself. Still, some modern viruses incorporate rootkits into their code libraries, very often to take advantage of a rootkit’s ability to remain hidden and elude detection. Also, rootkits borrow a page from typical virus behavior, in that they may seek to avoid detection by taking over for one or more specific system component files—in essence, adding their own agenda to whatever purpose the original files they replace may have served.
Rootkits often include components to open back doors on systems. Often they do so by incorporating stealthy remote access software that opens a system to unwanted, uninvited outside operations, much as many pieces of spyware do. But here's another way that rootkits differ from most spyware and viruses: They hide everything that might reveal their presence and activity on a system, including logins, processes, files, and logs. So little or no evidence of a rootkit's presence is ever available.
Also, rootkits can insinuate themselves into an operating system’s core components, so they run as part of the kernel with the same unlimited rights and privileges typically granted to such code. Though many rootkits also often include user mode components (necessary for any kind of user interaction or information display), it’s their kernel capabilities combined with their profound stealth that makes them such a nasty species of malware.
The Trouble With Rootkits
What makes rootkits truly insidious is that typical anti-virus and anti-spyware packages have great difficulty identifying them. That's because a rootkit can establish itself as part of the Windows boot-up code, an area frequently unchecked by detection programs.
To make matters worse, there aren’t any automated cleanup tools available—at least for now—that can remove a rootkit once it takes up residence on a PC. In fact, security experts Mark Russinovich and Bryce Cogswell, principals at Sysinternals Freeware and Winternals Software (and the creators of the RootkitRevealer utility I feature in this Recipe), both agree that once a rootkit is contracted, the only way to get rid of it is to wipe the hard disk and reinstall everything. Woe betide those who come down with a rootkit infection and don’t have a recent backup to restore!
The only exception to this is the Sony rootkit that Russinovich discovered recently. It originates from Sony Music CDs as an undocumented part of their digital rights management (DRM) software. In response to widespread consumer outrage, Sony released this patch to permit users to remove this rootkit from their computers; it does so by uninstalling a driver named "MediaJam" that makes this stealth monitor work.
As this Recipe goes to press, none of the major security suites offer a rootkit detection tool. But at least one suite vendor does plan to include such a tool in its next planned release. F-Secure plans to include a rootkit-detection tool called BlackLight in its forthcoming Internet Security 2006 suite. A free beta version of this tool is available until January 1, 2006, at the BlackLight beta page.
I didn’t cover the F-Secure tool for this TechBuilder Recipe because in my opinion, Sysinternals' RootkitRevealer makes a better choice for system builder security toolkits. That's not only because it’s free and because Windows kernel gurus Russinovich and Cogswell wrote and recommend it. It's also because the pair's Sysinternals RootkitRevealer page offers the download, up-to-date information, and a populated forum.
One caveat: When deploying RootkitRevealer, remember to research any anomalies the utility finds before concluding that a system has a rootkit running. As I explain later in this Recipe, false positives—or apparent anomalies that are benign rather than overt signs of rootkit presence—are fairly common when using the RootkitRevealer tool.
