Rootkits: Managing the threat with prevention measures


Jonathan Hassell
08.22.2006
Rootkits are becoming an increasingly dangerous problem for your network, and rootkits and other such malware grow more sophisticated as time wears on. Today's malware can cloak itself from AV and anti-rootkit software with a high degree of effectiveness, and some malware can even regenerate itself after a partial deletion (typically the result of an incomplete cleanup). As malware becomes hardier, your arsenal against it must also become stronger and more effective.

Here are a couple of steps to mitigate the surreptitious threat that rootkits pose:

  • Use a rootkit detection tool. There are a number of these on the market. Sysinternals, mainly in response to the Sony DRM rootkit fiasco, developed a freeware tool called RootkitRevealer. Not all rootkits can be detected using software such as this, but it's a good first step to clean up the obvious problems.
  • Take a "diff" of your system. This one is for the more difficult infestations. For Windows users, Locate32 is a tool that creates a database of the names of all of the files on your hard drive. Although the primary purpose of this tool is to serve as a poor man's desktop search, it can track differences in files from one database snapshot to another. That turns out to be a very handy way to detect significant changes in your system directory, for example -- a telltale sign of a rootkit installation.
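The snapshot "diff" described above, written out as an added example (this is not Locate32 or the author's own tooling): it records size, mtime and a SHA-256 hash per file, so a binary replaced in place is reported alongside new and deleted names. The directory tree and file contents in demo() are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root to its size, mtime and SHA-256 hash; hashing
    catches a binary replaced in place even when size and mtime are preserved."""
    root, entries = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # locked or vanished file: skip it rather than abort the scan
            entries[path.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}
    return entries

def diff_snapshots(before, after):
    """Report files added, removed or changed in content between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after)
                           if before[p]["sha256"] != after[p]["sha256"]),
    }

def demo():
    """Constructed sample tree, not a real system directory: a driver appears and a
    DLL is replaced in place, the kind of change the tip says to look for."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        (sys32 / "drivers").mkdir(parents=True)
        (sys32 / "ntdll.dll").write_bytes(b"clean ntdll")
        (sys32 / "drivers" / "disk.sys").write_bytes(b"clean driver")
        before = snapshot(sys32)
        (sys32 / "drivers" / "unknown.sys").write_bytes(b"new driver")
        (sys32 / "ntdll.dll").write_bytes(b"patched ntdll")
        return diff_snapshots(before, snapshot(sys32))
```

Keep the baseline snapshot off the machine, and where possible take the comparison snapshot from clean boot media, since a kernel-mode rootkit can filter what the live operating system reports about its own files.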

As the old adage goes, an ounce of prevention is worth a pound of cure. These preventative measures will help ensure rootkits never make it onto your systems:

  • Use some special Windows Registry tweaks. One such modification, for instance, is to create a limited set of permissions for the HKLM\SYSTEM\CurrentControlSet\Services keys so that only authorized installer services can make entries there.
  • Buy best-of-breed commercial antivirus software. Newer versions of common AV solutions are beginning to include heuristic rootkit detection technology, which coupled with the distributed management capabilities of these business solutions will protect a lot of corporate desktops that are not currently shielded.
  • Consider a different browser platform. This is common advice, but it bears repeating here. Internet Explorer 6 has had a vast number of vulnerabilities and security holes since its release in 2001 with Windows XP. Rootkits often find IE a ripe vector for infiltrating systems and bypassing other defense mechanisms. Using Mozilla Firefox or another alternative browser is a relatively simple way to close a lot of significant doors into your Windows system.
  • Deploy firewalls both at the perimeter and internally. The common wisdom used to be that only perimeters needed firewalls -- your internal machines were trustworthy since they were located in a controlled environment. However, one machine with a rootkit installed strips that control away. Use a software-based firewall on your internal systems to seriously hinder the ability of rootkits to spread internally.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
