What is the best way to conduct a rootkit-specific risk assessment?

When dealing with rootkits, many security professionals focus on tools and technology. John Strand explains why developing a security team's ability to deal with rootkits is a much more effective technique.

What is the best way to conduct a risk assessment, specifically concerning rootkits?
Rootkits are the tool of choice for many attackers who want access on a victim's system. With this type of malware, attackers can install their malicious code onto a victim's machine in such a way that is extremely difficult for a user to detect.

Currently there are numerous rootkits available for almost any operating system. Researchers have recently seen some rootkits that almost have a commercial feel to them, designed on a custom basis for a fee to evade many antivirus vendors for a small fee.

When dealing with rootkits and malicious code, many security professionals focus on tools and technology. While this is important, it is not as important as developing a security team's ability to deal with rootkits.

When I work on a certification and accreditation project, I like to set up a scenario where I install a rootkit on a system and ask the security team to identify and remove it. Rather then relying on documented procedures or proof that they are updating their antivirus on a regular basis, I like to see how the team responds when they have a live situation to resolve.

As for technology, I like working with RootkitRevealer, F-Secure Corp.'s BackLight tool and the freely available IceSword. It is always a good idea to get a second (or possibly even a third) opinion when dealing with rootkits because they are constantly evolving to bypass rootkit-detection techniques and technologies.

More information:

  • Get the latest rootkit news and research.
  • A reader asks John Strand, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"
  • This was last published in October 2008

    Dig Deeper on Malware, Viruses, Trojans and Spyware



    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.



    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: