Q

What is the best way to conduct a rootkit-specific risk assessment?

When dealing with rootkits, many security professionals focus on tools and technology. John Strand explains why developing a security team's ability to deal with rootkits is a much more effective technique.

What is the best way to conduct a risk assessment, specifically concerning rootkits?
Rootkits are the tool of choice for many attackers who want access on a victim's system. With this type of malware, attackers can install their malicious code onto a victim's machine in such a way that is extremely difficult for a user to detect.

Currently there are numerous rootkits available for almost any operating system. Researchers have recently seen some rootkits that almost have a commercial feel to them, designed on a custom basis for a fee to evade many antivirus vendors for a small fee.

When dealing with rootkits and malicious code, many security professionals focus on tools and technology. While this is important, it is not as important as developing a security team's ability to deal with rootkits.

When I work on a certification and accreditation project, I like to set up a scenario where I install a rootkit on a system and ask the security team to identify and remove it. Rather then relying on documented procedures or proof that they are updating their antivirus on a regular basis, I like to see how the team responds when they have a live situation to resolve.

As for technology, I like working with RootkitRevealer, F-Secure Corp.'s BackLight tool and the freely available IceSword. It is always a good idea to get a second (or possibly even a third) opinion when dealing with rootkits because they are constantly evolving to bypass rootkit-detection techniques and technologies.

More information:

  • Get the latest rootkit news and research.
  • A reader asks John Strand, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"
  • This was last published in October 2008

    Dig Deeper on Malware, Viruses, Trojans and Spyware

    PRO+

    Content

    Find more PRO+ content and other member only offers, here.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    Start the conversation

    Send me notifications when other members comment.

    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

    Please create a username to comment.

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close