Q

What tools can remove rookits or prevent their installation?

Once installed, rootkits can stealthily monitor your traffic and keystrokes. In this SearchSecurity.com Q&A, information security threats expert Ed Skoudis offers four ways to keep the malware off of your systems in the first place.

This Content Component encountered an error
What are the latest techniques to prevent the installation of rootkits?
There are three common types of defenses against rootkit installation, and you should vigorously employ all three.

First, keep your systems patched. When Microsoft (or another operating system vendor you rely on) releases security patches, test them quickly and apply them.

Second, do not run your browser or email reader from an account that has local admin privileges. A rootkit needs admin privileges in order to install malicious device drivers. Only use admin-level accounts when they are absolutely required, such as when you install new software or change the configuration of the machine. If you have a single-user machine, run the Microsoft control called the local user manager (Start, Run, then type lusrmgr.msc). This control, affectionately known as the "Loser Manager" because of the "lusr" spelling in its file name, can be used to administer accounts and groups. Create one without admin privileges, and then use that account for surfing and email.

A third way to prevent rootkit infection is to install local security tools on your machine, including an antivirus tool, an antispyware program and a personal firewall. Make sure you have all three.

A fourth category of defense only for enterprises are the so-called host-based intrusion prevention systems. Products like Cisco Systems Inc.'s Security Agent and McAfee Inc.'s Entercept, for example, monitor various applications and prevent them from making certain system calls that might be associated with buffer-overflow exploitation or the installation of a rootkit.

Beyond those preventative defenses, don't forget that there are many good after-the-fact rootkit detectors out there. These tools look for the tell-tale signs of rootkit installation, such as hidden files, hidden registry keys, and, for some of the tools, hidden processes. RootkitRevealer, from Microsoft's Sysinternals group, was one of the first of the free tools in this category of rootkit detectors. Other free products include F-Secure Corp.'s Blacklight, Sophos' Anti-Rootkit, McAfee's Rootkit Detective and Trend Micro Inc.'s RootkitBuster.

More information:

  • See what a rootkit or rootkit hypervisor can do to your operating system.
  • Many debate the value of host-based intrusion prevention systems. Mike Chapple explains who has the wrong idea.
  • This was first published in March 2007

    Dig deeper on Emerging Information Security Threats

    Pro+

    Features

    Enjoy the benefits of Pro+ membership, learn more and join.

    Have a question for an expert?

    Please add a title for your question

    Get answers from a TechTarget expert on whatever's puzzling you.

    You will be able to add details on the next page.

    0 comments

    Oldest 

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to:

    -ADS BY GOOGLE

    SearchCloudSecurity

    SearchNetworking

    SearchCIO

    SearchConsumerization

    SearchEnterpriseDesktop

    SearchCloudComputing

    ComputerWeekly

    Close