Problem solve Get help with specific problems with your technologies, process and projects.

How can I prevent an FU rootkit from spreading throughout a network?

Information security threats expert, Ed Skoudis, explains the best way to stop an FU rootkit outbreak. Learn how to clean up your infected machine and prevent the malware from spreading across your network.

I believe that a user at my company has a rootkit installed on her laptop. Research on the Internet leads me to believe that the malware is an updated version of the FU rootkit. I'm worried that this infection could spread. Are there any steps I can take to isolate this offending malware so it doesn't infect our network systems?
The good news is that the most popular versions of the FU rootkit are not self-propagating, and they will not single-handedly penetrate other systems on your network. The bad news is that the FU rootkit may have been installed by some other form of malware (such as a worm or a bot) that could be using FU to hide itself. In that case, FU could be spread; not in and of itself, but by another pathogen on your network.

How do you prevent that from occurring? First, thoroughly clean the infected machine. One way to remove the pathogens from the system would be to run a couple of passes from two different antivirus tools. While that might eliminate the pathogen, you could go even further -- back up the user data from the machine, reformat the hard drive and then reinstall the operating system. That takes time, of course, but will give you a more thorough and trustworthy clean system.

To prevent the malware from spreading, make sure your network's systems have up-to-date antivirus tools with real-time protection. Carefully scrutinize any systems on which the users of the infected system have accounts, including server machines and those of other clients. The malware may have spread using the credentials of the users logged into "patient zero." Also, unless you have a defined business need for protocols like those supporting file and print sharing (using TCP and UDP ports 135-139 and 445), filter these Windows-associated systems at your network borders, and even on your internal network. If you do need these protocols, you likely only need to support them to and from file servers, printers, and perhaps Exchange mail servers. You most likely don't need them from client to client. Consider such filters as a preventative step for the next time around. If you are into scripting, you could write a login script on other systems that will look for the registry keys you found on the one infected machine. Then, you can see if the keys have been compromised.

This was last published in September 2006

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.