
What is the best way to conduct a rootkit-specific risk assessment?

When dealing with rootkits, many security professionals focus on tools and technology. John Strand explains why developing a security team's ability to deal with rootkits is a much more effective technique.

What is the best way to conduct a risk assessment, specifically concerning rootkits?
Rootkits are the tool of choice for many attackers who want access to a victim's system. With this type of malware, attackers can install their malicious code on a victim's machine in a way that is extremely difficult for a user to detect.

Currently there are numerous rootkits available for almost any operating system. Researchers have recently seen rootkits that have an almost commercial feel to them: custom-built for a small fee and designed to evade many antivirus vendors' products.

When dealing with rootkits and malicious code, many security professionals focus on tools and technology. While this is important, it is not as important as developing a security team's ability to deal with rootkits.

When I work on a certification and accreditation project, I like to set up a scenario where I install a rootkit on a system and ask the security team to identify and remove it. Rather than relying on documented procedures or proof that they are updating their antivirus on a regular basis, I like to see how the team responds when they have a live situation to resolve.

As for technology, I like working with RootkitRevealer, F-Secure Corp.'s BlackLight tool and the freely available IceSword. It is always a good idea to get a second (or possibly even a third) opinion when dealing with rootkits because they are constantly evolving to bypass rootkit-detection techniques and technologies.
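The "second opinion" the column recommends rests on a single idea that the named tools all apply in some form: take two independent views of the same objects (processes, files, registry keys) and treat anything present in the lower-level view but missing from the higher-level one as a candidate for something hidden. The following is an added example written for this page; it is not code from the column or from RootkitRevealer, BlackLight or IceSword. The `cross_view_diff` function is generic and runs on the constructed sample data; the Linux-only helpers (`pids_from_proc`, `pids_by_probing`, `hidden_pids`) are assumptions about how one would gather two process views on a live host and are labelled as such in the comments.

```python
"""Cross-view rootkit detection (added example, not from the original column).

A high-level view is what ordinary enumeration APIs report; a low-level view
is gathered by a different mechanism that a rootkit hooking the first path is
less likely to have tampered with. Discrepancies are leads for an analyst to
confirm with another tool, not proof of compromise on their own.
"""
import os


def cross_view_diff(high_level, low_level):
    """Return (hidden, vanished): items only in the low-level view, which are
    candidates for hidden objects, and items only in the high-level view,
    which are usually objects that went away between the two snapshots."""
    high = set(high_level)
    low = set(low_level)
    return sorted(low - high), sorted(high - low)


# Constructed sample data: a directory listing as returned by the normal
# file-system API versus the same directory read from a raw volume parser.
API_VIEW = ["drivers/acpi.sys", "drivers/disk.sys", "drivers/ntfs.sys"]
RAW_VIEW = ["drivers/acpi.sys", "drivers/disk.sys", "drivers/ntfs.sys",
            "drivers/constructed_hidden.sys"]  # present only in the raw view


def sample_file_check():
    """Run the diff over the constructed sample views."""
    return cross_view_diff(API_VIEW, RAW_VIEW)


# --- Live process check, Linux only (assumed approach, not a named tool) ---

def pids_from_proc():
    """High-level view: every PID and thread ID that /proc lists. Thread IDs
    are included because kill(2) also succeeds for them, so leaving them out
    would produce false positives in the probing view."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            continue  # process exited between listdir calls; harmless race
    return ids


def pids_by_probing(max_pid=None):
    """Low-level view: probe every PID with signal 0. ESRCH means no such
    process; EPERM means it exists but belongs to another user, so it counts
    as alive. This path does not consult /proc at all."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def hidden_pids():
    """PIDs reachable by kill(2) that /proc does not list. The /proc view is
    taken before and after probing so processes that simply exited during
    the scan are not reported as hidden."""
    before = pids_from_proc()
    probed = pids_by_probing()
    after = pids_from_proc()
    hidden, _ = cross_view_diff(before | after, probed)
    return hidden


if __name__ == "__main__":
    print("sample:", sample_file_check())
    if os.path.isdir("/proc"):
        print("hidden pids:", hidden_pids())
```

On hosts where `pid_max` is set to its 4194304 maximum the probing pass takes a few seconds; that is the price of not trusting the listing path. Anything `hidden_pids` reports should then be checked with an unrelated mechanism, which is exactly the point of the column's advice to use more than one tool.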

More information:

  • Get the latest rootkit news and research.
  • A reader asks John Strand, "Is a Master Boot Record (MBR) rootkit completely invisible to the OS?"

This was last published in October 2008.
