Rootkits are diverse, elusive, and difficult to get rid of. These basic pointers will help you combat this escalating threat.
A rootkit is a piece of software that enables the continued, privileged access to a computer, all the while hiding its presence from users and administrators. Although rootkits themselves might not be dangerous, the software or processes they hide almost always are. Unlike a virus, a rootkit gains administrative privileges to your machine. Rootkits are the Mac-daddy of viruses, causing the most damage and headache. The biggest issue with rootkits is that once on a system, they are a challenge to detect and remove, because their main purpose is obfuscation.
But you don't have to be at the mercy of rootkits. You can be prepared to deal with these nasty pieces of software should they show up. And even better, you can keep them from happening in the first place.
1: Protect those machinesYou're not going to stop everything all the time. But that doesn't mean you should forgo protection. One of the first things I do on a new Linux system is install rkhunter. This tool is an outstanding defense against rootkits. If you're not using the Linux operating system then you need to use trusted tools like AVG Anti Rootkit or ComboFix [edit: link corrected] to take on the task.
2: Be on the lookout for signs
Although rootkits don't actively give you signs you are compromised, there are ways to tell. If you've received reports from various sources that you are sending out massive amounts of spam, you most likely have a botnet, which is probably being hidden by a rootkit. If your server is a Web server, and you are seeing strange redirect behavior, you might be a "winner." For UNIX and UNIX-like systems, look for altered versions of executables or directory structures. If you issue the ls /usr/bin or ls /usr/sbin command and see that your normal applications seem to be named incorrectly, there is a high possibility you have been hit by a root kit. Of course, the easiest method of detection is to regularly run rkhunter (or a similar tool, as described above).
3: Turn it off
If you have been infected, the first thing you should do is shut that machine off! Then, remove the drive, mount it on another system (preferably a non-Windows system), and get your data off the drive. There is a chance that the OS will have to be re-installed, so you want to make sure you have your data off. But having that infected system up and running is only doing more damage, especially if there is a spam bot or the like running.
4: Never go without Tripwire
Tripwire is designed to monitor changes in files/directories on a given configured system. One of a rootkit's primary purposes is to conceal malicious software. Oftentimes, they will do this by renaming files or folders or installing similarly named files/folders. You can detect such behavior at any time using a tool like Tripwire. It is critical that you install Tripwire immediately upon installing the OS. Otherwise, rootkits could already be installed and Tripwire will be less than effective.
5: Consider memory dumping
This is a far more challenging method, and it's most often left to specialists who have access to non-public tools or code. You can force a kernel (or even a complete) memory dump of the infected — or possibly infected — system that will capture any possible rootkit in action. That memory dump can then be analyzed with a debugging tool. During the analysis, the rootkit can't obfuscate its actions and will be detected. Of course, at this point, you are most likely going to have to just pull off your data and reinstall.
Rootkits are the "big nasty" of infections. The best possible strategy is to install software to prevent their installation in the first place. The biggest issue with rootkits is that they can be heinous enough to require you to remove your data and reinstall anyway. Be proactive on this front and install every necessary precaution you can.
- 10+ things you should know about rootkits
- The top 10 spam botnets: New and improved
- The 10 faces of computer malware
Have you had to grapple with rootkits on your own or your clients' systems? What did you do to prevent/remove them?