
Five tips for dealing with rootkits

Version 1.0
February 22, 2011

A rootkit is software that maintains continued, privileged access to a computer while hiding its
presence from users and administrators. The rootkit itself is rarely the payload; the software or
processes it hides (a spam bot or a backdoor, for example) almost always are. A rootkit is not a
virus: it does not need to spread, but it does need root or administrator privileges, and it uses
them to alter what the system reports about itself. That is what makes rootkits the most
damaging and painful class of compromise to deal with: once on a system, they are hard to
detect and hard to remove, because concealment is their entire purpose. But you don't have to
be at the mercy of rootkits. You can be prepared to deal with them should they show up, and
better still, you can keep them from getting a foothold in the first place.

1: Protect those machines

You're not going to stop everything all the time, but that doesn't mean you should forgo
protection. One of the first things I do on a new Linux system is install rkhunter. It scans for
known rootkit signatures, suspicious hidden files and altered system binaries, and it is most
useful when installed on a freshly built machine, so that its first run records a known-good
state. If you're not using Linux, use trusted tools such as AVG Anti Rootkit or ComboFix for the
same task. Keep in mind that these are scanners: they find rootkits they know how to look for,
and they do not by themselves stop one from being installed.

2: Be on the lookout for signs

Rootkits don't announce themselves, but there are ways to tell. If you've received reports from
several sources that you are sending out massive amounts of spam, you most likely have a
spam bot running, and it is probably being hidden by a rootkit. If the machine is a Web server
and you are seeing strange redirect behavior, the same applies. On UNIX and UNIX-like
systems, look for altered executables or directory structures. If you list /usr/bin or /usr/sbin and
your normal applications seem to be missing, misnamed, or carry unexpected sizes,
permissions or timestamps, there is a high probability you have been hit by a rootkit. Bear in
mind, though, that a kernel-level rootkit can lie to ls, ps and every other tool on the box, so
what the compromised system shows you is at best a hint. The easiest routine check is to run
rkhunter (or a similar tool, as described above) regularly and to verify installed binaries against
your distribution's package database from a system you trust.
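The point that a rootkit hides what the system reports about itself suggests a concrete check: ask the kernel the same question several ways and diff the answers. The script below is an added example written for this article, not rkhunter or any other tool the article names. It compares the PIDs visible in /proc, the PIDs the kernel admits exist to a kill(pid, 0) probe, and the PIDs ps reports, and keeps only discrepancies that persist across two snapshots. The fallback pid_max of 99998 for systems without /proc is an assumption.

```python
"""Cross-view process listing.  A rootkit that filters what ps(1) sees, by
hooking the /proc readers in a preloaded library or by patching the kernel's
own lists, has to lie consistently in every view the kernel exposes.  Three
cheap views: numeric entries of /proc, a kill(pid, 0) probe of every possible
PID, and the output of ps.  A PID present in one view and absent from another
is worth investigating.  Added example for this article, not rkhunter."""

import os
import subprocess


def proc_pids():
    """PIDs visible as numeric directory entries under /proc (empty set where
    /proc does not exist, e.g. on macOS)."""
    try:
        return {int(n) for n in os.listdir("/proc") if n.isdigit()}
    except FileNotFoundError:
        return set()


def probe_pids(max_pid):
    """PIDs the kernel will answer for.  kill(pid, 0) delivers no signal:
    ESRCH (ProcessLookupError) means no such process, EPERM (PermissionError)
    means it exists but belongs to someone else, success means it exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def ps_pids():
    """PIDs as reported by ps(1), the view a user-land rootkit usually filters."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def cross_view(views):
    """views: {view_name: set_of_pids}.  Returns {pid: [views that miss it]}
    for every PID that is not present in all views."""
    union = set().union(*views.values())
    findings = {}
    for pid in sorted(union):
        missing = [name for name, pids in views.items() if pid not in pids]
        if missing:
            findings[pid] = missing
    return findings


def stable_findings(snapshots):
    """Processes start and exit between views (ps lists itself, for one), so a
    single pass always shows noise.  Keep only PIDs flagged in every snapshot."""
    flagged = [cross_view(v) for v in snapshots]
    common = set.intersection(*(set(f) for f in flagged)) if flagged else set()
    return {pid: flagged[-1][pid] for pid in sorted(common)}


def take_snapshot(max_pid):
    views = {"probe": probe_pids(max_pid), "ps": ps_pids()}
    proc = proc_pids()
    if proc:                      # only compare /proc where it exists
        views["proc"] = proc
    return views


if __name__ == "__main__":
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    except OSError:
        pid_max = 99998           # assumption: BSD/macOS PID_MAX is 99999
    hidden = stable_findings([take_snapshot(pid_max), take_snapshot(pid_max)])
    for pid, missing in hidden.items():
        print(f"PID {pid} missing from view(s): {', '.join(missing)}")
    print("no discrepancies" if not hidden else f"{len(hidden)} PID(s) to investigate")
```

Run it as root so the probe view is not limited by EPERM on other users' processes. A clean box prints "no discrepancies"; a PID that the probe confirms but ps and /proc both omit is exactly the footprint a process-hiding rootkit leaves. A kernel rootkit that hooks the signal path as well as /proc can defeat this check too, which is why the next tips move the analysis off the live system.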

3: Turn it off

If you have been infected, the first thing to do is shut that machine off. (If you intend to analyze
memory, as in tip 5, capture it before you pull the power; a shutdown discards it.) Then remove
the drive, attach it to another system (preferably a non-Windows system), mount it read-only so
that nothing on it executes and nothing is altered, and copy your data off. There is a good
chance the OS will have to be reinstalled, so make sure you have your data off first. Leaving an
infected system up and running only does more damage, especially if a spam bot or the like is
running on it.

4: Never go without Tripwire

Tripwire monitors files and directories on a configured system for changes. One of a rootkit's
primary purposes is to conceal malicious software, and it often does so by renaming files or
folders, or by installing similarly named files in place of the originals. A file integrity checker
such as Tripwire detects such changes by comparing the current state of each monitored file
(hash, size, permissions, owner, timestamps) against a baseline. It is critical that you install
Tripwire and take that baseline immediately upon installing the OS. Otherwise a rootkit could
already be present, the baseline would record the tampered files as normal, and Tripwire would
be far less effective. Store the baseline, and the checker's own binaries, somewhere the
monitored host cannot quietly modify them (read-only media or another machine): a baseline the
attacker can rewrite proves nothing.
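To make the integrity idea behind tips 2 and 4 concrete, here is a small Tripwire-style checker written as an added example for this article; it is not Tripwire's code. It records a hash, size, mode and owner for every file under the monitored directories, stores the baseline with an HMAC so that an attacker who edits the baseline to bless a trojaned binary is caught, and reports added, removed and changed files. The demo() function builds a constructed scenario in temporary directories rather than touching /usr/bin, and the key value "off-host-secret" is a placeholder for a key kept off the monitored host.

```python
"""Minimal file integrity checker in the style of Tripwire.  Added example for
this article, not Tripwire's own code.  Baseline on a clean install, keep the
baseline (and this script) off the host, and re-run compare() on a schedule."""

import hashlib
import hmac
import json
import os
import stat


def file_record(path):
    """Attributes a rootkit swap typically changes: content hash, size, mode,
    owner.  Symlinks are hashed by their target rather than followed."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode("utf-8", "surrogateescape"))
    elif stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "uid": st.st_uid}


def build_baseline(roots):
    """Walk each root (symlinked directories are not followed) and record every file."""
    records = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    records[path] = file_record(path)
                except OSError:
                    records[path] = {"unreadable": True}  # itself worth a look
    return records


def _canon(records):
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def write_baseline(path, records, key):
    mac = hmac.new(key, _canon(records), hashlib.sha256).hexdigest()
    with open(path, "w") as f:
        json.dump({"records": records, "mac": mac}, f)


def read_baseline(path, key):
    """Refuse a baseline whose MAC does not verify: an edited baseline is worse
    than none, because it makes tampered files look normal."""
    with open(path) as f:
        data = json.load(f)
    expect = hmac.new(key, _canon(data["records"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, data.get("mac", "")):
        raise ValueError("baseline MAC mismatch: baseline altered or wrong key")
    return data["records"]


def compare(baseline, current):
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        a, b = baseline[path], current[path]
        diffs = sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
        if diffs:
            changed[path] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario in temp dirs (not real system files): baseline two
    fake binaries, trojan one, delete one, add one, then tamper with the
    baseline itself.  Paths in the result are relative to the fake tree."""
    import tempfile
    key = b"off-host-secret"   # assumption: a real key lives off the monitored host
    tree, store = tempfile.mkdtemp(), tempfile.mkdtemp()

    def put(name, data):
        path = os.path.join(tree, name)
        with open(path, "wb") as f:
            f.write(data)
        return path

    ls_path = put("ls", b"original ls")
    ps_path = put("ps", b"original ps")
    baseline_file = os.path.join(store, "baseline.json")
    write_baseline(baseline_file, build_baseline([tree]), key)
    put("ls", b"trojaned ls, now longer")     # content and size change
    os.remove(ps_path)                         # binary removed
    put("sshd", b"dropped by attacker")        # binary added
    current = build_baseline([tree])
    raw = compare(read_baseline(baseline_file, key), current)
    rel = lambda p: os.path.relpath(p, tree)
    report = {"added": [rel(p) for p in raw["added"]],
              "removed": [rel(p) for p in raw["removed"]],
              "changed": {rel(p): v for p, v in raw["changed"].items()}}
    with open(baseline_file) as f:             # attacker blesses the trojan ...
        data = json.load(f)
    data["records"][ls_path] = current[ls_path]
    with open(baseline_file, "w") as f:
        json.dump(data, f)
    try:                                       # ... but cannot forge the MAC
        read_baseline(baseline_file, key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real host you would call build_baseline(["/bin", "/sbin", "/usr/bin", "/usr/sbin", "/lib", "/etc"]) right after installation, write the baseline to removable media, and run the comparison from a trusted boot. The same caveat as in tip 2 applies: if the kernel itself is hooked, it can feed the checker the original file contents while executing the trojaned ones, so the comparison is most trustworthy when the disk is read from another system.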

5: Consider memory dumping

This is a far more challenging method, and it is most often left to specialists. You can force a
kernel (or even a complete) memory dump of the infected or possibly infected system, which
captures any rootkit that is running at the time. That dump can then be analyzed offline with a
debugger or a memory-forensics framework. In offline analysis the rootkit is no longer running,
so it cannot intercept the tools that examine it: hooked system call tables, hidden process
structures and injected kernel modules sit in the raw image for an analyst who knows what to
look for. Of course, at this point you are still most likely going to have to pull off your data and
reinstall.

Prevention
Rootkits are the nastiest class of infection. The best possible strategy is to keep them from
being installed in the first place: keep the system patched, limit what runs with root privileges
(a rootkit needs root to get in), and install the detection and integrity tools above on a clean
system. The biggest issue with rootkits is that once one is in, the only trustworthy fix is often to
pull off your data and reinstall anyway. Be proactive on this front and take every necessary
precaution you can.

Additional resources
10+ things you should know about rootkits
The top 10 spam botnets: New and improved
The 10 faces of computer malware

Copyright 2011 CNET Networks, Inc., a CBS Company. All rights reserved. TechRepublic is a registered trademark of CNET Networks, Inc
For more downloads and a free TechRepublic membership, please visit http://techrepublic.com.com/2001-6240-0.html