RSA: Microsoft on 'rootkits': Be afraid, be very afraid
There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.
It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.
Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.
The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.
Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference.
The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.
Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts