Skip the navigation

RSA: Microsoft on 'rootkits': Be afraid, be very afraid

By Paul Roberts
February 17, 2005 12:00 PM ET
There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.
It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.
Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.
The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.
Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin of Symantec Corp.'s @stake division, who attended the presentation at the RSA conference.
The operating system's powerful application programming interfaces make it easy to mask behaviors on the system. Microsoft's Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.
Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said.
Reprinted with permission from Story copyright 2014 International Data Group. All rights reserved.
Our Commenting Policies
Internet of Things: Get the latest!
Internet of Things

Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!