How To Defeat A Rootkit... The Two Types Of Detection

In looking at how to defeat a rootkit, there are two ways to approach detecting rootkits... manually and automatically, using software.

Let's get a feel for the pros and cons of each of these detection approaches...

1. How To Defeat A Rootkit...
Is Software Reliable?

First of all, let's make it clear from the very start that any type of rootkit detection software you might consider using will be less effective if the system has already been corrupted.

Detecting rootkits in this situation is really tough, but there are several different techniques that can potentially be employed and new ones are being developed. None, however, are perfect.

To make matters worse, rootkit programmers are aware of these techniques and are constantly developing their rootkits to evade new detection methods. In effect, just as with other malware, it's become a cat-and-mouse game between the bad guys and those developing protection.

What that means is there is currently no such thing as a perfect rootkit detector. The good news is that it also means there is probably no such thing as a perfect rootkit, either.

This situation means that users should not lock into the idea that one particular rootkit detector is "the best".

Indeed, for how to defeat a rootkit, I suggest you adopt the practice of using more than one detector... for a selection of software, see Commercial And Free Rootkit Scanner Downloads.

You should also ensure that you regularly update your rootkit detectors, as the current cat-and-mouse game means that products are constantly evolving.

2. How To Defeat A Rootkit...
Manually Detecting Rootkits

Rootkits work by modifying and adapting the code of the tools and libraries that help all the system programs work -- see How To Defeat A Rootkit... What Is A Rootkit for more information.

The most elusive rootkits are those that change the kernel through various methods, such as VxDs, loadable Unix and Linux modules, and virtual external drivers.

If the operating system of your computer is already contaminated with this type of rootkit, its reliability and trustworthiness is low. For example, if you request a report or a list of all the running programs, such as within Task Manager, you could just as well get a report generated by the rootkit -- not the actual program list.

Similarly, there will be no visible rootkit entries in the Windows Startup folder or other startup locations.

So, manual rootkit detection that relies on the live system can be difficult. However, it's not impossible -- mostly because currently there are no rootkits that can hide themselves completely.

So, what are the reliable ways of manually detecting rootkits?

I. How To Defeat A Rootkit Using A System Copy

If an uninfected copy of the test system is available as a reference, rootkits can be detected by doing a file-by-file comparison between the current system and the uninfected copy.

Here the infected system is treated just as data, so the cloaking effect of the rootkit is not in play. In this situation, the rootkit and its payload can be easily discovered.

However, this is a situation that would be rarely encountered in practice, as almost no one has a reference copy of their system. Systems are not static anyway... legitimate changes are constantly taking place within a system and such changes make simple file comparisons difficult.

II. How To Defeat A Rootkit Using An Alternative Boot Device

The best rootkit detection method requires you to shut down the system and check its storage by choosing an alternative boot device, such as a CD Rom or a USB drive.

Because the system boots from an alternative media source, you will be able to bypass the rootkit. So, now you know how to prevent the rootkit from becoming active, but not how to detect and remove it.

The next step is to use a good antivirus program, such as , that will track down rootkits by using the standard operating system (OS) calls... but remember that complex rootkits will protect themselves by suspending their activity when they detect a scan has been initiated.

III.. How To Defeat A Rootkit With Data Wiping

Once rootkits are detected, you should do a data wipe instead of a delete or format. Data wiping is a more secure way of eliminating the rootkit problem to guard privacy and security at a higher level -- formatting alone may not remove the rootkit.

For how to conduct a secure data wipe, see the section Permanently Delete Files To Securely Remove Data

After a fresh installation of the operating system you should monitor the files and save the logs. Also, do this after installing other software titles and compare the reports. Now you'll be able to compare these logs with your current live system to determine whether there has been a further rootkit infection.

Although this system is a bit complicated and not advisable for the majority of home users, it is also the most effective rootkit prevention technique.

Specialists refer to this as "fingerprinting" -- during the process a hash function is used to track down changes in the data. Compression of the hash files will reveal changes that were not made intentionally by the system administrator, thus revealing any hidden rootkits.

3. How To Defeat A Rootkit... Other Rootkit Articles

  1. How To Defeat A Rootkit... What Is A Rootkit?
  2. Commercial And Free Rootkit Scanner Downloads
  3. HowTo Detect Sony Rootkit Installations


New! Comments

Have your say about what you just read! Leave me a comment in the box below.