The word rootkit strikes fear in the hearts of most security professionals. These specially crafted pieces of malicious code are designed to provide intruders with a means to gain administrative control of a system. In fact, their very name is derived from the Unix/Linux term for the administrative user: "root." Making them even more insidious is the fact that rootkits are designed to evade detection.
Through the malware's control of the underlying operating system, they're often able to mask their presence from traditional antivirus software. What's a midsized business to do? In this tip, we'll review how to remove rootkits from your organization.
Preventing a rootkit infection
First and foremost on your agenda should be protecting your systems from becoming infected by a rootkit in the first place. It goes without saying that you should have current antivirus software installed on your computer that defends against known attacks. Unfortunately, while antivirus software does provide a strong defense against many types of malicious code, it's not especially effective against rootkits, which install themselves into the operating system through two primary mechanisms: exploiting an operating system vulnerability or depending upon user error.
As any Windows administrator who has lived through a "Patch Tuesday" can attest, Microsoft and other operating system vendors release security updates at an almost dizzying pace. Nary a month goes by that you don't see another critical security update deployed to your systems. While this might seem tedious, it's also the key to protecting yourself against the spread of rootkits that exploit OS vulnerabilities. Studies have shown that system administrators are often slow to deploy patches, creating a window of opportunity for the authors of malicious code to exploit vulnerabilities and use them to poke a rootkit into a system undetected. It's critical that you not only deploy updates in your organization, but that you monitor the patch status of systems to ensure compliance.
You also need to protect users from themselves. The second leading cause of rootkit infections is users, intentionally or unwittingly, helping to install them on systems. This usually occurs when a user downloads unauthorized software from the Internet that contains a Trojan component, which then puts a rootkit into the operating system. Here are some quick tips that you can provide to users to help them protect their systems from infection:
- Never install software from an unknown or unapproved source.
- Pay attention to security warnings when installing software. If unsure whether to accept a warning, contact a system administrator for assistance.
- Watch your system for signs of unusual activity, such as slow performance and hard drive activity when idle. Report anything abnormal to a system administrator.
That said, users will continue to find new and creative ways to circumvent security policies. While it's critical that you educate them on the importance of following these policies, you also must remain vigilant for the possible presence of rootkits on your network.
Traditional antivirus software will detect some rootkits, and it's very important to use this tool to monitor and protect all of the systems on your network. If you haven't done so already, you should invest in a centralized antivirus monitoring system that both ensures systems have current protection and provides you with a central dashboard and alerting capability to identify possibly infected systems. If you're using off-the-shelf antivirus software, you may be pleasantly surprised to learn that centralized products are often less expensive than buying individual protection for each computer on your network.
As mentioned earlier, antivirus software is not sufficient to detect all rootkits, which are designed to avoid detection at all costs. If you suspect a rootkit infection, you may wish to supplement your antivirus software with specialized software packages designed to ferret out rootkits. Examples of these packages include Microsoft's RootkitRevealer for Windows and the chkrootkit tool for Linux-based systems. Both of these packages are available for download at no cost.
Another more expensive option is to use file-integrity-monitoring software, such as the tools available from Tripwire Inc. These packages monitor all of the critical files on your system by performing periodic cryptographic hashes of each file and comparing those hashes to an established baseline. Deviation from the baseline may indicate the presence of malicious software on the system and merits further investigation. Due to the expense of these packages, they are not commonly used on workstations but rather are reserved for server monitoring in many environments.
Recovering a "rooted" system: How to remove the rootkits
If you suspect one of your systems has been "rooted," you don't have many options. While it's possible to try to reverse the infection and uninstall the rootkit, this is a difficult and perilous process. If you don't manage to completely remove the rootkit, it's likely that it will be able to repair itself and reinfect your system. Instead, most security professionals recommend that you completely rebuild any system with a known or suspected rootkit infection.
While rootkits are a scary proposition, it is certainly possible to defend your organization against them by combining the proactive implementation of controls such as antivirus software and user education with proven monitoring techniques.
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.