How to detect and remove rootkits with Windows encryption

Rootkits, derived from the most powerful of Unix system accounts known as 'root', have become a widespread concern for Windows users.

Some rootkits have been installed without obvious malice, such as the infamous Sony BMG copy-prevention incident, which installed rootkits from certain music CDs a couple years ago. These rootkits inadvertently opened up security holes for Windows users that could have been exploited by worms and viruses. Most rootkits are plainly malicious, however, and shouldn't be anywhere near Windows computers.

Rootkit removal and detection
OK, so let us agree that Windows rootkits are hugely problematical, the reason being that an IT administrator -- or anyone else, for that matter -- cannot see them. They install by stealth and remain stealthed. A well-written rootkit can hide files and folders, system processes, registry entries, services, network connections and even pages of memory.

Rootkits themselves, of course, are not dangerous; it is the malware that they hide that does the damage. But the nature of rootkits is such that they can prevent detection of that malicious application. Even the most stringent security policies are useless against this kind of malware.

Think of it like this: Antivirus cannot protect against what it cannot see. Therefore it is important to ensure that security software can prevent rootkits from installing in the first place (or detect and remove them if already installed).

Most heavyweight commercial Windows antivirus products now come prepared to handle rootkits. The most effective will employ behavioural blocking techniques to watch for processes that are known to manipulate other processes, an

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Tech tips A review of Nmap scan options and timing templates How to test a firewall with Nmap Rootkit Hunter demo: Detect and remove Linux rootkits Using Nmap to scan for open ports, updated servers and more How to perform Nmap scans and port checks Installation tips before beginning Nmap port scans NAC and endpoint security: The hard questions Securing Windows services to prevent hacker attacks Windows security: Remote Desktop, hosts file and keyboard lock down How to prevent SQL Server and Internet Explorer hack attacks Data Protection Solutions How to enforce an enterprise data leak prevention policy Companies underestimate Web 2.0, social networking threat, says survey RSA council addresses growing security risks in the cloud Attackers use ATM malware to steal track data, PINs CSA, Jericho Forum unite on cloud computing security message How to create a data classification policy Trust eroding as social engineering attacks climb in 2009, says Kaspersky expert Organizations struggle with data leakage prevention, rights management Simple information security mistakes can cause data loss, says expert Microsoft warns of IIS zero-day vulnerability Threat Management Web application firewall's value depends on what the effort you put in Firewall rule management best practices Cybercrime attacks, IT outsourcing, mobile malware top ISF threat list Buying botnets: Underground network marks ominous 'milestone' Gartner sees better days ahead for security budgets How to secure the Border Gateway Protocol Coping with top security in a world of deperimeterization Computer misuse cases: Get there before the bad guys IT overhaul results in cheaper, better endpoint security management 2009 Royal Holloway University of London MSc thesis series

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

d stop them dead.

Windows encryption: Rootkits defeated
Some versions of Windows, such as Vista for example, come with built-in BitLocker Drive Encryption. That is the perfect tool to help mitigate the risks that rootkits present. BitLocker Drive Encryption offers sophisticated and effective rootkit prevention measures by verifying all the key data structures during the boot process. BitLocker Drive Encryption will abort if it spots anything untowards in the system tampering department.

For those without Vista, don't panic, as all is not lost. All Windows users can enable boot logging via msconfig.exe to create a list of drivers loaded into %SYSTEMROOT% that can be compared against what a booted system thinks is there. Driver discrepancies can be caused by kernel-mode rootkits installing a device driver, which hides everything after booting. Better still, follow best practice and do not allow everyone and their aunt to have administrator rights, as this decreases the opportunity for malware to install rootkits in the first place.

Windows BitLocker + TPM = Rootkit buster
Use BitLocker Drive Encryption for Windows Server and Vista where available. If at all possible, use BitLocker with a Trusted Platform Module (TPM) and throw in two-factor authorisation as well. This presents the double-whammy of validating every boot process component, ensuring it's secure before the volume is decrypted, and adding the assurance of a USB token into the mix for good measure. A TPM is used by BitLocker to store the root encryption key, hardening pre-boot security by a huge margin over hard drive-stored encryption keys, which are far more vulnerable to compromise.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.