How to detect and remove rootkits with Windows encryption

Rootkits, derived from the most powerful of Unix system accounts known as 'root', have become a widespread concern for Windows users.

Some rootkits have been installed without obvious malice, such as the infamous Sony BMG copy-prevention incident, which installed rootkits from certain music CDs a couple years ago. These rootkits inadvertently opened up security holes for Windows users that could have been exploited by worms and viruses. Most rootkits are plainly malicious, however, and shouldn't be anywhere near Windows computers.

Rootkit removal and detection
OK, so let us agree that Windows rootkits are hugely problematical, the reason being that an IT administrator -- or anyone else, for that matter -- cannot see them. They install by stealth and remain stealthed. A well-written rootkit can hide files and folders, syst...

RELATED CONTENT Tech tips Code complexity analysis: How to keep it simple How to use Windows XP Mode in Windows 7 Understand role-based access control in Microsoft Exchange 2010 Avoid common Web application firewall configuration errors SQL injection detection tools and prevention strategies Cross-site scripting explained: How to prevent attacks How to automate and apply Microsoft Windows 7 AppLocker rules How to use Microsoft Windows 7 AppLocker for whitelisting applications Should you disable IE ESC, or manage it in Windows servers? Scanning with N-Stalker offers basic Web application security assessment Data Protection Solutions and Strategy Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Annual security reports offer some hope Creating and enforcing a clear-desk policy Safend expands data leakage prevention product to plug more gaps Threat and Vulnerability Management Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7 What to do with network penetration test results How to set your baseline with host integrity monitoring software A closer look at Internet Explorer 8 security features Security architects fear savvy botnet attacks, IPv6 security issues

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

em processes, registry entries, services, network connections and even pages of memory.

Rootkits themselves, of course, are not dangerous; it is the malware that they hide that does the damage. But the nature of rootkits is such that they can prevent detection of that malicious application. Even the most stringent security policies are useless against this kind of malware.

Think of it like this: Antivirus cannot protect against what it cannot see. Therefore it is important to ensure that security software can prevent rootkits from installing in the first place (or detect and remove them if already installed).

Most heavyweight commercial Windows antivirus products now come prepared to handle rootkits. The most effective will employ behavioural blocking techniques to watch for processes that are known to manipulate other processes, and stop them dead.

Windows encryption: Rootkits defeated
Some versions of Windows, such as Vista for example, come with built-in BitLocker Drive Encryption. That is the perfect tool to help mitigate the risks that rootkits present. BitLocker Drive Encryption offers sophisticated and effective rootkit prevention measures by verifying all the key data structures during the boot process. BitLocker Drive Encryption will abort if it spots anything untowards in the system tampering department.

For those without Vista, don't panic, as all is not lost. All Windows users can enable boot logging via msconfig.exe to create a list of drivers loaded into %SYSTEMROOT% that can be compared against what a booted system thinks is there. Driver discrepancies can be caused by kernel-mode rootkits installing a device driver, which hides everything after booting. Better still, follow best practice and do not allow everyone and their aunt to have administrator rights, as this decreases the opportunity for malware to install rootkits in the first place.

Windows BitLocker + TPM = Rootkit buster
Use BitLocker Drive Encryption for Windows Server and Vista where available. If at all possible, use BitLocker with a Trusted Platform Module (TPM) and throw in two-factor authorisation as well. This presents the double-whammy of validating every boot process component, ensuring it's secure before the volume is decrypted, and adding the assurance of a USB token into the mix for good measure. A TPM is used by BitLocker to store the root encryption key, hardening pre-boot security by a huge margin over hard drive-stored encryption keys, which are far more vulnerable to compromise.

About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.

Rate this Tip To rate tips, you must be a member of SearchSecurity.co.UK. Register now to start rating these tips. Log in if you are already a member. DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.