Rootkits Can Be Detected And Eradicated
A set of software tools meant to hide running processes, files or system data is referred to as a 'rootkit'. Rootkits are used to gain unauthorized access to a system without being detected.
Detecting and removing rootkits can be frustrating. This malicious code, increasingly used to conceal malware or adware, makes identification and eradication of rootkits either quite simple or almost impossible, depending on which security agency is addressing the issue.
This contrasting opinion puzzles corporate security managers and systems administrators who take on the task of defending against rootkits placed somewhere on desktops, servers and databases. Software products that promise to detect and remove rootkits are few in the market; however, vendors have resolved to achieve the required results.
The basic problem with rootkit detection is that the operating system currently running cannot be trusted. This means that a request for the list of all running programs, or the list of files in a directory, may not behave the way its original designers intended. Some existing rootkit detectors that run on live systems work only because the rootkits developed so far cannot conceal themselves completely. They are still not foolproof.
Even the far-sighted security firms that provide rootkit detection and eradication tools find it tricky to wipe the treacherous code, which installs itself into the operating system to secretly keep backdoors, worms or other processes running.
A rootkit can also be detected by a file-by-file comparison performed while running an uninfected copy of the system under test. In this technique the infected system is treated purely as data, so the rootkit never runs and cannot interfere. This makes discovery of the rootkit and its payload easy. However, this situation rarely arises, as virtually no one keeps a reference copy of their system. Moreover, systems constantly undergo legitimate changes that make simple file comparison difficult.
Real-life rootkit detectors have to function from within the potentially infected system. One such detector is 'BlackLight'. The product detects running rootkits by comparing the file list reported by the operating system with the actual list read from the disk. However, some rootkits add this particular program to the list of processes to which they expose the hidden files; the difference between the two listings then disappears and the detector does not report them.
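The two approaches described above, as an added Python example that is not part of the article or of BlackLight's own code: an offline manifest comparison against a clean reference copy, and a cross-view diff of the OS-reported listing against the raw disk listing. The file names and directory trees are constructed samples.

```python
import hashlib
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(reference: dict, suspect: dict) -> dict:
    """Offline comparison: the suspect image is read as plain data from a clean
    system, so a rootkit inside it never runs and cannot filter what we see."""
    ref, sus = set(reference), set(suspect)
    return {"added": sorted(sus - ref),
            "removed": sorted(ref - sus),
            "modified": sorted(p for p in ref & sus if reference[p] != suspect[p])}

def cross_view_diff(api_view, raw_view) -> dict:
    """Live, BlackLight-style comparison: names in the raw disk listing that the
    running OS does not report are candidates for being hidden. An empty result
    is not a clean bill, since a rootkit that exempts the detector's own process
    from its filtering makes the two views agree (the evasion described above)."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden_from_api": sorted(raw - api), "only_in_api": sorted(api - raw)}

def demo() -> dict:
    """Constructed sample trees (not from the article): the suspect copy has one
    altered config file and one dropped-in driver file."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        ref, sus = Path(tmp, "reference"), Path(tmp, "suspect")
        for root in (ref, sus):
            (root / "system32").mkdir(parents=True)
            (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel image")
        (ref / "system32" / "drivers.cfg").write_bytes(b"driver=a")
        (sus / "system32" / "drivers.cfg").write_bytes(b"driver=a\ndriver=rk")
        (sus / "system32" / "rk.sys").write_bytes(b"hidden driver")
        return compare_manifests(build_manifest(ref), build_manifest(sus))

if __name__ == "__main__":
    print(demo())
    print(cross_view_diff(["svchost.exe"], ["svchost.exe", "rk.sys"]))
```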
The most disappointing part is that whenever an existing product is updated or a new product is designed, the creators of rootkits also update their malware to evade detection. Consequently the vicious race goes on, leaving systems administrators and their computers vulnerable.
Rootkits that interfere with the operating system itself require full Administrator rights to be installed. Thus if Windows is run from an account with lesser privileges, the infection can be avoided.
Related article: Rootkits Low; Bot & Trojan Infection High
» SPAMfighter News - 31-08-2006