Step-by-Step Guide: Finding and removing a rootkit

It's difficult -- but not impossible -- to be totally sure that your system is 100% rootkit free, says Windows security expert Kevin Beaver. In this step-by-step guide, Beaver shows you how to strengthen your Windows systems against the rootkit threat.

In a nutshell, rootkits are nasty programs that can load on boot or temporarily live in memory and run in user mode (aka ring 3 for you processor gurus) and kernel mode (aka protected mode or ring 0).

Rootkits became pervasive in the Unix world, but the technology and its threat are slowly and surely bleeding into the Windows environment. They manipulate Windows by taking over the operating system -- even inside a virtual machine -- with the goal of hiding malware and controlling any or all aspects of the system.

Rootkits are relatively easy to install on victim hosts. To upload a rootkit, a determined attacker can do everything from exploit a Windows vulnerability to crack a password or even obtain physical system access. They can even con users into running an executable file in an email attachment or via a hyperlink distributed via email or instant messaging. Once they're in place, as you're likely to find out, rootkits aren't so easy to find or get rid of.

The rootkit threat is not as widespread as viruses and spyware. Given this fact, and the lack of a truly effective rootkit prevention solution, handling rootkits is largely a reactive process.

Here are various techniques and tools for finding rootkits and rootkit removal from your systems if you suspect an infection:

Finding and removing a rootkit

 Home: Introduction
 Step 1: Is there a problem
 Step 2: Choose the right scanning tool
 Step 3: Clean up the mess
 Step 4: Bulletproof your efforts
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including Hacking For Dummies, Hacking Wireless Networks For Dummies, Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ Copyright 2006 TechTarget

Dig Deeper on Enterprise desktop management

Virtual Desktop