Defending Against Rootkits

We've been hearing a lot about rootkits lately. What's the best defense against them, and what's the best detector?

The old adage "an ounce of protection is worth a pound of cure" is incredibly apropos when it comes to rootkits. Rootkit writers and rootkit detection writers are engaged in an arms race. As soon as someone writes a better rootkit detector, someone else updates a rootkit so that it's even better camouflaged.

To look for evidence of one or more rootkits, detectors make requests to the OS for information such as file system listings, current processes, and active DLLs. Rootkits are designed to intercept those requests and " sanitize" the information (i.e., remove any evidence of themselves) from the OS before returning the information to the requesting application. Right now, both parties are locked into reactive mode because they both need to know what the other is looking for. A rootkit can successfully hide only if it knows what questions the detector is asking. A detector can find a rootkit only if it knows what questions to ask the OS that won't be intercepted by the rootkit.

The fancy technology in rootkits is all in how they hide themselves once installed. Bad guys use the same methods to deploy rootkits as other malware, including buffer overflows and tricking users to run arbitrary code under their context. If users are an administrator of their computer, a rootkit will install itself effortlessly unless the antivirus software running locally is monitoring the infection vector and has been updated with the rootkit's signature.

Because rootkits use the same methods for deployment as other malware, you can use the same preventive techniques to guard against rootkits. In fact, if you and your users are already following these practices, you already have good protection against rootkits: