128. Dealing with rootkits
By Andrew D. Wright
By now nearly everyone has heard the message that they need to protect
their computer from the bad guys.
If you're running a Windows computer, this takes the form of running
Windows Update on the second Tuesday of the month to get the latest
updates to the Windows operating system, or setting up the automatic
updates option to download these critical updates.
You should also have a good anti-virus program and make sure that it has
today's virus definitions.
There are also several good free anti-spyware programs to help keep
malware off your computer, malware being programs which may look innocent
but which do bad things you may not necessarily be aware of.
Basically the name of the game is for criminal networks to gain access to
your computer and use it to do bad things. It has become big business:
millions of home and small business computers have been taken over by the
bad guys and these computers have become slaves of the botnets.
These slave computers live secret other lives, sending out their users'
passwords and confidential information to crime networks on the other side
of the world. Your online banking session may be encrypted and safe from
prying eyes but if your computer is on a botnet your keystrokes can be
read and sent off to strangers. Your computer might be filling up with
loads of new Viagra ads or fake Rolex ads or cheap pharmaceuticals ads and
spewing them out by the millions to besieged mail servers all over the
internet.
Back in the good old days, the main way to get at your computer was with a
virus. This still happens but it is a lot harder for the bad guys than it
used to be - most mail servers scan for viruses before the mail hits your
mailbox and many users do use anti-virus products. Sending infected
attached files in email is still done but many users simply stopped
opening attachments.
Ever resourceful, the bad guys started putting links in their mail. Click
here for a card from a friend. Click here for free money. Click here for
naked pictures of the starlet of the week. When you click here, you get
some malware. If you are the careful sort and scan any new file you
download for viruses and spyware before opening it, you can stop most
of these attempts at taking over your computer.
Suppose you let one through though. These days the bad guys don't want
their precious payload detected out in the open on your hard drive, they
put too much work in getting it there, so they hide it with rootkits.
A rootkit is a program that loads very early, usually as a driver or
system service when the computer starts up, and uses that position to
hide itself from the rest of the operating system. Whenever Windows is
asked to list files, running programs or registry entries, the rootkit
quietly removes its own from the answer, so the operating system and
everything that relies on it are told that all is fine.
Your anti-virus program, which asks the operating system those same
questions, will pass it by, not knowing it is there. You won't be able
to find its files on your hard drive and your spyware program won't know
anything is amiss. The rootkit is the ghost in your machine.
The thing is, nothing is perfect and there are ways to find rootkits.
A rootkit has to lie without the lie showing, and a dedicated scanner
looks for the seams, for example by comparing what Windows reports with
what is actually written on the disk. Several anti-virus and
anti-malware companies have made available free anti-rootkit software
you can use to find rootkits and remove them. If one turns up, bear in
mind that a rootkit can hide from the program trying to remove it just
as it hid from everything else; the surest cure is a clean reinstall of
Windows.
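How a scanner can catch what the ordinary anti-virus program misses, as an added example that is not from this column or from any of the tools listed below: a rootkit filters the answers Windows gives, so the detector asks the same question twice, once through the normal Windows calls and once from a source the rootkit does not control (raw disk sectors, the on-disk registry hive), and reports anything that appears in only one answer. This is the cross-view idea that Microsoft's RootkitRevealer page describes. The Python below carries out that comparison over two constructed sample listings; a real scanner would replace the sample lists with its two live enumerations. Every path, the temp-folder rule and the `example_hidden.sys` entry are made up for illustration.

```python
"""Cross-view rootkit detection, simplified.

Added example, not code from The Mousepad column or from any of the
anti-rootkit tools it lists.  A rootkit hides by filtering what the
operating system reports through its ordinary calls.  A cross-view
detector gathers the same listing twice, once through those ordinary
calls (the "API view") and once from a source the rootkit does not
control, such as raw disk sectors or the on-disk registry hive (the
"raw view"), and reports every entry present in only one of the two.

The two listings below are CONSTRUCTED sample data standing in for a
real scan.  The "hidden" driver name and every path are made up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str   # normalized path or registry key
    kind: str   # "hidden", "api_only" or "low_confidence"
    note: str   # why it was reported


def normalize(entry: str) -> str:
    """Windows paths are case-insensitive and accept either slash, so two
    spellings of one file must not be reported as a discrepancy."""
    return entry.replace("/", "\\").lower()


def cross_view_diff(api_view, raw_view, volatile_prefixes=("C:\\Windows\\Temp\\",)):
    """Compare the API view with the raw view.

    Entries on disk but missing from the API view are the classic rootkit
    signature.  Entries seen only by the API are either files that vanished
    between the two scans or something worth a second look.  Either kind,
    when it sits under a location that legitimately churns (temp folders,
    logs), is downgraded to low confidence: a scan is not atomic, and files
    created or deleted between the two passes look exactly like
    discrepancies.  A real tool would rescan such entries before alarming.
    """
    vol = tuple(normalize(p) for p in volatile_prefixes)
    api = {normalize(e) for e in api_view}
    raw = {normalize(e) for e in raw_view}
    findings = []
    for entry in sorted(raw - api):
        if entry.startswith(vol):
            findings.append(Finding(entry, "low_confidence",
                                    "on disk but not in API view; volatile location, possibly a race between scans"))
        else:
            findings.append(Finding(entry, "hidden",
                                    "on disk, missing from the API view: the operating system is not reporting it"))
    for entry in sorted(api - raw):
        if entry.startswith(vol):
            findings.append(Finding(entry, "low_confidence",
                                    "in API view but not on disk; volatile location, possibly deleted between scans"))
        else:
            findings.append(Finding(entry, "api_only",
                                    "reported by the API but not found on disk: deleted between scans or a decoy"))
    return findings


def summarize(findings):
    """Group finding paths by kind, in report order."""
    out = {"hidden": [], "low_confidence": [], "api_only": []}
    for f in findings:
        out[f.kind].append(f.path)
    return out


# CONSTRUCTED sample listings.  The extra driver under drivers\ is the
# planted "rootkit" entry: present on disk, filtered out of the API answer.
API_VIEW = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Users\andrew\Documents\letter.doc",
    r"C:\Windows\Temp\tmp1234.tmp",                      # deleted after the API pass
]
RAW_VIEW = [
    r"C:\Windows\System32\KERNEL32.DLL",                 # same file, different case
    r"C:\Windows\System32\drivers\tcpip.sys",
    r"C:\Windows\System32\drivers\example_hidden.sys",   # constructed hidden entry
    r"C:\Users\andrew\Documents\letter.doc",
    r"C:\Windows\Temp\tmp9999.tmp",                      # created after the API pass
]

if __name__ == "__main__":
    for f in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{f.kind:15} {f.path}  ({f.note})")
```

The temp-folder rule is the part that matters in practice: the two passes of a real scan are seconds or minutes apart, and a file that came or went in between is the usual false alarm, so a discrepancy in a churning location is worth a rescan rather than an immediate verdict.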
Chebucto Community Net recommended software
(includes anti-virus and anti-spyware programs with free versions):
http://www.chebucto.ns.ca/news/#software
Sophos anti-rootkit software (free):
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
AVG anti-rootkit software (free): [NO LONGER AVAILABLE]
http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5
F-Secure BlackLight rootkit eliminator (free - link on page):
http://www.f-secure.com/security_center/
Avira anti-rootkit tool (free - link on page):
http://www.avira.de/en/support/support_downloads.html
Microsoft Sysinternals Rootkit Revealer (free):
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
The Mousepad runs every two weeks. It's a service of Chebucto Community
Net, a community-owned Internet provider. If you have a question about
computing, email mousepad@chebucto.ns.ca. If we use your question
in a column, we'll send you a free mousepad.
Originally published 21 March 2008