A Reminder about Rootkits

 

Rootkit stories show up in the mainstream media on a regular basis these days. While these stories raise public awareness about what the bad guys are doing, they usually leave readers wondering what they can do to protect themselves from silent threats infecting their computers at home and in the office. 
Broadly defined, a rootkit is any software that acquires and maintains privileged access to the operating system (OS) while hiding its presence by subverting normal OS behavior. A rootkit typically has three goals: 
 
  1. A rootkit wants to be able to run without restriction on a target computer. 
  2. It wants to elude being detected by the computer or an installed security product. 
  3. It wants to deliver its payload, such as stealing passwords or network bandwidth, or installing other malicious software.
 
So what can you do (other than re-build your computer every time) if you suspect it is infected? Even if you do not suspect anything is wrong with your computer (since that is what rootkit authors want), how can you be certain that some malicious code is not hiding there? When news stories cover these threats, they usually say that users should make sure that they are running security software and that it is up to date. But if a rootkit is already running and hiding from your security software, how does keeping it up to date help?
 
Symantec security products such as Norton Internet Security and Symantec Endpoint Protection include a number of technologies that are designed to prevent, detect, and remove rootkits without being fooled by the tricks rootkits use to remain hidden. Using a variety of technologies working individually and together, these products provide top-quality protection against rootkits. The components work together as a protection stack by monitoring a variety of inputs and behaviors on a protected system and sharing that information in order to get a complete picture of a potential attack, while still maintaining a low false-positive rate.
 
For a more in depth look at rootkits and how to protect yourself against such threats, please see the Symantec Security Response whitepaper on Rootkits.