What To Do If You’ve Been Rootkitted
Once you know you’ve got a rootkit, the question is what you should do about it. Your choices are somewhat limited. In spite of the difficulty of locating rootkits, detection is still the easy part of the problem. Getting rid of a modern rootkit, and making sure you’re rid of it, is much more difficult.
Some rootkit-detection tools (Blacklight, for example) will also remove some rootkits. However, because rootkit authors and detection vendors are locked in a continuing arms race, it’s difficult to be sure that a removal tool has caught everything. Worse, as the people who tried to remove the Sony rootkit discovered, attempting to remove a rootkit can leave the system unstable.
Rootkits vary enormously in how easy they are to remove. Some of them, especially earlier versions, are actually fairly easy to remove or disable. Some of the newer ones are much tougher to get rid of.
In fact, the conventional wisdom is that if you have a rootkit infestation, you should do a complete reinstall of the operating system and software. This involves saving the data files, reformatting the disks, and then reinstalling the operating system and applications from clean media. This solution is drastic, but it’s a measure of how sophisticated rootkits have become and how hard they are to get rid of.
Obviously, the best cure for a rootkit infestation is not to get one in the first place. There are several things you can do to keep from being rootkitted, most of which fall under the heading of basic security procedures:
- Keep your antivirus and anti-spyware software up to date.
- Use network and host-based firewalls.
- Keep your operating system patches current.
- Harden the operating system.
- Use strong authentication.
- Never use software from untrusted sources.
Rootkits are a difficult problem today, but the situation will probably improve rapidly as more vendors offer rootkit detection and removal products. One area that particularly needs work is to make anti-rootkit tools more like antivirus tools—that is, something the average Windows owner can use without specialized knowledge. Newer products, such as Blacklight, are already moving in that direction, and in the next 12 months we can expect to have more and better choices in the fight against rootkits.