Rootkit means rebuild

So I was skimming Slashdot the other day and found this gem: It seems a program manager in Microsoft's Security Solutions Center came out and said that recovering from the newest breed of malware may be impossible. You know, time and again, I've asked those Redmond folks to be upfront and honest, and now here's one doing just that, and I'm still nauseated.

The gentleman was referring to the new spyware darlings, namely rootkits. You know, the things recently made so popular by the graces of visionary companies such as Sony. Thank you so much -- I'm boycotting the PS3 just for that (if it ever sees the light of day). These infestations don't hide in a piece of the PST file or duck into the bowels of IE. They dig just a bit deeper and hide themselves right in the OS kernel, running with the highest privileges the machine has -- hence the "root" moniker.

For some of the more popularly known, and thus unsuccessful, rootkits, Microsoft and other companies have come up with specific removal tools, although sometimes they, too, have nasty side effects because of how deep the infection has managed to burrow. Unfortunately, the unknown rootkit infections far outnumber the known ones, so waiting for a removal tool for your particular kernel malaise may be an exercise in futility.

So Microsoft offers the next logical solution: Wipe the OS and start over. Yeah, made me see red for a minute, too; but after thinking about it, I'm only seeing let's say pink. The tools to automate an OS rebuild are neither new nor difficult to come by. Altiris, CA, IBM, LANDesk, SMS, and a host of other companies provide desktop management platforms with tools that will save specific OS and application images on the network. They can push those images out to specific groups of clients or even a single machine. After that, you just reload that user's personal data off the network and he or she is good to go.

Only thing is, even with the right tools, that's much easier said than done. To make this effective, you must provide for client-side network backup, at the very least, daily and more likely several times during the day. That creates overhead for the client and is a strain on the network. Additionally, even backup solutions with open file managers work best if you target them at only a portion of the client disk -- and that means training your users to make sure all data is saved in those target folders only; not, for example, on their desktops. Not always easy.

Another way might be to provide for personal backup at every client station, I suppose. Maxtor OneTouch boxes only go for US$200 and would allow each station to have its own backup device right there. But that still requires user intervention -- which is never a good idea. Also, as Bob Garza has pointed out about the Seagate Mirra (a networkable OneTouch competitor), keeping these solutions running in constant backup mode tends to slow client performance to a point of severe frustration -- like with tufts of hair floating around the office.

Making such a solution work will mean purchasing new software; gathering all the relevant OS images and organizing them somehow (and you know that's going to take some meeting staff-hours); writing a policy on how users can save desktop data so it can be safely backed up to the network; testing network performance to make sure this works without crippling everyone; and then making sure all that user and OS data is kept somewhere that no rootkit infection can ever reach. Not a small order.

That's why I'm still seeing pink. I understand that kernel infections are difficult to remove, but why is it apparently so easy to get to the Windows kernel? And also apparently so easy to defeat the XP rollback feature that should have been protecting us from just such a problem? It's not rocket science to add something like a checksum routine that should be able to detect if anything in the kernel gets modified, so why is the responsibility for the safety of these files falling on us?
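Here is what the "checksum routine" in the paragraph above looks like in practice, as an added example that is not code from the column, from Microsoft or from any of the vendors named. It records a SHA-256 baseline of every file under a directory, then re-hashes the tree and reports anything modified, added or removed. The directory layout, file names and the tampering are constructed for the demo; on a real system the root would be the Windows system directory and the baseline would be written to media the host cannot alter.

```python
"""
Baseline-and-verify file integrity check, in the spirit of the kernel
checksum routine the column asks for. Added example, not the column's
or any vendor's code. The 'system32' tree and the tampering below are
constructed so the demo runs offline.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large images fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root: relative POSIX path -> sha256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            baseline[rel] = hash_file(full)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree under root against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: fake system tree, take baseline, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"
        (root / "drivers").mkdir(parents=True)
        (root / "ntoskrnl.exe").write_bytes(b"kernel image v1")
        (root / "drivers" / "disk.sys").write_bytes(b"disk driver v1")

        # In practice this JSON goes to read-only or removable media,
        # not to a file on the host being checked.
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # Simulate a rootkit patching the kernel image and adding a driver.
        (root / "ntoskrnl.exe").write_bytes(b"kernel image v1 + hook")
        (root / "drivers" / "evil.sys").write_bytes(b"hidden driver")

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The caveat a practitioner would add: a rootkit that already owns the kernel can lie to this script. It can hide the added driver from directory listings (the Sony rootkit hid its own files this way) or hand the hasher the original bytes of a patched file. The check is therefore only trustworthy when the disk is examined from outside the running OS, for example from separate boot media, with the baseline stored somewhere the infected host could never write.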

Perhaps Microsoft's program manager was speaking in the short term, and the company is working on just such safety measures now. I hope so, although I haven't heard anything to that effect. If not, then I see it as another block to Vista deployment. After all, if I have to put all this OS imaging and dynamic backup work in now, I'm not going to want to throw all that out in just a few months just to move to the next rootkit haven. I'm going to make that last as long as I can. Vista'll just have to wait.

Oliver Rist

InfoWorld