Rootkit means rebuild

So I was skimming Slashdot the other day and found this gem: Seems a program manager in Microsoft's Security Solutions Center came out and said that recovering from the newest breed of malware may be impossible. You know, time and again, I've asked those Redmond folks to be upfront and honest, and now here's one doing just that, and I'm still nauseated.

The gentleman was referring to the new spyware darlings, namely rootkits. You know, the things recently made so popular by the graces of visionary companies such as Sony. Thank you so much -- I'm boycotting the PS3 just for that (if it ever sees the light of day). These infestations don't hide in a piece of the PST file or duck into the bowels of IE. They dig just a bit deeper and hide themselves right in the OS kernel -- hence the "root" moniker.

For some of the more popularly known, and thus unsuccessful, rootkits, Microsoft and other companies have come up with specific removal tools, although sometimes they, too, have nasty side effects because of how deep the infection has managed to burrow. Unfortunately, the unknown rootkit infections far outnumber the known ones, so waiting for a removal tool for your particular kernel malaise may be an exercise in futility.

So Microsoft offers the next logical solution: Wipe the OS and start over. Yeah, it made me see red for a minute, too; but after thinking about it, I'm only seeing, let's say, pink. The tools to automate an OS rebuild are neither new nor difficult to come by. Altiris, CA, IBM, LANDesk, SMS, and a host of other companies provide desktop management platforms with tools that will save specific OS and application images on the network. They can push those images out to specific groups of clients or even a single machine. After that, you just reload that user's personal data off the network and he or she is good to go.

Only thing is, even with the right tools, that's much easier said than done. To make this effective, you must provide for client-side network backup, at the very least, daily and more likely several times during the day. That creates overhead for the client and is a strain on the network. Additionally, even backup solutions with open file managers work best if you target them at only a portion of the client disk -- and that means training your users to make sure all data is saved in those target folders only; not, for example, on their desktops. Not always easy.

Another way might be to provide for personal backup at every client station, I suppose. Maxtor OneTouch boxes only go for US$200 and would allow each station to have its own backup device right there. But that still requires user intervention -- which is never a good idea. Also, as Bob Garza has pointed out about the Seagate Mirra (a networkable OneTouch competitor), keeping these solutions running in constant backup mode tends to slow client performance to a point of severe frustration -- like with tufts of hair floating around the office.

Making such a solution work will mean purchasing new software; gathering all the relevant OS images and organizing them somehow (and you know that's going to take some meeting staff-hours); writing a policy on how users can save desktop data so it can be safely backed up to the network; testing network performance to make sure this works without crippling everyone; and then making sure all that user and OS data is kept somewhere that no rootkit infection can ever reach. Not a small order.

That's why I'm still seeing pink. I understand that kernel infections are difficult to remove, but why is it apparently so easy to get to the Windows kernel? And also apparently so easy to defeat the XP rollback feature that should have been protecting us from just such a problem? It's not rocket science to add something like a checksum routine that should be able to detect if anything in the kernel gets modified, so why is the responsibility for the safety of these files falling on us?

Perhaps Microsoft's program manager was speaking in the short term, and the company is working on just such safety measures now. I hope so, although I haven't heard anything to that effect. If not, then I see it as another block to Vista deployment. After all, if I have to put all this OS imaging and dynamic backup work in now, I'm not going to want to throw all that out in just a few months just to move to the next rootkit haven. I'm going to make that last as long as I can. Vista'll just have to wait.

Oliver Rist
