Rootkit means rebuild
- 10 April, 2006 11:26
So I was skimming Slashdot the other day and found this gem: Seems a program manager in Microsoft's Security Solutions Center came out and said that recovering from the newest breed of malware may be impossible. You know, time and again, I've asked those Redmond folks to be upfront and honest, and now here's one doing just that, and I'm still nauseated.
The gentleman was referring to the new spyware darlings, namely rootkits. You know, the things recently made so popular by the graces of visionary companies such as Sony. Thank you so much -- I'm boycotting the PS3 just for that (if it ever sees the light of day). These infestations don't hide in a piece of the PST file or duck into the bowels of IE. They dig just a bit deeper and hide themselves right in the OS kernel -- hence the "root" moniker.
For some of the more popularly known, and thus unsuccessful, rootkits, Microsoft and other companies have come up with specific removal tools, although sometimes they, too, have nasty side effects because of how deep the infection has managed to burrow. Unfortunately, the unknown rootkit infections far outnumber the known ones, so waiting for a removal tool for your particular kernel malaise may be an exercise in futility.
So Microsoft offers the next logical solution: Wipe the OS and start over. Yeah, made me see red for a minute, too; but after thinking about it, I'm only seeing, let's say, pink. The tools to automate an OS rebuild are neither new nor difficult to come by. Altiris, CA, IBM, LANDesk, SMS, and a host of other companies provide desktop management platforms with tools that will save specific OS and application images on the network. They can push those images out to specific groups of clients or even a single machine. After that, you just reload that user's personal data off the network and he or she is good to go.
Only thing is, even with the right tools, that's much easier said than done. To make this effective, you must provide for client-side network backup at the very least daily, and more likely several times during the day. That creates overhead for the client and is a strain on the network. Additionally, even backup solutions with open file managers work best if you target them at only a portion of the client disk -- and that means training your users to make sure all data is saved in those target folders only; not, for example, on their desktops. Not always easy.
Another way might be to provide for personal backup at every client station, I suppose. Maxtor OneTouch boxes only go for US$200 and would allow each station to have its own backup device right there. But that still requires user intervention -- which is never a good idea. Also, as Bob Garza has pointed out about the Seagate Mirra (a networkable OneTouch competitor), keeping these solutions running in constant backup mode tends to slow client performance to a point of severe frustration -- like with tufts of hair floating around the office.
Making such a solution work will mean purchasing new software; gathering all the relevant OS images and organizing them somehow (and you know that's going to take some meeting staff-hours); writing a policy on how users can save desktop data so it can be safely backed up to the network; testing network performance to make sure this works without crippling everyone; and then making sure all that user and OS data is kept somewhere that no rootkit infection can ever reach. Not a small order.
That's why I'm still seeing pink. I understand that kernel infections are difficult to remove, but why is it apparently so easy to get to the Windows kernel? And also apparently so easy to defeat the XP rollback feature that should have been protecting us from just such a problem? It's not rocket science to add something like a checksum routine that should be able to detect if anything in the kernel gets modified, so why is the responsibility for the safety of these files falling on us?
Perhaps Microsoft's program manager was speaking in the short term, and the company is working on just such safety measures now. I hope so, although I haven't heard anything to that effect. If not, then I see it as another block to Vista deployment. After all, if I have to put all this OS imaging and dynamic backup work in now, I'm not going to want to throw all that out in just a few months just to move to the next rootkit haven. I'm going to make that last as long as I can. Vista'll just have to wait.