Experts generally agree that it is difficult to guesstimate how many computers are compromised by malicious rootkits, but numbers appear to be climbing if the growing list of known rootkits is any indication. Infections are believed highest in the U.S., with as many as one computer out of every four infected, according to at least one estimate. Unfortunately, it isn’t easy to detect a rootkit as one of its main functions is to remain hidden. Software packages called “anti-rootkits” are available to scan for rootkits, but prevention is strongly recommended.
In some cases there can be telltale signs that a rootkit is present on a system. For example, a user might be doing word processing or simple Internet surfing when he or she notices the computer is processing data exceedingly slowly. Upon checking the system it may become clear the central processing unit (CPU) is unusually busy with little free capacity. This could be because the CPU is doing background work for a rootkit. A poorly written rootkit might also cause a computer to crash repeatedly, though these problems could also be attributable to other causes.
To be safe it’s best to check your computer for rootkits weekly, then back up the clean system to safeguard against future problems. Some anti-rootkit packages offer to remove certain types of rootkits, but it is generally recommended that if a rootkit is found, the hard drive be reformatted and the system rebuilt. It is very difficult to be sure that a rootkit is completely removed, and in some cases removing a rootkit can leave “holes” in the system, rendering it unstable.
There are several types of rootkits and not all scanning programs look for all types of rootkits. “Signature-based” anti-rootkits look for known rootkits, which can be helpful if your system is infected with a known kit, but new rootkits are released into the wild every day. Other anti-rootkit programs look for rootkits in files, but not in the registry.
Anti-rootkit software from an untrusted source might actually be designed to install a rootkit rather than scan for one, making it wise to stick with programs released by well-known software companies that specialize in security software. A few popular anti-rootkit programs that fall into this category include AVG Anti-Rootkit, F-Secure’s BlackLight, Sophos Anti-Rootkit, and Panda’s Anti-Rootkit.
In April 2007 PC Magazine™ tested and reviewed several anti-rootkit programs for effectiveness. The Editor’s Choice went to Panda’s Anti-Rootkit, reported as delving deeper into the system than the other rootkit finders reviewed at the time. Panda Anti-Rootkit also found all planted rootkits in the test and like many other anti-rootkits, it’s free. Using more than one anti-rootkit program might also be prudent.
A sensible protocol to follow is to scan for rootkits weekly, then clone the hard disk or back up the system to an image located on a secondary drive. Using this strategy, if a rootkit should be found you needn’t rely on removal. A recent disk image allows the option of reformatting the infected drive, then restoring the image to ensure a clean, stable system with little downtime.
To prevent downloading rootkits, avoid opening email that arrives from unknown sources, keep your operating system patched with the latest hotfixes, and run anti-virus and anti-spyware programs with current updates. To further minimize risk, use a firewall and don’t allow websites to install software unless you are sure the site can be trusted.