That said, the recent attention paid to rootkits has produced a raft of free, host-based discovery and removal tools, including IceSword, RootkitRevealer, F-Secure's BlackLight, and Sophos Anti-Rootkit. Bear in mind that these tools run on the very host they inspect, so a rootkit that already controls the kernel can lie to them; their findings should be cross-checked against a view the rootkit does not control, such as network monitoring. Over time, these functions are likely to be folded into enterprise-grade anti-virus and host-based security products. In the meantime, however, most organizations remain unprepared -- all the more troubling, given that opportunism is pushing rootkit know-how deeper underground, out of the IT community spotlight.
In the past, innovations in the art of hiding rootkits were shared in newsgroups and posted to community Web sites. The financial upside of having rootkit knowledge, however, is changing that, MANDIANT's Butler says. Those who uncover new approaches may take their discovery to a security company as a calling card to obtain a job. More disturbing is the amount of money malware authors are willing to pay for new techniques. With both sides of the divide doling out cash for the latest innovations, rootkit development is clearly becoming a lucrative pursuit -- one that leaves most organizations in the lurch, unaware of what's coming.
To reduce the probability and impact of rootkit infection, organizations should take the following proactive steps:
1. Do not ignore the threat, and do not rely entirely on deployed anti-virus or host security systems.
2. Develop and implement a plan to analyze the current state of all systems.
3. Establish proactive procedures for maintaining and expanding defenses against rootkit installation attempts, including policies and end-user communication.
4. Create a plan to analyze any infections that occur.
Kevin Mandia, president and CEO of MANDIANT, notes two essential capabilities for discovering rootkits in the enterprise: "the ability -- tools and technology -- to detect the rootkit's network traffic via network security monitoring; and the ability to perform a sophisticated host-based console review, [making sure you're] able to conclude that the host-based review did not identify the process that is generating the suspicious network traffic."
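A concrete version of the cross-view check Mandia describes, as an added example that is not part of the original article or of MANDIANT's tooling: it takes the connections a network sensor recorded for one host and the socket table and process list that host itself reports, then flags every flow the host cannot account for, either because the socket is missing from its own table or because the PID it names does not appear in its process list. The sensor log layout, the host address 10.0.0.5, the netstat and tasklist excerpts and all PIDs are constructed sample data, not captured output.

```python
"""Cross-view rootkit check: flows seen on the wire vs. sockets the host admits to."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str        # "tcp" or "udp"
    local_ip: str     # the monitored host's end
    local_port: int
    remote_ip: str
    remote_port: int


# Constructed sample input: connections a network sensor recorded involving host 10.0.0.5.
# Columns: proto orig_ip orig_port resp_ip resp_port (an assumed, simplified layout,
# not any particular sensor's real format).
SENSOR_LOG = """\
tcp 10.0.0.5 49152 93.184.216.34 443
tcp 10.0.0.5 49153 198.51.100.7 8443
tcp 10.0.0.5 49154 203.0.113.9 6667
tcp 10.0.0.5 49155 198.51.100.7 8443
"""

# Constructed sample input: `netstat -ano` output as reported by the (possibly rootkitted) host.
# Two of the sensor's four flows are simply not listed here.
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49152         93.184.216.34:443      ESTABLISHED     1234
  TCP    10.0.0.5:49153         198.51.100.7:8443      ESTABLISHED     4711
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
"""

# Constructed sample: PID -> image name from `tasklist` on the same host. PID 4711 owns a
# socket above but is missing here, i.e. the process list does not show it.
HOST_PROCESSES = {1234: "chrome.exe", 880: "svchost.exe"}


def parse_sensor_log(text, host_ip):
    """Parse sensor records into Flow objects oriented so host_ip is the local end."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, a_ip, a_port, b_ip, b_port = parts
        if b_ip == host_ip and a_ip != host_ip:   # inbound flow: swap ends
            a_ip, a_port, b_ip, b_port = b_ip, b_port, a_ip, a_port
        flows.add(Flow(proto.lower(), a_ip, int(a_port), b_ip, int(b_port)))
    return flows


# proto, local ip:port, foreign ip:port (or *:* for unconnected UDP), optional state, PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+?):(\d+|\*)\s+(?:[A-Z_]+\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Map each socket the host reports to the PID the host attributes it to."""
    sockets = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, pid = m.groups()
        if rport == "*":
            continue   # unconnected UDP listener; nothing to correlate with a flow
        sockets[Flow(proto.lower(), lip, int(lport), rip, int(rport))] = int(pid)
    return sockets


def unaccounted_flows(sensor_flows, host_sockets, host_processes):
    """Return (flow, reason) pairs the host-based view cannot explain."""
    findings = []
    for flow in sorted(sensor_flows, key=lambda f: (f.local_port, f.remote_port)):
        pid = host_sockets.get(flow)
        if pid is None:
            findings.append((flow, "not in host socket table"))
        elif pid not in host_processes:
            findings.append((flow, f"socket owned by PID {pid}, which no process listing shows"))
    return findings


if __name__ == "__main__":
    flows = parse_sensor_log(SENSOR_LOG, "10.0.0.5")
    sockets = parse_netstat(HOST_NETSTAT)
    for flow, reason in unaccounted_flows(flows, sockets, HOST_PROCESSES):
        print(f"{flow.proto} {flow.local_ip}:{flow.local_port} -> "
              f"{flow.remote_ip}:{flow.remote_port}: {reason}")
```

On the sample data this reports three of the four flows: one whose owning PID the host's process list does not show, and two the host's socket table omits entirely. A discrepancy is a candidate hidden process, not proof of one (a short-lived connection that ended between the two snapshots looks the same), so collect the network and host views as close together in time as possible, and treat a persistent gap as the trigger for memory or disk forensics rather than for running more tools on the suspect host.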
For organizations seeking added protection against rootkits, enlisting outside security experts is worthwhile. MANDIANT, for one, provides incident-response software and professional services, enabling organizations to tap experts when developing risk-mitigation strategies and when responding to incidents to determine what data was lost and how the attack entered and evolved.
Unfortunately, too many organizations will wait until they have lost data and have exposed themselves to great financial harm before taking steps. Don't be one of them.