Worse than malware
July 21, 2010 3:03 PM

How to protect against rootkits? Our computer was down with what we thought was malware but turned out to be a rootkit from China according to our computer guy (which would explain why we weren't able to take care of problems ourselves.) Any of y'all have any suggestions to keep this kind of stuff off our computers in future?
posted by St. Alia of the Bunnies to Computers & Internet (17 answers total) 3 users marked this as a favorite
 
Response by poster: Oh and this would be our family computer not the ones at work that had a bad malware attack last week. Been a bad month to be a computer in my world!
posted by St. Alia of the Bunnies at 3:10 PM on July 21, 2010


Best answer: Don't run your computer as an administrator. If you do this one thing, you will never be afflicted by a rootkit.

If you're using XP, you'd be well-served to upgrade to Windows 7, which by default limits the usage of administrative rights. But even there, you're better off using a non-admin user account.
posted by me & my monkey at 3:28 PM on July 21, 2010


Best answer: You mean, aside from the obvious (don't install anything that you don't know has a credible source; don't share data sources with known targets of infection; check and use digital signatures on programs you install from the internet; etc.)?

Rootkits are nasty things because they corrupt the very tools you use when you go looking for them. And antivirus programs, especially the more common ones, can't be trusted to protect you, because they can be tricked as well.

Your only real way to know you're safe from rootkits is to maintain a clean bootable version of your operating system that you can use -- probably in safe mode -- to test the drives you think might be infected.

And also, keep good, regular backups of your system so that if you do get tainted, you can fall back to a clean version.
posted by crunchland at 3:28 PM on July 21, 2010


Best answer: Don't run your computer as an administrator. If you do this one thing, you will never be afflicted by a rootkit.

This, this, a thousand times this.
posted by The Michael The at 3:30 PM on July 21, 2010


Response by poster: Yep, we use XP. I am now in process of heavily suggesting the upgrade to 7. And I will have my hubs fix it so I run as a user not admin, although he claims I will complain about it. I think I complain more when my computer goes blooie, so whatever.

Can't believe I never heard of a rootkit before now.
posted by St. Alia of the Bunnies at 3:51 PM on July 21, 2010


If you have Adobe Acrobat Reader, you might want to turn off its ability to execute JavaScript. The only viruses I've gotten over the last few years have been via poisoned PDF files that are served through various affiliate ad networks that had somehow been hacked/compromised. You visit a web page, Firefox/IE loads the poisoned PDF file in the ad, the JavaScript code executes and you end up with a virus. I've been infected with TDSS twice in the last year via this vector, and that thing is one nasty piece of work.
posted by SweetJesus at 4:26 PM on July 21, 2010


I'm not going to pass up this opportunity to mention Ubuntu Linux. It is extremely easy to use, free, and runs as non-admin by default. I've used Ubuntu for the past 4 years, using the default network configuration, and have had absolutely no issues. (I do have a strong firewall at the entry to my network though!).

You can even download it and install it as a "program" in Windows and try it out.

A lot of people will tell you that Linux is just for geeks. Well, my 10 year old daughter runs it, and she's no geek! It's not great for *everything* (there are a few things that Windows will do better), however a lot of the things it is not great at (ActiveX for one) are the very things that make Windows insecure.

Download it, try it, you just might like it. If so, you can install it full-time. If not, you can always remove it. And if you do remove it, at the very least run Windows as a non-admin (as suggested above), and install Firefox and use it instead of Internet Explorer.
posted by humpy at 4:29 PM on July 21, 2010 [1 favorite]


Response by poster: Unfortunately we have to run Windows as my husband has to use that for real estate. But I have learned to love Google Chrome and use that for my own browsing. My husband is pretty smart when it comes to computers and believe me if there was any way around using Windows he'd have found a way.

I will ask him about Adobe. I have a feeling that's the reason we get hit by so much crap at work.
posted by St. Alia of the Bunnies at 4:33 PM on July 21, 2010


Response by poster: I meant Internet Explorer is what hubby has to use. Yup, I am NOT the geek in the house.
posted by St. Alia of the Bunnies at 4:40 PM on July 21, 2010


Unfortunately, running as a non-administrator is not guaranteed to protect you from rootkits, as there may be privilege-escalation attacks that can get administrator privileges even if the current user doesn't have them. Still heed that advice, but understand that it isn't bulletproof.

In general, try to limit the number of vectors, or ways malware can get onto your system. Some common programs have numerous security flaws that are constantly being discovered, exploited, and eventually patched. Adobe Acrobat Reader is a huge one these days, so I've disabled the Acrobat plugin in my browser. If I want to read a PDF online, I have to download it and open it, sure, but it means my browser won't automatically open PDFs served up in ads or invisible iframes or whatever else. I made that change after being infected by malware through some unseen in-browser PDF on some random website once.

Adobe Flash is another common vector. I use Flashblock to prevent Flash from automatically loading, while still giving me the option to display it. You can whitelist sites you visit often and trust, like YouTube. There are Flashblock extensions for Firefox, Chrome, and likely most other browsers as well. Side-benefit: no obnoxious animated ads ever again.

Look through the plugins running in your browser (Firefox has a tab under Tools>Add-ons, for example). Any one of those could automatically launch from any website, and any one of those could have an exploitable flaw in it. Limit the number of possible vectors by disabling any of those that you do not regularly use. In my browser, the following are all installed (not by my choice) and disabled: Google Gadget Plugin, Google Update, Microsoft DRM, Picasa, Windows Media Player Plug-In, Windows Presentation Foundation. I'll keep Google's programs updated myself, and I have no use for any of the others at all. If any have flaws that are or will be exploited, they won't affect me. If your browser of choice doesn't let you disable them easily, you may have to hunt around to figure out how to uninstall or disable them manually.

If you can't secure Internet Explorer as well as the other browsers, consider using it only for the real estate sites that require it. Nobody says you have to use it for everything else.

No matter what you do, make sure that Windows Update is getting all of the latest patches installed.

One thing to recognize is that these days (this wasn't the case several years ago), Windows itself seems to be secure enough that it has no remotely-exploitable flaws. That is, nobody can "reach out and touch you" while your computer is just sitting there doing nothing. Back in the day, just connecting a Windows machine to the internet and letting it sit there could lead to infection in a few minutes, but this is no longer the case with XP SP3 and Windows 7, as far as I'm aware. All of the exploits I've seen recently require you to bring data into your computer somehow. Any time you visit a web page or plug in a USB key, this is what you're doing, but the more you know about these channels over which you do have some control, the smarter you can be about protecting yourself.
posted by whatnotever at 5:32 PM on July 21, 2010 [3 favorites]
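As an added example (not code from this thread or from any of its posters), here is a first-pass triage script a defender could run over downloaded PDFs before opening them, flagging the auto-running JavaScript actions SweetJesus and whatnotever describe. The two PDFs inside it are constructed samples, not real malware, and the hex-escaped name it resolves is an assumed obfuscation, included to show why a plain string search is not enough.

```python
import re

# Two constructed samples (not real malware). The second has an /OpenAction
# pointing at a JavaScript action whose type name is hex-escaped (/Ja#76aScript).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Ja#76aScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name objects that let a file act on its own when opened, with a reason.
RISKY_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/OpenAction": "action fired automatically on open",
    b"/AA": "additional automatic actions (page and form events)",
}

def normalize_names(data: bytes) -> bytes:
    # Names may hex-escape characters (/Ja#76aScript == /JavaScript), which
    # defeats a naive string search, so resolve the escapes before matching.
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: (count, reason)} for risky names found in the raw bytes.
    Names inside compressed streams are invisible to this flat scan, so an
    empty result is a triage hint, not proof that the file is safe."""
    if not data.startswith(b"%PDF"):
        raise ValueError("missing %PDF header")
    text = normalize_names(data)
    findings = {}
    for name, why in RISKY_NAMES.items():
        # A name ends at a delimiter, so /JS must not match inside e.g. /JSX.
        hits = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if hits:
            findings[name.decode()] = (hits, why)
    return findings

def verdict(findings: dict) -> str:
    scripted = "/JavaScript" in findings or "/JS" in findings
    automatic = "/OpenAction" in findings or "/AA" in findings
    if scripted and automatic:
        return "auto-executing script"
    return "active content" if scripted else "clean"
```

Files that come back as "auto-executing script" are the ones worth keeping out of a reader that still has JavaScript enabled.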


> Don't run your computer as an administrator. If you do this one thing, you will never be afflicted by a rootkit.

The whole point of a rootkit is to gain privileges from an unprivileged account by exploiting an OS or hardware vulnerability.
If you're running as administrator, the hacker doesn't need a rootkit.

But yeah, running as administrator is a bad idea. The best thing you can do is keep your OS patched and have up-to-date anti-malware software. An additional step is to do your web browsing, torrenting, etc. in a virtual machine, thus isolating the infection when it happens.
posted by qxntpqbbbqxl at 5:46 PM on July 21, 2010


> running as administrator is a bad idea

I have heard this before: Simply set up and run under a non-admin account and you are much safer. Except that you cannot install new programs or update current programs while non-admin. And some programs do not even allow user files to be saved after modification while open as non-admin.

It is not the ultimate answer, unfortunately.
posted by megatherium at 8:05 PM on July 21, 2010


Try installing Microsoft Security Essentials. I swear, it made my computer faster.

I have also had good success with Symantec Corporate Antivirus. I had to pare down the settings a bit, but I've never gotten a virus with it.
posted by gjc at 3:24 AM on July 22, 2010


One side note, make sure that you remove all personal documents off the infected computer (don't forget music, videos, pictures, mail folders etc.) onto an external hard-drive (or another computer).

Once you've done that, do a full installation of Windows (that is, don't do a repair and make sure you reformat the drive). Although it's possible to remove a rootkit from your computer, the only way to be completely sure it is gone is to re-format and start again.

Also, in previous posts I've recommended a program called DoubleDriver to back up your existing drivers. I would still recommend using that and keeping those files for safe keeping, but would strongly advise re-downloading the drivers from the manufacturer's website.

Only resort to using your backed up drivers for something that you are totally unable to find - as they too may be infected.

Of course, if you're on XP and take the (sensible) advice of getting Windows 7 then none of your drivers will work anyway and you'll need to re-download them.
posted by mr_silver at 4:22 AM on July 22, 2010


Not just reformat, but zero out the drive to get any crud that could be hidden in the boot sector.
posted by gjc at 6:51 AM on July 22, 2010


Response by poster: Thanks all! Will be showing all this to Ralph.
posted by St. Alia of the Bunnies at 3:02 PM on July 22, 2010


> Unfortunately, running as a non-administrator is not guaranteed to protect you from rootkits, as there may be privilege-escalation attacks that can get administrator privileges even if the current user doesn't have them.

This is one of those things where the likelihood of them actually happening is so close to zero that I believe it can safely be discounted. Unless an attack is specifically directed against a particular person. Automated attacks against Windows assume that the user in question has administrative rights.

> The whole point of a rootkit is to gain privileges from an unprivileged account by exploiting an OS or hardware vulnerability. If you're running as administrator, the hacker doesn't need a rootkit.

That's not really entirely accurate. Historically, rootkits have been designed to be unwittingly installed by administrators, rather than through privilege escalation.

> Except that you cannot install new programs or update current programs while non-admin.

Right. That's the point. If you can't install programs, you can't install malicious programs. So, when you need to install specific programs, you temporarily increase your account privileges through the administrator account, or use a separate administrator account entirely.

> And some programs do not even allow user files to be saved after modification while open as non-admin.

Those programs shouldn't be used, frankly. If you need to use a program like that, you should probably virtualize it, or as a last resort run that specific program with administrative rights.
posted by me & my monkey at 7:49 AM on July 23, 2010

