Security Basics mailing list archives

Re: How to Protect against Rootkits?


From: Erin Carroll <amoeba () amoebazone com>
Date: Fri, 31 Mar 2006 17:56:06 -0500 (EST)


Syed,

What works for me may not work for you but here are some suggestions for a 
home user (I assume this is a Windows machine).

> What precautions etc can a home user (or anyone else) take to protect
> against Rootkits
> http://www.f-secure.com/weblog/archives/archive-032006.html#00000841?
> Is it a simple case of don't open any dodgy attachments, or is there
> any more to it?
> Is there any decent virus detect/cleaners out there?
>
> How about Sony DRM style Rootkits that arrive from a "trusted source"?
>
> I just want some ideas and Best Practices to adhere to in this regard.

Aside from minimizing the chances of web-install drive-bys via IE holes by
using a relatively more secure browser like Mozilla/Firefox/Opera. In
addition to being somewhat more secure by default, the alternative
browsers tend to have much more configurability and useful plugins:
Ad-block, Privoxy, etc. I would highly recommend ditching IE unless you 
have specific needs which require it.
 
I would recommend a solid software-based firewall with executable and
port-blocking capabilities. I personally use Kerio but there are others
out there (ZoneAlarm etc). The bonus of application-level filtering allows
you to see what app or component is attempting to make a connection
somewhere and to what executable/library or remote host. A lot of people
make the mistake of setting up a firewall that blocks all but port 80 or
other common ports and think they are safe. Many viruses or rootkits take
advantage of this by using those commonly unblocked ports as communication
channels for their purposes. Rootkits can be attached to just about
anything (i.e. the Sony debacle you mentioned). However, if you have a way
to see and selectively block outgoing/incoming connections by application
(not just port) to your machine you can have a greater awareness of what's
going on. Kerio is one such that has that functionality.

In regards to Anti-virus, stick with the Best-of-Breed options. I tend to 
steer clear of McAfee or Symantec as they tend to be large 
resource-hogging apps. I've been happy with AVG Anti-Virus personally but 
there are others out there of the same quality.

As a pen-tester and security freak I tend to visit rather... shady...  
sites and use applications with nasty stuff in them to see what makes them
tick. However, I've yet to be hit with a virus or rootkit (knock on
wood-shaped packet) except on purpose. As long as you keep your system
up-to-date with current patches, run a firewall of some sort, and a good
anti-viral app, you should be 99% secure. There is no such thing as a
truly safe networked computer but by having some minimal safeguards in
place you make it unlikely to become a victim. You can't be bulletproof
but you can wear enough Kevlar to make it a waste of bullets for Bad
People<tm>.


Erin Carroll
Moderator - SecurityFocus pen-test mailing list
amoeba () amoebazone com
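The reply's central point about host firewalls is that a rule set keyed only on destination port lets anything on the machine talk out over 80 or 443, while a rule set keyed on the originating executable does not. The following is an added illustration of that difference and is not code from the original post, from Kerio, or from any product named above; the connection records, executable paths and remote addresses are constructed for the example, and the policies are simplified models of the two filtering styles.

```python
"""Port-only versus application-aware egress filtering, on constructed data.

Each Connection mimics the three fields an application-level host firewall
can see for an outbound attempt: the executable making the connection, the
remote host, and the remote port. A port-only policy ignores the first
field; an application-aware policy requires the (executable, port) pair to
be on an allow-list and treats any executable it has never seen as
"ask the user", which is how prompting firewalls surface unexpected callers.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
# Constructed: an unknown binary dropped in a temp directory (hypothetical name).
UNKNOWN = r"C:\Windows\Temp\updater_helper.exe"


@dataclass(frozen=True)
class Connection:
    image: str         # full path of the executable opening the socket
    remote_host: str   # destination host or IP
    remote_port: int   # destination TCP port


# Constructed sample connections. 203.0.113.10 is a documentation (TEST-NET-3)
# address, not a real host.
SAMPLE_CONNECTIONS: List[Connection] = [
    Connection(FIREFOX, "www.example.com", 80),
    Connection(FIREFOX, "www.example.com", 443),
    Connection(UNKNOWN, "203.0.113.10", 80),    # hides among normal web traffic
    Connection(UNKNOWN, "203.0.113.10", 6667),  # non-standard port
]

# Port-only policy: "allow web ports, block the rest".
ALLOWED_PORTS: Set[int] = {80, 443}

# Application-aware policy: allow-list of (executable, port) pairs.
ALLOWED_APP_PORTS: Set[Tuple[str, int]] = {
    (FIREFOX.lower(), 80),
    (FIREFOX.lower(), 443),
}


def port_only_allows(conn: Connection) -> bool:
    """A port-based rule has no idea which program is talking."""
    return conn.remote_port in ALLOWED_PORTS


def app_aware_decision(conn: Connection) -> str:
    """Return 'allow', 'block' or 'ask' for one connection attempt.

    Paths are compared case-insensitively because Windows file names are.
    An executable with no rule at all gets 'ask', so the user sees the prompt
    the reply describes instead of a silent pass.
    """
    image = conn.image.lower()
    known_images = {img for img, _ in ALLOWED_APP_PORTS}
    if (image, conn.remote_port) in ALLOWED_APP_PORTS:
        return "allow"
    if image in known_images:
        return "block"   # known program, but not on this port
    return "ask"


def slips_through_port_only(conns: Iterable[Connection]) -> List[Connection]:
    """Connections a port-only policy passes but an app-aware one does not.

    This is exactly the gap the reply warns about: malware choosing a port
    that a port-only rule set leaves open.
    """
    return [c for c in conns
            if port_only_allows(c) and app_aware_decision(c) != "allow"]


def images_needing_a_decision(conns: Iterable[Connection]) -> Set[str]:
    """Executables the user would be prompted about under the app-aware policy."""
    return {c.image for c in conns if app_aware_decision(c) == "ask"}


if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(f"{c.image} -> {c.remote_host}:{c.remote_port}: "
              f"port-only={'allow' if port_only_allows(c) else 'block'}, "
              f"app-aware={app_aware_decision(c)}")
    print("slipped past port-only:", slips_through_port_only(SAMPLE_CONNECTIONS))
    print("prompt user about:", images_needing_a_decision(SAMPLE_CONNECTIONS))
```

The useful output is the list from `slips_through_port_only`: the unknown binary's port 80 connection is allowed by the port rule and would only be noticed because the application-aware policy does not recognise the executable. The port 6667 attempt is caught either way, which is why port-only filtering feels adequate until something uses a common port.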


