Does Your Computer Have the Worst Virus?

The Culprits

If you’ve never heard of rootkits, let alone know what they are, now is the time to learn. I’ve heard of them before but never really knew how bad they can be. Not only can they hide from many of the most widely used antivirus programs, they can actually start running on your computer before your operating system even starts.

What’s worse is how they get into our computers. Many of the most frequently and widely used programs are the most likely targets of the criminals who spread viruses, spyware, and whatever other kind of program we don’t want, especially the programs that make use of the internet and the web. But why? Why do people make viruses? Do I really need to tell you? They do it for money. And usually they’re stealing it from our bank accounts and our credit cards. That’s why the bad guys find ways to take advantage of the programs we all use to inject their malware into our computers. And that’s why the responsible software companies figure out how to fix the problems and patch, or update, the software on our PCs. Some of the most common targets are:

  • web browsers such as Internet Explorer, Firefox, and Opera, among others
  • office software such as Word, Excel, Thunderbird, and many more
  • media programs such as Flash, Acrobat, QuickTime, and yes, others.

On top of that, the software that runs on the web servers that deliver the web pages we all love is also at risk of being compromised. Hackers find ways to exploit flaws in the server operating systems (Windows and Linux), blogging software, content management systems, forums, you name it.

What To Do About It

So let me tell you about what “inspired” this post. I recently learned about the Sinowal (also known as Mebroot) trojan rootkit in a couple of articles written by Woody Leonhard on the Windows Secrets website. The first article, “Don’t be a victim of Sinowal, the super-Trojan”, was posted November 20, 2008 and gives a good description of this bugger and how it spreads, infects, and steals your private information, like your bank or credit card account user name and password. Woody’s second article gets down to the business of detecting Sinowal/Mebroot, removing it, and what you can do to minimize your risk of infection.

There are two tools Woody recommends for us to use, F-Secure BlackLight and Secunia Personal Software Scanner. Use BlackLight to scan your computer to find Sinowal/Mebroot and remove it. BlackLight does not need to be installed like many programs. It’s completely self-contained. To run it in XP, just double-click it. But in Vista, you need to run BlackLight as the Administrator. To do this, right-click the BlackLight icon, and select “Run as Administrator” from the pop-up menu.

Once BlackLight is done, use Secunia PSI to inspect the software on your computer to see if it is the most current and secure version available. The advantage of using PSI is that once it finds programs that are vulnerable, you can download and install the updated and secure version with just a few clicks. Without PSI you would have to open every program installed on your computer, check the version, then go to the publisher’s website to see if there’s a more recent version to download and install. I’ve tried both these programs on my HP Pavilion dv9000 laptop running Windows Vista and was pleased with the way they worked. I also ran them on my Windows XP desktop. XP users are the most at risk. Fortunately, Vista seems to be immune for the time being. BlackLight and PSI ran just fine on the XP desktop and I was relieved that BlackLight did not find any rootkits.

I urge you to read Woody Leonhard’s first article about the Sinowal/Mebroot rootkit for a basic understanding and then look at the second article to better understand how the tools work and how to use them.

Have you ever encountered this kind of problem? If you have, how about leaving a comment to share your experience? Everyone be safer.

This entry was posted in Online Security.
