computerwoche.de

Archiv

Frankly Speaking: Routed by rootkits

17.04.2006
Call it the worst work-around ever. How else to describe the advice from Mike Danseglio, a Microsoft security guru, to wipe and reinstall Windows on any PC infected with an insidious malware known as a rootkit? Danseglio grabbed some headlines this month when he told an audience at the InfoSec World security conference that once a rootkit digs in, there's no sure way to get rid of it short of nuking Windows and starting from scratch.

But it turns out his suggestion isn't new. Danseglio's been giving that advice for most of a year. He wrote a Microsoft "Security Tip of the Month" that said the same thing last October.

And it's good advice. But as a work-around, it's terrible.

It's good advice because Danseglio's probably right: There's no other way to root out a rootkit. We can try to prevent infections -- with firewalls, virus scanners, software patches and updates. But once a rootkit is in, it's in. It spreads its hooks everywhere. Rootkits are like cancer. You can cut out the obvious tumor, but there's no way to be absolutely sure you've removed every malignant cell from a patient's body.

We can't eliminate biological cancers with a wipe and reinstall. But we can get rid of rootkits that way. And if there's nothing better, it's a realistic tactical approach to the problem.

But it's still an awful work-around. Why? Because a work-around should be a trade-off, a rational decision about how to use resources. Work-arounds make sense when they cost less than fixing underlying problems. But a work-around's cost piles up over time. Eventually you do want those underlying problems fixed.