Routed by rootkits

Call it the worst work-around ever. How else to describe the advice from Mike Danseglio, a Microsoft security guru, to wipe and reinstall Windows on any PC infected with an insidious malware known as a rootkit? Danseglio grabbed some headlines this month when he told an audience at the InfoSec World security conference that once a rootkit digs in, there’s no sure way to get rid of it short of nuking Windows and starting from scratch.

But it turns out his suggestion isn’t new. Danseglio’s been giving that advice for most of a year. He wrote a Microsoft “Security Tip of the Month” that said the same thing last October. And it’s good advice. But as a work-around, it’s terrible.

It’s good advice because Danseglio’s probably right: There’s no other way to root out a rootkit. We can try to prevent infections — with firewalls, virus scanners, software patches and updates.

But once a rootkit is in, it’s in. It spreads its hooks everywhere. Rootkits are like cancer. You can cut out the obvious tumor, but there’s no way to be absolutely sure you’ve removed every malignant cell from a patient’s body.

We can’t eliminate biological cancers with a wipe and reinstall. But we can get rid of rootkits that way. And if there’s nothing better, it’s a realistic tactical approach to the problem.

But it’s still an awful work-around. Why? Because a work-around should be a trade-off, a rational decision about how to use resources. Work-arounds make sense when they cost less than fixing underlying problems. But a work-around’s cost piles up over time.

Eventually you do want those underlying problems fixed.

In Windows, that’s not going to happen. The rootkit vulnerabilities go to the core of Windows. They’re not just bugs; they’re flaws in Windows’ basic design. Waiting for Microsoft to fix them is pointless. Microsoft doesn’t have a fix, at least not short of entirely ripping out and replacing the guts of Windows.

And the only trade-off is that we foot the bill for Microsoft’s years of failure to secure Windows.

Yes, some rootkits will be blocked by tighter security in Vista when it finally arrives — but not all rootkits. The soonest we can hope for a completely rearchitected, rootkit-proof Windows is literally years from now. And Microsoft has yet to promise anything like that.

Meanwhile, we don’t have just one work-around for the rootkit problem. We can actually try three different approaches.

Option A: Nuke and restore. You can automate the process. It might even become smooth — for IT. But don’t underestimate the cost in lost productivity for users, who’ll still have to adjust settings, rebuild their desktops and shortcuts, and re-install their own applications (yes, they have them, even if they don’t tell IT about them).

Option B: Change your Windows architecture. You can run Windows applications from a terminal server like Citrix. Or virtualize them with Softricity. Or move everything to blades. Yeah, it’s a pricey transition, and it’ll shake up users. You’ll also probably need a lot more network bandwidth. But rebuilding all those PCs will be easier if it’s ever necessary.

Option C: Abandon Windows. Whether that means Web-based apps or Linux or Macs or terminals, it’s likely to be the most disruptive and costly option in the short term for both users and IT, and it will radically change what your IT shop does.

None of those options is a true trade-off. The cost and effort are all ours.

It’s going to require a completely new Windows core to finally purge the rootkit cancer for good. And that’s going to take a very hard, very expensive decision by Microsoft. Not just the worst of work-arounds for us.

— Hayes, Computerworld’s senior news columnist, has covered IT for more than 20 years. Contact him at