Monday, July 23, 2012

Hidden Spyware & Malware - Rootkits


As we know, one of the biggest causes of broadband users seeing unaccounted-for high data usage is hidden background activity on the system. This can include automatic updates as well as malware (malicious software) such as viruses and spyware.


1) To detect the 'friendly' background processes (i.e. legitimate processes that use data in the background, typically updates) one can use a program such as Netlimiter (http://www.netlimiter.com).


This is a good utility to advise clients to use as it not only shows total usage of the data connection, but can show it per application, i.e. which process is using how much data. It can even be configured to throttle an application to only use a specific amount of bandwidth. The monitor version is freeware. (http://www.netlimiter.com/download/nl_2010_mon.exe)


2) The problem comes in with malware background processes that intentionally hide themselves from virus and malware scanners such as Windows Defender, TrendMicro, AVG, Norton, et al.


This hiding technique is called a RootKit, and you need special software to detect whether a system is affected. You can read more about it on http://www.rootkit.com/ and can find RootKit detectors on http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx or http://www.systemsoftlab.com/spydetector.html.


The important point is not to trust virus scanners when they report no malware on a system. Do the following:


1) Run a continuous bandwidth meter such as Netlimiter. Watch to see if usage is as per your expectation.


2) Install and configure a firewall.


3) Install and update a malware & virus program. Configure it for frequent updates and scans and make sure it stays resident. Often more than one scanner is needed to catch malware that slipped past another one.


4) Use a RootKit detect program to search for malware that escaped the above.


5) Sometimes nothing short of a full rebuild will get rid of a RootKit. This is obviously a last resort only.
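The check that steps 1 and 4 rely on, as an added example that is not part of the original post: compare the traffic attributable to the processes you can see against the adapter's total counter, and flag any process ID that carries traffic but is missing from the visible process list. All process names, PIDs, addresses and byte counts below are constructed sample data, not output from NetLimiter or any other tool.

```python
# Added example (not from the original post): attribute observed network bytes
# to processes and flag traffic that no visible process accounts for, which is
# the symptom described above (total usage higher than per-app usage).
from collections import defaultdict

# Constructed sample data. In practice the visible list would come from a task
# manager or per-app meter, and the connection table from a network-level view.
VISIBLE_PROCESSES = {1204: "chrome.exe", 2288: "svchost.exe", 3120: "outlook.exe"}

# (pid, remote endpoint, bytes) as a network-level tool might report them.
CONNECTIONS = [
    (1204, "203.0.113.10:443", 52_000_000),
    (2288, "203.0.113.20:80", 8_000_000),
    (3120, "203.0.113.30:993", 2_000_000),
    (4471, "198.51.100.7:6667", 310_000_000),  # pid absent from the visible list
    (4471, "198.51.100.8:443", 25_000_000),
]

INTERFACE_TOTAL_BYTES = 400_000_000  # adapter counter (constructed value)


def usage_by_process(connections):
    """Sum bytes per pid over all of its connections."""
    totals = defaultdict(int)
    for pid, _remote, nbytes in connections:
        totals[pid] += nbytes
    return dict(totals)


def find_unaccounted(visible, connections, interface_total):
    """Return (hidden_pids, accounted_bytes, unaccounted_bytes).

    hidden_pids: pids carrying traffic but absent from the visible process list.
    unaccounted_bytes: interface total minus bytes attributable to visible pids.
    A large gap or a non-empty hidden list is the cue to run a RootKit detector.
    """
    per_pid = usage_by_process(connections)
    hidden = sorted(pid for pid in per_pid if pid not in visible)
    accounted = sum(b for pid, b in per_pid.items() if pid in visible)
    return hidden, accounted, interface_total - accounted


if __name__ == "__main__":
    hidden, accounted, gap = find_unaccounted(
        VISIBLE_PROCESSES, CONNECTIONS, INTERFACE_TOTAL_BYTES)
    print(f"visible processes account for {accounted / 1e6:.0f} MB "
          f"of {INTERFACE_TOTAL_BYTES / 1e6:.0f} MB")
    print(f"unaccounted: {gap / 1e6:.0f} MB; pids with traffic but not visible: {hidden}")
```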
