Jan 26, 2007 (07:01 PM EST)
The Root Of The Problem
Read the Original Article at InformationWeek
Rootkits shot to prominence and infamy in October 2005, when it was revealed that certain Sony Music CDs came with a program that, in order to limit copying, silently loaded itself onto your PC when you inserted the disc. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users.
While the rootkit concept is now widely known, rootkit detection software is less so, making it worth taking a look at what's available. Many antivirus and security software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there are a number of free, standalone rootkit detection tools.
This article examines six of the more prevalent ones. To test them, I scanned a system for three well-known rootkits: Fu or FuTo, which can "stealth" any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which uses a slightly different concealment mechanism from AFX. I considered what information they returned about the detected programs, the actions end users could take, and how often each program was updated.
How They Work
For the most part, these programs are for advanced- to expert-level users. They don't always distinguish between false positives--such as files hidden by the operating system deliberately--and real rootkits. They come with no warranty and some, such as Trend Micro's product, have their core technologies available in a far more user-friendly commercial version. But for those ready to brave them, here are six options to consider.
F-Secure BlackLight was one of the first widely used rootkit scanners (aside from RootkitRevealer), and now its scanning technology is being rolled into F-Secure Internet Security 2006.
One thing F-Secure has that few other rootkit detectors do is detailed documentation and usage instructions. Even if these programs are meant to be expert-level tools, it's always good to have something more to refer to than just the program's own prompts. Its detection system seems quite scrupulous; it caught a process hidden by the Fu rootkit and tracked down the other two rootkits.
IceSword also has been updated pretty consistently--multiple 1.x editions have appeared throughout 2006--and pjf_ has been quoted as saying he will continue to update and offer new versions as different rootkits emerge. There are a number of small but elegant touches throughout the 1.20 version, aimed at the experts the program is intended for.
Trend Micro RootkitBuster
RKR 1.71's documentation indicates it's not designed to detect rootkits that cloak themselves in memory only, such as Fu (which it didn't detect at all). It checks to see if something is attempting to conceal itself in the file system or Registry, so in that respect it's limited. It did detect signs of the other two rootkits, though, so as a quick-and-dirty first line of defense it's not bad. For more comprehensive scanning, and the ability to click-and-delete a rootkit, there are definitely better tools available.
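RootkitRevealer's approach, as described above, is cross-view comparison: enumerate the file system and Registry through the normal Windows API, enumerate them again through a lower-level path, and report whatever the API view omits. The Python below is an added example rather than code from RootkitRevealer or any other tool in this article; it runs that comparison over constructed listings, keeps an assumed allowlist of entries the OS hides on purpose from being reported as rootkits, and shows why a memory-only rootkit such as Fu, which unlinks a process rather than hiding a file or key, only turns up when one of the two views is something the rootkit did not alter. Every path and process name in it is made up.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "registry" or "process"
    name: str
    reason: str  # "hidden from API view" or "hidden by OS (expected)"


# Constructed allowlist standing in for entries Windows hides on purpose
# (the false-positive source the article warns about); not a real path.
OS_HIDDEN = {("file", r"C:\example\os-hidden.dat")}


def cross_view_diff(kind, api_view, low_level_view, allowlist=OS_HIDDEN):
    """Report names present in low_level_view but missing from api_view.
    api_view is what the documented user-mode API returns (what a hooked system
    shows Explorer, Regedit or Task Manager); low_level_view is the same objects
    read by a path the rootkit is less likely to have touched."""
    findings = []
    for name in sorted(set(low_level_view) - set(api_view)):
        reason = ("hidden by OS (expected)" if (kind, name) in allowlist
                  else "hidden from API view")
        findings.append(Finding(kind, name, reason))
    return findings


def suspicious(findings):
    """Keep only the discrepancies the allowlist does not explain."""
    return [f for f in findings if f.reason == "hidden from API view"]


# Constructed views: an AFX-style hidden folder, a hidden Run value, and a
# Fu-style process unlinked from the kernel's process list (DKOM), which a
# file/Registry diff cannot see; only an untampered view (thread scan) can.
FILE_API = {r"C:\example\app.exe", r"C:\example\notes.txt"}
FILE_RAW = FILE_API | {r"C:\example\os-hidden.dat", r"C:\example\hidden-dir"}
REG_API = {r"HKLM\SOFTWARE\Example\Run\app"}
REG_RAW = REG_API | {r"HKLM\SOFTWARE\Example\Run\stealth"}
PROC_API = {"explorer.exe", "svchost.exe"}
PROC_KERNEL_LIST = set(PROC_API)                # unlinked entry is gone here too
PROC_THREAD_SCAN = PROC_API | {"stealth.exe"}   # still reachable from its threads


def scan(views):
    """views: list of (kind, api_view, low_level_view); returns unexplained findings."""
    return suspicious([f for k, a, l in views for f in cross_view_diff(k, a, l)])
```

Running `scan` over the file and Registry pairs alone reports the hidden folder and the hidden Run value but nothing about the unlinked process; it only appears once the thread-scan view is included.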
The full report is a bit wordy but makes it unambiguously clear if there's a chance you have a rootkit hiding somewhere--and where it might be hiding, as well. I was able to detect the presence of all three test rootkits without trouble.
Rootkit detection tools break down into two basic categories:
For me, it was one of the independent tools--Rootkit Unhooker--that turned out to be the best. The big vendors, however, won't likely see them as competition, since the indie-written tools clearly are meant for pros.
If rootkits proliferate and become as difficult to detect as is predicted, it will be a strong incentive for the major security software makers to market their own products. But it also will be an incentive for the indies to continue to write and update their tools for their own market.