Jan 26, 2007 (07:01 PM EST)
The Root Of The Problem

Read the Original Article at InformationWeek

Rootkits shot to prominence and infamy in October 2005, when it was revealed that certain Sony Music CDs came with a program that, in order to limit copying, silently loaded itself onto your PC when you inserted the disc. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users.

While the rootkit concept is now widely known, rootkit detection software is less so, making it worth taking a look at what's available. Many antivirus and security software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there are a number of free, standalone rootkit detection tools.

This article examines six of the more prevalent ones. To test them, I scanned a system for three well-known rootkits: Fu or FuTo, which can "stealth" any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which uses a slightly different concealment mechanism from AFX. I considered what information they returned about the detected programs, the actions end users could take, and how often each program was updated.

How They Work
The detectors typically compare different views of the system and see where there's a mismatch. One of the original ways to do this was to dump a complete list of all the files on the volume while inside the operating system, boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second list but not in the first and isn't a Windows file kept hidden by default, it's probably a culprit. More recent rootkit detectors use variations on this scheme that don't require exiting the operating system to get usable results.
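The cross-view comparison just described, as an added example in Python rather than code from the article or from any of the tools it reviews. It takes two file listings of the same volume (one taken from inside the running OS, one taken from outside it, such as from the Recovery Console), normalises them, and reports the paths only the outside view can see, while separating out files Windows is known to keep hidden so they are not reported as rootkit artefacts. Both listings and the "known hidden" baseline are constructed sample data, and the baseline is an illustrative assumption, not an authoritative list.

```python
"""Cross-view file-list comparison: the classic rootkit-detection technique of
diffing a listing taken inside the running OS against one taken from outside it.

Added example, not code from the article or from any tool it reviews. The
listings and the KNOWN_HIDDEN baseline are constructed sample data.
"""

from __future__ import annotations

# Constructed sample: what the running OS reported through normal directory enumeration.
IN_OS_VIEW = """\
C:\\Windows\\explorer.exe
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Program Files\\App\\app.exe
C:\\Users\\alice\\report.docx
"""

# Constructed sample: the same volume listed from outside the OS (e.g. Recovery Console).
OFFLINE_VIEW = """\
C:\\Windows\\explorer.exe
C:\\Windows\\System32\\kernel32.dll
C:\\Windows\\System32\\drivers\\ntfs.sys
C:\\Windows\\System32\\drivers\\hidden_driver.sys
C:\\Program Files\\App\\app.exe
C:\\Users\\alice\\report.docx
C:\\pagefile.sys
C:\\hiberfil.sys
"""

# Files Windows itself keeps hidden. Assumed baseline for this example only; it is
# what lets the comparison avoid the false positives the article warns about.
KNOWN_HIDDEN = {
    "c:\\pagefile.sys",
    "c:\\hiberfil.sys",
}


def parse_listing(text: str) -> set[str]:
    """Turn a newline-separated path listing into a case-folded set.
    NTFS paths are case-insensitive, so the comparison must be as well."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def cross_view_diff(inside: set[str], outside: set[str],
                    baseline: set[str] = frozenset()) -> dict[str, list[str]]:
    """Compare the two views of the volume.

    hidden   : seen offline, invisible inside the OS, not in the baseline -> suspicious
    expected : seen offline, invisible inside the OS, but hidden by Windows by design
    phantom  : visible inside the OS but absent offline (e.g. created between snapshots)
    """
    only_outside = outside - inside
    return {
        "hidden": sorted(only_outside - baseline),
        "expected": sorted(only_outside & baseline),
        "phantom": sorted(inside - outside),
    }


def find_hidden_files(in_os_text: str, offline_text: str) -> list[str]:
    """Convenience wrapper: paths that only the outside-the-OS view can see."""
    return cross_view_diff(parse_listing(in_os_text),
                           parse_listing(offline_text),
                           KNOWN_HIDDEN)["hidden"]


if __name__ == "__main__":
    report = cross_view_diff(parse_listing(IN_OS_VIEW),
                             parse_listing(OFFLINE_VIEW),
                             KNOWN_HIDDEN)
    for category, paths in report.items():
        print(f"{category}:")
        for path in paths:
            print("   ", path)
```

Run against the constructed listings, the only entry in the "hidden" bucket is the driver file that the in-OS enumeration never returned; the page file and hibernation file land in "expected" because the baseline says Windows hides them itself. A "phantom" entry is worth keeping in the output too: it usually means the two snapshots were not taken close enough together, which is exactly the practical weakness that led later detectors to compare views without leaving the operating system.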

For the most part, these programs are for advanced- to expert-level users. They don't always distinguish between false positives--such as files hidden by the operating system deliberately--and real rootkits. They come with no warranty and some, such as Trend Micro's product, have their core technologies available in a far more user-friendly commercial version. But for those ready to brave them, here are six options to consider.