The Root Of The Problem

Jan 26, 2007 (07:01 PM EST)


Rootkits shot to prominence and infamy in October 2005, when it was revealed that certain Sony Music CDs came with a program that, in order to limit copying, silently loaded itself onto your PC when you inserted the disc. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users.

While the rootkit concept is now widely known, rootkit detection software is less so, making it worth taking a look at what's available. Many antivirus and security software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there are a number of free, standalone rootkit detection tools.

This article examines six of the more prevalent ones. To test them, I scanned a system for three well-known rootkits: Fu or FuTo, which can "stealth" any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which uses a slightly different concealment mechanism from AFX. I considered what information they returned about the detected programs, the actions end users could take, and how often each program was updated.

How They Work
The detectors typically compare different views of the system and see where there's a mismatch. One of the original ways to do this was to dump a complete list of all the files on the volume while inside the operating system, boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second list but not in the first and isn't a Windows file kept hidden by default, it's probably a culprit. More recent rootkit detectors use variations on this scheme that don't require exiting the operating system to get usable results.

For the most part, these programs are for advanced- to expert-level users. They don't always distinguish between false positives--such as files hidden by the operating system deliberately--and real rootkits. They come with no warranty and some, such as Trend Micro's product, have their core technologies available in a far more user-friendly commercial version. But for those ready to brave them, here are six options to consider.
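The cross-view comparison described above, with the "hidden by default" allowlist as the false-positive filter, as an added illustration that is not part of the original article and not code from any of the reviewed tools; the two listings, the allowlist and the driver name `hiddenxyz.sys` are constructed sample data:

```python
"""Cross-view comparison as sketched in "How They Work": diff a file listing
taken inside the running OS against one taken from the Recovery Console.
Added illustration; all paths are constructed, not output from any reviewed tool."""
import fnmatch

# Constructed sample: paths a directory walk inside the running OS returned.
INSIDE_OS = """
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Users\\Alice\\Documents\\report.doc
C:\\Users\\Alice\\AppData\\Local\\Temp\\~tmp1234.tmp
C:\\pagefile.sys
""".strip().splitlines()

# Constructed sample: the same volume listed offline from the Recovery Console.
# "hiddenxyz.sys" is a made-up name standing in for a driver a rootkit hides.
OFFLINE = """
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Windows\\System32\\drivers\\hiddenxyz.sys
C:\\Users\\Alice\\Documents\\report.doc
C:\\pagefile.sys
C:\\hiberfil.sys
C:\\System Volume Information\\tracking.log
""".strip().splitlines()

# Files Windows itself hides by default (the article's false-positive case); constructed.
HIDDEN_BY_DEFAULT = ["C:\\pagefile.sys", "C:\\hiberfil.sys",
                     "C:\\System Volume Information\\*"]

def normalize(path: str) -> str:
    """NTFS paths are case-insensitive; compare everything in one form."""
    return path.strip().replace("/", "\\").lower()

def expected_hidden(path: str, allowlist) -> bool:
    return any(fnmatch.fnmatchcase(path, normalize(pat)) for pat in allowlist)

def cross_view_diff(inside, offline, allowlist=HIDDEN_BY_DEFAULT) -> dict:
    """suspect: offline-only and not allowlisted (the rootkit candidates);
    expected_hidden: offline-only but allowlisted; only_inside: usually files
    deleted between the two dumps, which is not evidence of hiding."""
    inside_set = {normalize(p) for p in inside if p.strip()}
    offline_set = {normalize(p) for p in offline if p.strip()}
    offline_only = offline_set - inside_set
    return {
        "suspect": sorted(p for p in offline_only if not expected_hidden(p, allowlist)),
        "expected_hidden": sorted(p for p in offline_only if expected_hidden(p, allowlist)),
        "only_inside": sorted(inside_set - offline_set),
    }
```

Files that appear only in the inside-OS view are reported separately rather than flagged, since a file deleted between the two dumps is the usual cause and is not the concealment the article is looking for.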

F-Secure BlackLight
F-Secure BlackLight was one of the first widely used rootkit scanners (aside from RootkitRevealer), and now its scanning technology is being rolled into F-Secure Internet Security 2006.

One thing F-Secure has that few other rootkit detectors do is detailed documentation and usage instructions. Even if these programs are meant to be expert-level tools, it's always good to have something more to refer to than just the program's own prompts. Its detection system seems quite scrupulous; it caught a process hidden by the Fu rootkit and tracked down the other two rootkits.

IceSword
IceSword has gained a measure of fame as one of the most powerful and thorough rootkit detectors out there. But it's also one of the toughest to find. Its creator, a Chinese-speaking programmer known as pjf_, offers the program through his Web site, but because that link is excruciatingly slow, the application has since been mirrored by many free download sites, such as MajorGeeks.com. It's been issued in English, but the help files are only in Chinese.

IceSword also has been updated pretty consistently--multiple 1.x editions have appeared throughout 2006--and pjf_ has been quoted as saying he will continue to update and offer new versions as different rootkits emerge. There are a number of small but elegant touches throughout the 1.20 version, aimed at the experts the program is intended for.

RKDetector
RKDetector 2.0 is actually two applications: one to scan for hidden files on a hard drive and another to scan for hidden processes and kernel hooks. It's a little more difficult to do a comprehensive scan this way, though, since you have to do each scan action separately and there's no way to get a comprehensive report. The individual result reports aren't hard to make sense of and act on, but the program's usefulness is overshadowed by some of the other applications discussed here.

Trend Micro RootkitBuster
One thing I've always liked about Trend Micro is how it makes bits of its commercial products available as freebies. Trend Micro has excerpted the rootkit detection technology from its commercial Internet Security 2007 product and made it available as a standalone tool. Documentation is essentially nonexistent, and it's very hard to tell how regularly the product has been updated, but I suspect that goes hand in hand with its being a freebie. RootkitBuster 1.6 does a good job of detecting and cleaning, though--it caught processes hidden by the Fu rootkit and found the other two test rootkits quite completely.

RootkitRevealer
RootkitRevealer was one of the very first rootkit detection tools, courtesy of the ever-overachieving Mark Russinovich and Bryce Cogswell of Winternals (now part of Microsoft).

RKR 1.71's documentation indicates it's not designed to detect rootkits that cloak themselves in memory only, such as Fu (which it didn't detect at all). It checks to see if something is attempting to conceal itself in the file system or Registry, so in that respect it's limited. It did detect signs of the other two rootkits, though, so as a quick-and-dirty first line of defense it's not bad. For more comprehensive scanning, and the ability to click-and-delete a rootkit, there are definitely better tools available.

Rootkit Unhooker
Rootkit Unhooker is the product of a Russian programming team, and version 3.0 is one of the better, more comprehensive programs I looked at. That means it's also more sophisticated, but the programmers have been thoughtful enough to make it possible to produce an overview of all the scanned areas of the system in one report.

The full report is a bit wordy but makes it unambiguously clear if there's a chance you have a rootkit hiding somewhere--and where it might be hiding, as well. I was able to detect the presence of all three test rootkits without trouble.

Decision Time
Rootkit detection tools break down into two basic categories:

  • Professionally written tools marketed to get people to buy a full commercial product
  • Independently authored tools of broadly varying pedigrees and usability

For me, it was one of the independent tools--Rootkit Unhooker--that turned out to be the best. The big vendors, however, won't likely see them as competition, since the indie-written tools clearly are meant for pros.

If rootkits proliferate and become as difficult to detect as is predicted to happen, it will be strong incentive for the major security software makers to market their own products. But it also will be an incentive for the indies to continue to write and update their tools for their own market.

Free, But Not Easy
F-Secure BlackLight: Scans carefully, attempts to clean files; may be folded into commercial suite
IceSword: A bit difficult to find, but thorough and updated, with pro-level features
RKDetector: Two separate apps; less flexibility and breadth of features than others
Trend Micro RootkitBuster: Spin-off of commercial program; works quite well on its own
RootkitRevealer: One of the first; decent, but better newcomers have overshadowed it
Rootkit Unhooker: Russian-authored tool that's comprehensive and powerful