Categories:
Printer Friendly
Send to a friend
Windows Rootkit Detectors
What is a rootkit?
A rootkit is a set of software tools inteded to conceal running processes, files or system data from the operating system. Basically they let someone get access or run commands when they shouldn't be allowed and don't want to be found. Rootkits can go undetected for long periods of time so it's a good idea to check your system for them regularly in additional to virus scans.
The concept of the rootkit isn't a new one, and dates back to the days of Unix. An intruder could use a kit of common Unix tools, recompiled to allow an intruder to have administrative or root access without leaving traces behind. Rootkits, as we've come to know them today, are programs designed to conceal themselves from both the operating system and the user — usually by performing end-runs around common system APIs. It's possible for a legitimate program to do this, but the term rootkit typically applies to something that does so with hostile intent as a prelude toward stealing information, such as bank account numbers or passwords, or causing other kinds of havoc.
Many antivirus and security-software manufacturers have since added at least some rudimentary level of rootkit detection to their products, but there have been a number of free, standalone rootkit detection tools that have been in use for some time. In this article, I examine six of the more prevalent standalone applications, and talk about their relative merits and abilities. To test them out, I used them to scan a system for three varieties of rootkit: Fu or FuTo, which can "stealth" any process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which is similar to AFX but uses a slightly different concealment mechanism.
The detectors themselves typically work by comparing different views of the system and seeing where there's a mismatch. One of the original ways to perform this kind of detection was to dump a complete list of all the files on the volume while inside the operating system, then boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second list but not in the first and isn't a Windows file kept hidden by default, it's probably a culprit. More recent rootkit detectors use variations on this scheme that don't require exiting the operating system to get usable results.
I've also looked at these applications in a more general light and tried to consider how useful the program is likely to be in the future: how easy the detector is to use; how easy it is to interpret the results; how often the detector was updated; and so on. Remember that rootkits, like viruses, are a moving target. An anti-rootkit program that protects you today might be defenseless tomorrow against a whole new variety of threat — in fact, many rootkit makers write their programs to specifically avoid detection by some existing programs.
For the most part, these programs are for advanced- to expert-level users. They're not intended to be used as general-purpose solutions; they don't always distinguish between false positives (i.e., files hidden by the operating system deliberately) and real rootkits; they come with no warranty — they're provided "as-is" — and some of them (such as Trend Micro's product) have their core technologies available in a far more user-friendly version in a commercial product. In short, if you're not a professional, your best bet, at least for now, is to either hire a guru or use a mainstream product that has some kind of rootkit detection capability (such as Trend Micro Internet Security 2007).
Continue article
