Six Rootkit Detectors To Protect Your PC

Posted by samzenpus on Wed Jan 17, 2007 10:05 PM
from the rate-them dept.
An anonymous reader writes "InformationWeek has a review of 6 rootkit detectors. This issue became big last year when Sony released some music CDs which came with a rootkit that silently burrowed into PCs. This review looks at how you can block rootkits and protect your machine using F-Secure Backlight, IceSword, RKDetector, RootkitBuster, RootkitRevealer, and Rootkit Unhooker."
  • Print version. (Score:5, Informative)

    by antdude (79039) on Wednesday January 17 2007, @10:07PM (#17658130) Homepage Journal
    Click here [informationweek.com] to go to the next pages. :)
  • by 42Penguins (861511) on Wednesday January 17 2007, @10:11PM (#17658176)
    "helpful" activex popup ads:
    Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!
    • by Jesus_666 (702802) on Wednesday January 17 2007, @11:48PM (#17658954)
      "helpful" activex popup ads:
      Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!


      Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!
      • by rvw (755107) on Thursday January 18 2007, @05:42AM (#17661060)

        "helpful" activex popup ads:
        Yuor compooter may be infectad with eh rootkit! Instal Pwn0r T0olbar now 2 protekt your system from teh threts!


        Damn. I've been googling for hours now - do you have an idea where I can get the Linux or OS X version of Pwn0r T0olbar or maybe the source? I want to be protekted from teh threts too!

        To get this level of protection you should install Windows. These toolbars, you probably won't even have to install them. They come all by themselves.

  • by Indes (323481) on Wednesday January 17 2007, @10:15PM (#17658206) Homepage
    ... And dates back to the days of Unix. "

        Whew. Good thing GNU is Not Unix.
  • On debian/ubuntu (Score:5, Informative)

    by delirium of disorder (701392) on Wednesday January 17 2007, @10:19PM (#17658260) Homepage Journal
    apt-get install chkrootkit [chkrootkit.org] rkhunter [rootkit.nl]
    • Re: (Score:2, Interesting)

      They forgot a decent anti-root kit

      MAC-OSX.. see it has six letters too.

      Is there a decent one for OS-X?
  • by tgbrittai (599035) on Wednesday January 17 2007, @10:21PM (#17658276) Homepage
    Ironically enough, it was one of the independent tools -- Rootkit Unhooker -- that turned out to be the best.

    It's interesting that programmers working outside of a corporate environment produce such amazing products. Hmmm... I wonder what's up with that?

    • by ubuwalker31 (1009137) on Wednesday January 17 2007, @10:56PM (#17658542)
      Is it just me, or am I being overly cautious not wanting to download a rootkit detector from Chinese and Russian software developers? Are these programs open source? Are they safe? Anyone?
      • Re: (Score:3, Insightful)

        I swear, that's the first thought that ran through my head.
        I'm sure they'll detect every rootkit except the one they install.

        Why am I so paranoid?

        Oh yeah, I run Windows.

  • Security solutions (Score:4, Insightful)

    by chris(pinecone) (1037932) <`ccool2ax' `at' `gmail.com'> on Wednesday January 17 2007, @10:28PM (#17658304) Journal
    Shouldn't these tools be a part of already-existent anti-virus solutions? Why another application for rootkits if trojans, virii, and spyware detection are (usually) in the same package? It's not like rootkits are new threats.
  • by Afecks (899057) on Wednesday January 17 2007, @10:33PM (#17658362)
    Hey, thanks for the mention in the article but that is a really old version you've used to test! The last version I've released publicly is AFX Windows Rootkit 2005, it's open source and can be found on http://www.rootkit.com/ [rootkit.com] the other more recent versions I've sold privately.

    Now on the subject of rootkit detection. Most of these use the method based on Microsoft's Strider GhostBuster, which uses a low-level method to gather seemingly clean system information, then gathers the same information using a high-level method. The idea is that rootkits will have only hooked the high-level methods, so there should be a difference in results. Whatever is listed in the low-level results and not listed in the high-level results is displayed as "hidden information". Effectively they are using the rootkit's own hiding functions against itself to detect it. If the rootkit doesn't hide itself to avoid detection, it's still made itself visible.

    The problem is that you put yourself in an arms race with who can hook system information at the lowest level. Luckily since we (the sysadmin) have access to the hardware and presumably the attacker does not, a hardware method of gathering system information would be the best. You can bet money that we are going to be seeing hardware level rootkit detectors sooner or later.

    The final problem is that a backdoor can be hidden without using these rootkit methods. By hooking incoming socket connections we can make a hidden backdoor that creates no new processes, threads, files, registry keys or any other permanent data. I and others have released POC code already. Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean every time.
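The cross-view diff that the post above describes (a low-level enumeration compared against the high-level API view, with anything present only in the low-level view reported as hidden) can be illustrated with a small simulation. This is an added example, not code from the article, the reviewed tools or the poster; the two views are constructed sample data rather than real process, file or registry enumeration, and the entry names are invented. It also reports the reverse case (objects only the high-level view returns), which the post does not mention but which the same comparison gives for free.

```python
"""Cross-view (Strider GhostBuster-style) hidden-object detection, simulated.

Two enumerations of the same object class are taken: a "low-level" view that
bypasses the normal API, and a "high-level" view through the API a rootkit is
expected to hook.  Objects in the low-level view that the high-level view
omits are reported as hidden.  Both views here are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewEntry:
    kind: str   # "process", "file" or "regkey"
    name: str   # process image name, file path or registry key path


def cross_view_diff(low_level, high_level):
    """Return (hidden, phantom).

    hidden  : entries the low-level view saw but the high-level view omitted,
              i.e. something is filtering the API results.
    phantom : entries only the high-level view returned; a hooked API inventing
              objects that do not exist at the lower layer is equally suspect.
    A caveat the post itself raises: if both views are gathered through the
    same hooked layer they agree, and this check sees nothing.
    """
    low = {(e.kind, e.name) for e in low_level}
    high = {(e.kind, e.name) for e in high_level}
    return sorted(low - high), sorted(high - low)


def classify(hidden, phantom):
    """'clean' means the two views agreed; it does not prove absence of a rootkit."""
    return "clean" if not hidden and not phantom else "discrepancy"


def group_by_kind(entries):
    """Group (kind, name) tuples by object kind for a readable report."""
    grouped = {}
    for kind, name in entries:
        grouped.setdefault(kind, []).append(name)
    return grouped


# Constructed sample views.  The rootkit-like driver and process names are
# invented for the illustration and correspond to nothing real.
LOW_LEVEL_VIEW = [
    ViewEntry("process", "explorer.exe"),
    ViewEntry("process", "svchost.exe"),
    ViewEntry("process", "hidden_svc.exe"),                                  # constructed
    ViewEntry("file", r"C:\Windows\System32\drivers\ndis.sys"),
    ViewEntry("file", r"C:\Windows\System32\drivers\example_rk.sys"),        # constructed
    ViewEntry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\Example"),
]
HIGH_LEVEL_VIEW = [
    ViewEntry("process", "explorer.exe"),
    ViewEntry("process", "svchost.exe"),
    ViewEntry("file", r"C:\Windows\System32\drivers\ndis.sys"),
    ViewEntry("regkey", r"HKLM\SYSTEM\CurrentControlSet\Services\Example"),
]


def run_demo():
    hidden, phantom = cross_view_diff(LOW_LEVEL_VIEW, HIGH_LEVEL_VIEW)
    return {
        "verdict": classify(hidden, phantom),
        "hidden": group_by_kind(hidden),
        "phantom": group_by_kind(phantom),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real detector the two views would come from, for example, walking raw on-disk filesystem structures versus calling the directory-listing API, or reading kernel object lists versus the process-enumeration API; the comparison logic is the same.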
    • Do you have any more information on hooking socket connections as mentioned in your post? That sounds pretty neat and I'd like to research it, so since you've heard of it I figured you might have a good link to two.
      • by Afecks (899057) on Thursday January 18 2007, @12:29AM (#17659198)
        My old site is down because I've moved away from this kind of stuff in the past. The only surviving mirror I can find is here. [opensc.ws] Basically you're just hooking accept() Winsock API in all processes and then any listening service is a potential backdoor. This is a simple user-mode method. Someone could write a more specific version for a particular service such as IIS that hooks deeper into the code that receives network data.
    • Re: (Score:2, Insightful)

      Also, making the same attack persist after reboot is only a matter of disabling SFC and altering userinit.exe, explorer.exe or whatever you like. Your rootkit detector will come up clean everytime.

      But if you don't hide files, you leave yourself as open to signature-based detection as viruses are, so your typical virus scan should pick it up. Even if you can obfuscate yourself well enough to hide from signature-based scans, if you alter system files like userinit or explorer, you are vulnerable to tripwire-l
    • Will a complete system format and OS re-install from CDs erase any possible re-entry?
      • by Afecks (899057) on Thursday January 18 2007, @12:55AM (#17659380)
        The simple answer is, yes.

        The complicated answer is, for a little while. The reason is that there are rootkits being developed that are designed to store themselves in your video card. The idea is that after the hard drive is reformatted the video card will load this rootkit back into the kernel. Right now it's highly unlikely.
      • Re: (Score:3, Informative)

        Actually I've written an article describing how to do what you speak of. The only piece of the puzzle you left out is that you need to scan the system from inside Windows first. Then boot into Linux and scan the hard drive from there so you can compare the results.

        The article can be found here. [rootkit.com]
  • I didn't see one rootkit detector reviewed by InformationWeek that would work on my PCs, a Macbook and an iMac. Any suggestions?
    • Probably because the article was talking about Windows rootkit detectors, might be a good reason that you didn't see ones for OSX (I could see through your thinly-veiled attempt at a windows vs mac dig, but I'll play along). For OSX you might try http://www.chkrootkit.org/ [chkrootkit.org] as there are OSX rootkits in the wild, they've had a version out for quite some time now.
  • Wow.... (Score:4, Insightful)

    by Creepy Crawler (680178) on Wednesday January 17 2007, @11:01PM (#17658582)
    Wow! Let's rate programs on diagnosing a potentially lying PC!

    This is just a stupid idea if anything. The purpose of a rootkit is to make a very hidden hole into a system. Doing this requires reprogramming and setting up the system so that nobody can diagnose it. The key is that to diagnose any sort of rootkit, one must run from known good binaries.

    Now, we don't have the source to Windows, but we have binaries. Well, let's MD5 the binaries and then compare to a known good (just installed, no network interfaces) installation. The differences are possible holes.

    No program can be trusted when the system it sits upon cannot be trusted. When system trust is gone, one must redeploy the system to regain trust.
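The baseline comparison proposed above (hash the binaries of a known-good install, hash them again later, treat every difference as a possible hole) is a file-integrity check, and the following is an added example of it, not code from the poster or the article. It assumes the hashing is done from known-good media so the digests themselves cannot be lied to, which is the poster's own point; it uses SHA-256 rather than MD5 because MD5 collisions are practical, and the two sample trees are constructed in temporary directories with invented contents.

```python
"""Known-good baseline versus current-tree integrity check.

hash_tree() digests every file under a root; compare_to_baseline() reports
what changed, appeared or vanished.  The sample trees are constructed on the
fly so the example runs offline; the file names echo the thread's examples
(userinit.exe, explorer.exe) but the bytes are invented.
"""
import hashlib
import os
import shutil
import tempfile


def hash_file(path, algo="sha256"):
    """Stream a file through the chosen digest so large binaries fit in memory."""
    digest = hashlib.new(algo)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, algo="sha256"):
    """Map each file's path relative to root (forward slashes) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full, algo)
    return digests


def compare_to_baseline(baseline, current):
    """Classify every path as changed, added (not in baseline) or removed."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def build_sample_tree(files):
    """Write a constructed {relative_path: bytes} mapping into a temp dir."""
    root = tempfile.mkdtemp(prefix="baseline-demo-")
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(content)
    return root


# Constructed sample contents: a clean install and a later snapshot in which one
# system binary has been altered and an unknown driver has appeared.
CLEAN_INSTALL = {
    "System32/userinit.exe": b"clean userinit bytes",
    "System32/explorer.exe": b"clean explorer bytes",
    "System32/drivers/ndis.sys": b"clean ndis bytes",
}
LATER_SNAPSHOT = {
    "System32/userinit.exe": b"clean userinit bytes" + b"\x90",   # altered
    "System32/explorer.exe": b"clean explorer bytes",
    "System32/drivers/ndis.sys": b"clean ndis bytes",
    "System32/drivers/example_rk.sys": b"unknown driver bytes",   # new file
}


def run_demo():
    """Hash both constructed trees and return the comparison report."""
    clean_root = build_sample_tree(CLEAN_INSTALL)
    later_root = build_sample_tree(LATER_SNAPSHOT)
    try:
        baseline = hash_tree(clean_root)   # in practice: saved from the fresh install
        current = hash_tree(later_root)    # in practice: computed from trusted boot media
        return compare_to_baseline(baseline, current)
    finally:
        shutil.rmtree(clean_root, ignore_errors=True)
        shutil.rmtree(later_root, ignore_errors=True)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket}: {paths}")
```

The baseline must be stored somewhere the running system cannot modify (removable media, another host) and the later hashes computed from known-good media; hashes produced by a tool running on the suspect system are exactly the "checking program on a corrupted system" the thread warns about.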
    • Re: (Score:2, Informative)

      If a native app [microsoft.com] can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot. This works for user mode and kernel mode rootkits, but if there's a BIOS rootkit you're pretty much screwed. See my previous post [slashdot.org], Norton AntiVirus 2007 operates in this way.
      • Re: (Score:3, Informative)

        If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot...

        There's no fundamental reason why they couldn't intercept the I/O requests from your native app and return false but consistent data there.

        It's just very difficult to do, which is why rootkits try to skirt detection based on the Strider: Ghostbuster method (do a low-level scan of the on-disk filesystem data structures, compare to the res
      • Re:Wow.... (Score:4, Insightful)

        by Creepy Crawler (680178) on Thursday January 18 2007, @12:00AM (#17659048)
        ---If a native app can analyze the disk volume directly it can identify malicious drivers and reveal them to a friendly Win32 application that can remove them after a reboot.

        Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received. As far as you know, the system will be "ok". But it'll be OK, because you can analyze the volume directly!!

        ---This works for user mode and kernel mode rootkits, but if there's a BIOS rootkit you're pretty much screwed.

        Sure. If you have to run a "checking program" on a corrupted system, what makes you think you'll get good results? I keep drilling this point, but all you do is give dumb comments. And BIOS rootkit? Good luck with that one. You all might wanna give LinuxBIOS some help if you can flash WORKING hacked firmwares to the multitudes of x86 boxes. Oh... you mean diddle with the ACPI tables. Welllll.. Bah.

        ---See my previous post, Norton AntiVirus 2007 operates in this way.

        I ignore ads.
        • Re: (Score:2, Insightful)

          Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received

          If that's ALL you hide, then you'll be found by all of these tools.

          You ALSO have to mess with low-level I/O requests; if an application can say "I want block #17" you need to be able to mutate the returned data if it's a directory block or something l
          • ...Oh bother... If I had a Kernel Level rootkit, I can SHIM all your commands through it and filter what I want you to see. You can guarantee that I will hide my program ID, memory used, swap used, location on fixed disks, and any network data transmitted/received

            ---If that's ALL you hide, then you'll be found by all of these tools.

            Wrong. If I control the CPU as kernel level, I can do anything I want. Next of all, if I use custom tools, good luck trying to find them. Well, the only way to find them would to
            • Re: (Score:3, Insightful)

              Wrong. If I control the CPU as kernel level, I can do anything I want.

              That's true.

              The OS is too untrustworthy after you hook it on a network (in Windows case especially).

              Windows is no more vulnerable once you've got a kernel hook than Unix/Linux/whatever is. If anything, Linux is more vulnerable because figuring out the appropriate places to hook in Windows is a lot harder without source.

              ("Security through obscurity" is a bad idea -- but obscurity can be a layer and be helpful as long as you design and impl
    • This is just a stupid idea if anything. The purpose of a rootkit is to make a very hidden hole into a system. Doing this requires reprogramming and setting up the system in that nobody can diagnose itself.
      The idea is that the rootkit is not perfect. If the diagnostic tool says "found", you know there is a problem. If it says "not found" you don't know anything. Just like you did not know before running the tool.
  • by Stormwatch (703920) <rodrigogirao@hotma i l . com> on Wednesday January 17 2007, @11:01PM (#17658584) Homepage
    Do NOT buy music from stores. Instead, get them from torrents. It's safer!

  • For those who don't know, BitDefender Antivirus has had rootkit detection and removal since v10. It was released back in Aug-Sept 2006.
  • Blue Pill (Score:3, Interesting)

    by Asztal_ (914605) on Wednesday January 17 2007, @11:37PM (#17658868)
    Can any of them detect blue pill [blogspot.com]?
    • Re: (Score:3, Informative)

      Apparently one of them attempts to. From TFA:

      The single most intriguing feature is the "Virtual Machine Detector," which uses the time elapsed between two low-level CPU instructions to determine if the operating system is running directly on the PC or in a virtual machine.

      There are actually a few other ways to detect if you are running inside a VM, e.g. use of a non-privileged instruction that reveals information about memory mappings (here [codeproject.com]). However, there is still an arms race: the rootkit programmer mig

  • IceSword120_en.zip [80.190.139.91] -- Somewhat faster download for IceSword (at least until it gets Slashdotted)
  • The F-Secure product is Blacklight.

    Wish I could remember the name to give the guy credit, but someone's pointed out that even booting from a CD doesn't necessarily give you a trustworthy system if there's malware flashed onto a graphics card that the BIOS detects and configures before the CD takes over.
  • by shanen (462549) on Thursday January 18 2007, @02:25AM (#17659894) Homepage Journal
    It's really a philosophic problem. Microsoft sees the OS as a weapon against the competitors, and when you're building weapons, of course you make them as powerful as possible and of course safety gets a lower priority. (Microsoft's highest priority has always been on the money, however.) The problem is that the results are overpowered OSes that real experts can use in ways that completely overwhelm us normal mortals. Heaven help the little old lady who just wants to visit her church's website on Sundays.

    As regards the article, I read most of it, and might finish it later, but I wasn't too impressed with it or with the rootkit-detection tools that I've experimented with in the past. I'm supposed to be something of a computer expert, and I've certainly been using them long enough, but I regard myself as pretty much a helpless infant in these areas. If the NSA is planning to root my computer because I regard Dubya as an asinine embarrassment to my nation, I don't seriously expect to be able to do anything about it. Sure, I can use an expert's tools in many cases, but that doesn't make me any match for a real expert with corresponding tools. Or returning to the weapon metaphor, I may have a great gun, and even be competent enough in using it, but I'm sure that a seriously experienced killer would have little trouble taking me out, even with an inferior weapon.

    In conclusion, "It's a poor craftsman who blames his tools", but it's also a poor craftsman who can't tell the difference...
  • - and I don't just mean converting the poor user to Linux either -- I mean things like Knoppix [knopper.net] with clamav [slashdot.org] which allow you to search for signs of rootkits without having the rootkit, itself, get in your way.

    Once you've pulled out those pieces, then you can hopefully boot (what's left of) Windows, run some of the Windows-centric anti-virus ware in hopes of finding those pieces that clamav didn't find.

  • by toadlife (301863) on Thursday January 18 2007, @06:55AM (#17661444) Journal
    I find it curious and a bit disconcerting when I see how much emphasis people place on the subject of malware detection in the realm of information security. What to do after malicious code finds its way onto our systems, or into our networks, is certainly something to consider, and any security plan would be incomplete without it, but this area takes up far too much of our time, given that other aspects of security bring a much more favorable cost/benefit ratio.

    I can only surmise that there is certain "sexiness" to malware detection; much the same way that fancy home alarm systems are the first thing that many think of when contemplating home security.

    In the home security market, advertisements depict evil prowlers dressed in sweat-suits busting through the back door of the house, while a frightened soccer mom with her five year old daughter cower upstairs. The alarm sounds, the prowler runs away, and a call comes in from the alarm provider, asking if they are ok. Quite dramatic. Quite unrealistic too.

    In the information security market there are no soccer moms, and the prowlers don't run around in matching sweat-suits, but the theme is similar. "Buy our product - it will catch intruders when they enter and save you." Again - quite dramatic, and quite unrealistic.

    In the real world, people forget to turn on their alarm systems, or they forget to change the batteries, or intruders know how to disable them without triggering them.

    In the real world, people also forget to update their AV/IDS signatures, or turn their security product off for various reasons - usually convenience-related - or, like the prowler in the home, malware simply disables the security solution on its way in.

    Just as in securing a home, we would be better off if we first focused on installing heavy doors and deadbolts on all outside entrances, in the virtual world, we would be better off focusing on the barriers that malware must overcome to gain entry to our systems and access to our information and resources.

    This is far from an original thought, but I'll say it anyway as it deserves to be repeated. The security industry is a joke. It is filled by people who either don't understand the basic principles of information security, or do but choose to sell 'sexy' solutions anyway. I once ran into the author of a somewhat popular Windows security product on a messageboard and was shocked at his apparent lack of understanding of how his platform of choice, Windows, worked.

    I suppose this is more of a Windows problem than anything else. Not a problem with Windows, the operating system, but a problem with Windows, the culture.
    • Re: (Score:2, Informative)

      LOL is this a serious post? Most rootkits out there are designed to work on *nix based operating systems. True rootkits are far more common for these flavors of OS than for Windows. I am not sure if this is a reference to Ubuntu being secure. Maybe you could have recommended visiting a site that houses a BSD flavor.. won't bother pointing out one for that useless debate. Choosing Ubuntu is not going to protect you from rootkits in any way.
    • Re:Rootkit (Score:4, Insightful)

      by chris(pinecone) (1037932) <`ccool2ax' `at' `gmail.com'> on Wednesday January 17 2007, @11:26PM (#17658782) Journal
      Most rootkits target *nix. OS X is a Unix variant. But since Macs don't ever get viruses, I'm sure it would be impossible to get past Apple's expert, fully-secure software.
    • Re: (Score:2, Interesting)

      A/Coward - What, you somehow think that you are immune to Rootkits???

      I would not bet my life on that. Even though I consider the default security in my choice of GNU/Linux distro to be tighter than OS-X, I still use Knoppix (a CD based GNU/LINUX OS) for internet banking. It is the only TRUE assurance of safety from being rooted.

    • Re: (Score:2, Funny)

      by Anonymous Coward
      1. Windows Defender does exist.
      2. Windows Defender is freeware.
      3. Windows Defender is a malware removal tool, not a firewall.
      4. You're too late, I already laughed.
    • The review was for tools for the Windows PC, not the Mac or Linux. Sorry this was not more evident. The parent is (without knowledge) implying that the Mac is not vulnerable to being rooted. And some fanbois are modding this funny? This might be funny, IF IT WERE TRUE! Not only are Mac rootkits possible, they exist. Do a Google search before you post and it will prevent mistakes like this. (Yes I know, I run a risk of hardcore fans modding me down)