SysInternals Releases RootkitRevealer

Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."

Strange...

[bigtallmofo (695287)]

Every time I try to go to www.sysinternals.com to find the new Rootkit removal application, my system shuts down automatically.

Probably nothing to worry about.

Re:Strange...

[SpinJaunt (847897)]

If you are using Windows XP SP2 or Windows 2003 SP1, you'll need to turn off DEP (Data Execution Prevention) by editing your BOOT.INI and have change from

/noexecute=optin

to

/noexecute=AlwaysOff

http://msdn.microsoft.com/library/default.asp?url= /library/en-us/ddtools/hh/ddtools/BootIni_aff45176 -bd02-43cf-9895-c212fa392de2.xml.asp [microsoft.com] I had this problem with Daemon tools and Acohol 120%

Re:Strange...

[by Anonymous Coward]

Yeah, should probably just turn off that buffer overrun protection, don't know what it's good for anyways. Also you should set your administrative password to blank and share out your entire C drive with Everyone granted full control, just to make things easier.

Sysinternals is great

[Dr.Opveter (806649)]

I love their stuff [sysinternals.com]

No really, they have class utilities for free, thanks Sysinternals

Re:Sysinternals is great

[cnettel (836611)]

Agreed.

One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

Incompatible?

[gr8_phk (621180)]

"It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

Bloated Software Giant Ahead of the Curve Again

[by Anonymous Coward]

Wow. Pop-up blocking, rootkit detection, basic network security... isn't it amazing how an enormous patent library and billions of dollars encourages so much innovation? It's like they're ten years ahead of everyone else.

Wait... no, the other way around...

Free Sony PSPs [tinyurl.com]. It's real. It's here.

Rootkit?

[Fls'Zen (812215)]

I didn't think people needed rootkits for windows...

Re:Rootkit?

[slavemowgli (585321)]

Why not? The purpose of a rootkit is usually not so much to take over a box (trivial on a standard windows installation), but rather to hide the fact that such a take-over occured.

So this is...

[JustNiz (692889)]

>> RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level,

So this is a rootkit in itself.

I don't know that I'd trust Microsoft anymore than anyone else running rootkits on my ststem.

Re:So this is...

[interiot (50685)]

No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

RootKitRevealer doesn't change any results of API calls at all.

RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

handy

[diegocgteleline.es (653730)]

This will be interesting as soon as spyware starts using rootkits in windows.

You know, Microsoft is securing (really) XP with the SP2, popups-blockers, restrictions on activex objects....which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's lot of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users runs with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs...(and if today's spyware is very poorly designed and can break your IE eve when they don't really wnat that, guess how systems will start to break if rootkits are started to use....)

Re:handy

[arkanes (521690)]

Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.

Looking forward...

[Apiakun (589521)]

defeating their tool would require a level of sophistication not yet seen

What, until tomorrow?

If you run linux

[Apreche (239272)]

If you run linux you can use chkrootkit [chkrootkit.org]

Re:If you run linux

[slavemowgli (585321)]

You don't need to run Linux for chkrootkit. More or less any Un*x or Un*x-like OS will do fine:

"chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."

Re:If you run linux

[Taladar (717494)]

Don't forget to run it from a known-good live-cd, otherwise it won't do you much good since it is just a script that uses several system programs.

Microsoft BSA

[TheFlyingGoat (161967)]

While you're at it, download the Microsoft Baseline Security Tool [microsoft.com]. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.

Reputation Counts

[Ridgelift (228977)]

Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use sysinternal's over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals" [sysinternals.com]. They put their name on everything they give away and sell.

When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS [sysinternals.com] have saved my butt in the field.

Way to go Sysinternals.

Sysinternals.com is a Good site

[tristanj (797805)]

Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

Here are some good tools of their that I use frequently

Autoruns

http://www.sysinternals.com/ntw2k/freeware/autorun s.shtml [sysinternals.com] shows a complete list of programs that start up automatically when windows starts. Filemon

http://www.sysinternals.com/ntw2k/source/filemon.s html [sysinternals.com] Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware. Regmon

http://www.sysinternals.com/ntw2k/source/regmon.sh tml [sysinternals.com] Like filemon, but for registry access. Shows keys being read and created. Pagedefrag

http://www.sysinternals.com/ntw2k/freeware/pagedef rag.shtml [sysinternals.com] Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file. Also many others here

http://www.sysinternals.com/ntw2k/utilities.shtml [sysinternals.com]

IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

Re:A level of sophistication?

[johndiii (229824)]

As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

Re:RootKit in windows?

[tverbeek (457094)]

Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

For the same reason trackpads, wireless pointing devices, and such are called "mice", even though they look nothing like a mouse.... why solid state storage devices are called "flash disks" or "flash drives", even though there's nothing flat and circular in them and no moving parts... why the stuff in the middle of pencils is called the "lead", even though it's mostly graphite... why magazines featuring stories told with sequential art are called "comic books", even though they're usually not humorous.

Simple, really

[sczimme (603413)]

Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be relatively simple matter to acquire it again.

Re:How do you REMOVE a rootkit?

[denis-The-menace (471988)]

Just use MS SOP to fix 99% of problems: Re-install

This irony here is that it's what you have to do to be 100% sure that no rootkits exists in ANY OS.

Your system is fine...

[Leadhyena (808566)]

There is nothing wrong with your system. In the .chm file provided with the RootkitRevealer it explains:

Hidden from Windows API discrepancies are the ones exhibited by most rootkits, however you should expect to see a number of such entries on any NTFS volume since NTFS hides its metada files, such as $MFT and $Secure, from the Windows API. In addition, there are a number of Registry keys that are inaccessible from the Windows API and will report as access-denied discrepancies.

This explains all of the listed entries except for the last one(the $BADCLUS entry is due to missing clusters, like the previous poster said, and you need to do a scandisk). Your last entry is there because you had Firefox open when you ran the scan. Again from the help file:

Files or Registry data created after a scan starts will also show up as discrepancies, so run RootkitRevealer on an idle system.

You're fine, although your reaction will be similar to many other users who will see the same thing and freak out similarly, because they don't understand NT internals... I think this is not a good tool to release to the masses, and should only be used by sysadmins, just like how HijackThis is really good for detecting spyware, but only to someone who knows something about Windows systems.

Not to mention that if you have a rootkit installed, you better be prepared to wipe your system clean and reinstall the OS, because otherwise there's no way of knowing if you have the whole thing removed.