[Infowarrior] - Review: Six Rootkit Detectors Protect Your System

Richard Forno rforno at infowarrior.org
Thu Jan 18 08:50:45 EST 2007


Review: Six Rootkit Detectors Protect Your System

While many security suites have a basic level of detection, these standalone
tools will do a search-and-destroy on the rootkits that may be hiding in
your system.

By Serdar Yegulalp,  InformationWeek
Jan. 16, 2007
URL: http://www.informationweek.com/story/showArticle.jhtml?articleID=196901062

In October 2005, Windows expert Mark Russinovich broke the news about a
truly underhanded copy-protection technology that had gone horribly wrong.
Certain Sony Music CDs came with a program that silently loaded itself onto
your PC when you inserted the disc into a CD-ROM drive. Extended Copy
Protection (or XCP, as it was called) stymied attempts to rip the disc by
injecting a rootkit into Windows, but it had a nasty tendency to destabilize
the computer it shoehorned itself into. It also wasn't completely invisible:
Russinovich's own RootkitRevealer turned it up in short order. Before long,
Sony had a whole omelette's worth of egg on its face, and the word rootkit
had entered the vocabulary of millions of PC users.

The concept of the rootkit isn't a new one, and dates back to the days of
Unix. An intruder could install a kit of common Unix tools, recompiled to give
the intruder administrative (root) access without leaving traces
behind. Rootkits, as we've come to know them today, are programs designed to
conceal themselves from both the operating system and the user, usually by
performing end-runs around common system APIs. It's possible for a
legitimate program to do this, but the term rootkit typically applies to
something that does so with hostile intent as a prelude toward stealing
information, such as bank account numbers or passwords, or causing other
kinds of havoc.

Many antivirus and security-software manufacturers have since added at least
some rudimentary level of rootkit detection to their products, but there
have been a number of free, standalone rootkit detection tools that have
been in use for some time. In this article, I examine six of the more
prevalent standalone applications, and talk about their relative merits and
abilities. To test them out, I used them to scan a system for three
varieties of rootkit: Fu or FuTo, which can "stealth" any process; the AFX
Windows Rootkit 2003, which can hide processes and folders from the system;
and Vanquish, which is similar to AFX but uses a slightly different
concealment mechanism.

How They Work
The detectors themselves typically work by comparing different views of the
system and seeing where there's a mismatch. One of the original ways to
perform this kind of detection was to dump a complete list of all the files
on the volume while inside the operating system, then boot to the Recovery
Console and dump another file list, then compare the two. If a file shows up
in the second list but not in the first and isn't a Windows file kept hidden
by default, it's probably a culprit. More recent rootkit detectors use
variations on this scheme that don't require exiting the operating system to
get usable results.
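The two-listing comparison described above, as an added illustration that is not code from the article or from any of the reviewed tools: it takes a listing captured inside the running OS and one captured offline (one full path per line), reports paths that only the offline view shows, and sets aside entries Windows hides by default. The allowlist, file names and both listings are constructed for the example.

```python
from __future__ import annotations

# Paths Windows hides by default; a constructed allowlist for this example, not exhaustive.
KNOWN_HIDDEN = {r"\pagefile.sys", r"\hiberfil.sys", r"\System Volume Information"}

def normalize(path: str) -> str:
    """Case-insensitive, backslash-separated, no trailing separator."""
    return path.strip().replace("/", "\\").rstrip("\\").lower()

def parse_listing(text: str) -> set[str]:
    """One full path per line; blank lines and '#' comments are ignored."""
    return {normalize(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def is_expected_hidden(path: str) -> bool:
    """True if the path is, or lies under, a hidden-by-default entry (drive letter ignored)."""
    rel = path[2:] if len(path) > 1 and path[1] == ":" else path
    return any(rel == normalize(k) or rel.startswith(normalize(k) + "\\") for k in KNOWN_HIDDEN)

def cross_view_diff(inside: str, outside: str) -> dict[str, list[str]]:
    """Compare the in-OS listing with the offline listing of the same volume.
    hidden:          seen only offline and not on the allowlist, i.e. the rootkit suspects
    expected_hidden: seen only offline but hidden by design
    only_inside:     seen only by the running OS (e.g. created between the two snapshots)"""
    a, b = parse_listing(inside), parse_listing(outside)
    only_outside = sorted(b - a)
    return {"hidden": [p for p in only_outside if not is_expected_hidden(p)],
            "expected_hidden": [p for p in only_outside if is_expected_hidden(p)],
            "only_inside": sorted(a - b)}

# Constructed sample listings, not real captures: the offline view shows a driver and a
# program folder that the running OS never reported.
INSIDE_VIEW = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\tcpip.sys
C:\Users\alice\notes.txt
C:\temp\new.log
"""
OUTSIDE_VIEW = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\tcpip.sys
C:\Windows\System32\drivers\hidden_sample.sys
C:\Users\alice\notes.txt
C:\pagefile.sys
C:\System Volume Information\tracking.log
C:\Program Files\hidden_dir
C:\Program Files\hidden_dir\tool.exe
"""
```

Calling cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW) puts the driver and the program folder under "hidden", while the page file and System Volume Information entry land under "expected_hidden".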

I've also looked at these applications in a more general light and tried to
consider how useful the program is likely to be in the future: how easy the
detector is to use; how easy it is to interpret the results; how often the
detector was updated; and so on. Remember that rootkits, like viruses, are a
moving target. An anti-rootkit program that protects you today might be
defenseless tomorrow against a whole new variety of threat; in fact, many
rootkit makers write their programs to specifically avoid detection by some
existing programs. 

< - >

http://www.informationweek.com/shared/printableArticle.jhtml?articleID=196901062