Rootkit discovery tools

Hidden, you say? Yes. Rootkit-type malware and its ilk can hide its presence completely from your antivirus, antispyware and intrusion detection tools, because those tools ask the operating system what is on the disk and in the registry, and the rootkit controls the answer.

The good news is that there are only a few “known” rootkits in the wild. But that’s a few too many, and rootkit development tools can be found on hacker/cracker web sites. The better news is that there are also tools available to find and remove hidden rootkit malware, as reviewed here, and more are on the way. It is only a matter of time before these techniques are integrated into mainstream antivirus and/or antispyware products; I have heard estimates of six months.

OK, what is a rootkit anyway? The term comes from the Unix-like (“*nix”) operating systems, where “root” is the all-powerful administrator account: a rootkit was originally a kit of replacement system utilities (ls, ps, netstat and the like) that let an intruder keep root access while hiding the files, processes and connections that would give them away. Rather than get over my head in technicalities, I’ll just offer a general definition: a rootkit is software that hides files, processes, registry keys or network connections from the normal means of viewing them, such as a file viewer like Windows Explorer or a registry editor like RegEdit, typically by intercepting (“hooking”) the operating system calls those tools use to list them. The hidden items may or may not be malicious, but the technique, and the result, is that they are invisible to any tool that trusts the operating system’s answer.

How to combat rootkits: A number of good rootkit discovery and removal tools are available. I have conducted some rudimentary testing of several of them, and the results are presented here.

But since this is quite a new thing, most of these discovery tools are in an early stage of development. I tested three and found that they all performed a little differently: BlackLight from F-Secure, RootkitRevealer by Sysinternals, and UnHackMe by Greatis Software. Lest you think rootkits are nothing to worry about yet, Greatis and other sites list several current rootkit-type attacks, including Hacktool.Rootkit, Backdoor.Isen.Rootkit, Backdoor.Rtkit, Trojan.Kalshi, Hacker Defender, FU, and Vanquish.

Microsoft also has a tool under development called “Strider GhostBuster” that uses a technique that may be more powerful and effective than the tools reviewed in this post: it compares what the running system reports with a scan of the same disk taken from a clean boot, and anything that shows up only in the clean-boot view has been hidden. But how well that works in practice remains to be seen. A PC World article about this can be found here: pcworld

The tool from F-Secure is called BlackLight. It found one item on my system that was installed in a hidden manner; that evidently was a device driver for the file- and folder-encryption program called Folder Lock. This seemed appropriate for such a program and is therefore of little concern. It took some sleuthing to find the source of this item: I searched my system with the search narrowed to the creation date of the file in question, which showed that I had installed Folder Lock on that day and that the file creation times matched exactly. True rootkit malware would probably show a number of related hidden files; an isolated hidden file is more likely to be a driver for something you have installed. F-Secure support was very prompt and courteous in their reply to my inquiries about the results from running BlackLight. It can be found here: BlackLight

RootkitRevealer by Sysinternals also found the file mentioned above. It also found a number of “null” entries in the Registry. I have yet to submit this result to Sysinternals, but I believe these “nulls” represent partially deleted registry keys, and therefore they would be of no great consequence, although they could be an indication of a problem. I am going to try the latest version to see what it finds and submit the results to them. It can be found here (along with a lot of good information): RootkitRevealer
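The “hidden from normal means” in the definition above, and the cross-view comparison that RootkitRevealer (and Microsoft’s GhostBuster) are built on, shown as an added example; this is not code from the original post or from any of the reviewed tools. It simulates a user-mode hook in Python by replacing os.listdir, the way a Windows rootkit hooks FindFirstFile/FindNextFile, then detects the hidden files by comparing that view with an independent one (os.scandir). The hidden-name prefix, the file names and the triage rule of thumb are assumptions made for illustration; the real tools do the same comparison against the raw disk or registry hive rather than a second Python call.

```python
import os
import tempfile

# Hypothetical prefix the simulated rootkit conceals; chosen for this example.
HIDDEN_PREFIX = "_hd_"


def install_hook(prefix=HIDDEN_PREFIX):
    """Simulate a user-mode rootkit. It replaces os.listdir with a wrapper
    that silently drops entries the intruder wants hidden, the same idea as
    a Windows rootkit hooking FindFirstFile/FindNextFile so that Explorer
    never sees certain files. Returns the original function so the hook
    can be removed."""
    original = os.listdir

    def hooked_listdir(path="."):
        return [name for name in original(path) if not name.startswith(prefix)]

    os.listdir = hooked_listdir
    return original


def remove_hook(original):
    """Restore the genuine os.listdir (undo install_hook)."""
    os.listdir = original


def high_level_view(path):
    """What an ordinary tool sees: it asks the (possibly hooked) API."""
    return set(os.listdir(path))


def low_level_view(path):
    """An independent route to the same data that the simulated hook does
    not touch (os.scandir has its own implementation). A real detector
    reads the raw NTFS volume or registry hive for this view."""
    with os.scandir(path) as entries:
        return {entry.name for entry in entries}


def cross_view_diff(path):
    """Compare the two views of one directory.

    hidden  = in the low-level view only: the classic rootkit signature.
    phantom = in the high-level view only: usually a file created or
              deleted between the two scans, a benign race, not a rootkit.
    Both lists are returned sorted so results are stable."""
    api = high_level_view(path)
    raw = low_level_view(path)
    return sorted(raw - api), sorted(api - raw)


def triage(hidden):
    """Rule of thumb from the post: one isolated hidden item is more likely
    a legitimately hidden driver for something you installed; several
    related hidden items look like a rootkit. A heuristic, not a verdict."""
    if not hidden:
        return "clean"
    if len(hidden) == 1:
        return "review: single hidden item, likely an installed driver"
    return "suspicious: multiple hidden items, investigate as rootkit"


def demo():
    """Build a scratch directory (constructed sample data), hide two files
    with the simulated hook, and run the cross-view detector against it."""
    with tempfile.TemporaryDirectory() as scratch:
        for name in ("readme.txt", "_hd_backdoor.dll", "_hd_config.ini"):
            with open(os.path.join(scratch, name), "w"):
                pass
        original = install_hook()
        try:
            explorer_sees = sorted(high_level_view(scratch))
            hidden, phantom = cross_view_diff(scratch)
        finally:
            remove_hook(original)
    return explorer_sees, hidden, phantom, triage(hidden)


if __name__ == "__main__":
    seen, hidden, phantom, verdict = demo()
    print("high-level view:", seen)
    print("hidden:", hidden)
    print("phantom:", phantom)
    print("verdict:", verdict)
```

The point to take from the demo is the asymmetry: the hooked view looks perfectly normal on its own, and the hidden files only become visible when a second, independent view exists to compare against. That is also why the “phantom” column matters in practice: a file that appears in one scan and not the other because it was created in between is a timing artifact, not a rootkit, and a tool that does not distinguish the two directions of the difference will cry wolf.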

The UnHackMe tool by Greatis Software did not find any of what the others found, but it did find a hidden registry key for a program called VitalAgentIT, which is a spin-off of NetMedic, I believe, a program that I make regular use of to monitor the Internet connection. This appears to be a false positive: the registry key actually was there and visible, it just started with a leading zero in its name (instead of a V). (It did take me some time to find it because of this leading zero.) That said, Greatis was very responsive to my inquiries. The tool can be found here: UnHackMe

Frankly, the technology is a little young, but maturing rapidly.

I was a little surprised to find anything with these tools. I wonder what others may be finding. I would encourage you to give them a try. If you find anything, contact the developer of the tool and help the designers refine their tools. Let me know what you find.

Update:
Here is another good article about rootkits:

Malicious Bots Hide Using Rootkit Code

One Response to “Rootkit discovery tools”

  1. Randall R. (admin) Says:

    Additional Info about detecting rootkits: Rename that executable! For instance, Blacklight is “fsbl.exe” . F-Secure recommends that you rename it to any random set of characters before running it. This is because at least one new rootkit virus detects the F-Secure program when it is run and disables it in some manner. Note: It must still have the .exe extension.

    SysInternals has updated their RootkitRevealer tool to version 1.30 to combat this very problem. (Check for new updates regularly, as these tools are evolving rapidly.) They also recommend renaming the executable. It can be found here: RootkitRevealer
