Odds are your everyday run-of-the-mill antivirus and antispyware applications won't be able to detect, much less remove, a lot of the Windows-based rootkits. But even with rootkit-centric scanning software, it's impossible to determine with 100% certainty that a system you scan isn't infected. No matter what anyone tells you, there is no one best rootkit scanner that can detect everything. Given the detection complexities, I'm not sure there ever will be one.
Another thing to keep in mind is that rootkit scanning tools -- like any other security scanning/testing tool -- can produce false positives, especially with any legitimate programs that establish kernel-level hooks on the system. That's why you've got to be prepared to analyze the results, perform further research and put some context around what your tools have found.
To get started scanning, you need the right tools. There are several rootkit scanning tools available. A popular free scanner I mention often is Sysinternals' RootkitRevealer. It works by comparing the services running at the Windows API level with what's showing up at the raw data level on the computer's hard drive. The only negative aspect of RootkitRevealer is that it doesn't clean what it finds. Its instructions tell you to search the Web for removal instructions or reformat your drive and reinstall Windows. Ouch.
Another free (at least until January of 2007) tool for scanning is F-Secure BlackLight as shown in the following figure.
Figure 1: F-Secure Blacklight Rootkit Eliminator
Using F-Secure BlackLight to scan for rootkits
Using BlackLight is simply a matter of downloading it and running the executable file. It will scan your local drives, highlight what it found and allow you to clean what it finds. It hides almost everything from the user, but it is very fast and very easy to use. You should definitely check it out -- especially while it's still free!
Another rootkit scanning tool by an F-Secure competitor is Sophos Anti-Rootkit (see Figure 2).
Figure 2: Sophos Anti-Rootkit
Anti-Rootkit has an install routine and you have to manually run the executable afterwards. It allows for more user interactivity than BlackLight, but it is slower to scan your system. In Figure 3, notice how Anti-Rootkit easily uncovered the Hacker Defender as well -- including its installation files I intentionally left behind.
Figure 3: Results of Anti-Rootkit scan
There are various other rootkit scanners including Rootkit Hook Analyzer, VICE, and RAIDE. I encourage you to try all of them to see which one(s) best suit your needs.
Finding and removing a rootkit
Step 1: Is there a problem
Step 2: Choose the right scanning tool
Step 3: Clean up the mess
Step 4: Bulletproof your efforts
|About the author:|
|About the author: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com. Copyright 2006 TechTarget|
This was first published in October 2006