Step 2: Choose the right scanning tool

It's difficult -- but not impossible -- to be totally sure that your system is 100% rootkit free, says Windows security expert Kevin Beaver. In this step-by-step guide, Beaver shows you how to strengthen your Windows systems against the rootkit threat.


Odds are your everyday run-of-the-mill antivirus and antispyware applications won't be able to detect, much less remove, a lot of the Windows-based rootkits. But even with rootkit-centric scanning software, it's impossible to determine with 100% certainty that a system you scan isn't infected. No matter what anyone tells you, there is no one best rootkit scanner that can detect everything. Given the detection complexities, I'm not sure there ever will be one.

Another thing to keep in mind is that rootkit scanning tools -- like any other security scanning/testing tool -- can produce false positives, especially with legitimate programs that establish kernel-level hooks on the system (antivirus engines, host firewalls, copy-protection and virtualization software all commonly do). That's why you have to be prepared to analyze the results, perform further research and put some context around what your tools have found before you act on them.

To get started scanning, you need the right tools. There are several rootkit scanning tools available. A popular free scanner I mention often is Sysinternals' RootkitRevealer. It works by comparing the file system and Registry as reported by the Windows API with what it reads directly from the raw volume and Registry hive data; anything that shows up in the raw data but not through the API is being hidden from the operating system and deserves a close look. The only negative aspect of RootkitRevealer is that it doesn't clean what it finds. Its instructions tell you to search the Web for removal instructions or reformat your drive and reinstall Windows. Ouch. Another free (at least until January of 2007) tool for scanning is F-Secure BlackLight, as shown in the following figure.
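RootkitRevealer's cross-view approach, together with the triage step described in the previous paragraph, can be shown as a short program. The following is an added example written for this article; it is not Sysinternals code and it was not supplied by the author. It takes two listings of the same part of the file system, one as the Windows API reports it and one as read from the raw volume, reports the three kinds of discrepancy a cross-view scan can surface, and then separates findings that a known-benign allowlist explains from those that still need a human. Both listings, every path in them, and the allowlist (including the hypothetical "ExampleAV" product) are constructed for the example rather than captured from a real machine.

```python
"""Cross-view rootkit detection, illustrated.

Added example (not Sysinternals' RootkitRevealer code). The two listings
below are constructed: on a real system the "API view" would come from
directory enumeration through Win32 and the "raw view" from parsing the
NTFS volume directly, which is exactly the pair RootkitRevealer compares.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "hidden_from_api", "api_only" or "data_mismatch"
    note: str


def cross_view_diff(api_view: dict[str, int], raw_view: dict[str, int]) -> list[Finding]:
    """Diff two listings that map a path to its reported size in bytes.

    - a path only in the raw view is what a rootkit hides from the API;
    - a path only in the API view usually came or went between the two
      passes (a common source of false positives, not of rootkits);
    - a size that differs between views is a data mismatch worth a look.
    """
    findings: list[Finding] = []
    for path in sorted(raw_view.keys() - api_view.keys()):
        findings.append(Finding(path, "hidden_from_api",
                                "present in raw volume data, absent from API listing"))
    for path in sorted(api_view.keys() - raw_view.keys()):
        findings.append(Finding(path, "api_only",
                                "visible to API but not in raw data (often created between passes)"))
    for path in sorted(api_view.keys() & raw_view.keys()):
        if api_view[path] != raw_view[path]:
            findings.append(Finding(path, "data_mismatch",
                                    f"API reports {api_view[path]} bytes, raw reports {raw_view[path]}"))
    return findings


# Constructed allowlist: path prefixes whose discrepancies you have already
# explained (hypothetical AV product that hooks the kernel; scratch files).
KNOWN_BENIGN_PREFIXES = (
    "C:\\Program Files\\ExampleAV\\",
    "C:\\Windows\\Temp\\",
)


def triage(findings: list[Finding],
           benign_prefixes: tuple[str, ...] = KNOWN_BENIGN_PREFIXES) -> tuple[list[Finding], list[Finding]]:
    """Split findings into (suspicious, explained_by_allowlist)."""
    suspicious, explained = [], []
    for f in findings:
        if any(f.path.lower().startswith(p.lower()) for p in benign_prefixes):
            explained.append(f)
        else:
            suspicious.append(f)
    return suspicious, explained


# Constructed sample listings (sizes in bytes); not real scan output.
API_VIEW = {
    "C:\\Windows\\System32\\drivers\\ntfs.sys": 574976,
    "C:\\Windows\\Temp\\scan.tmp": 12,                 # scratch file written mid-scan
    "C:\\Program Files\\ExampleAV\\hook.sys": 40960,
}
RAW_VIEW = {
    "C:\\Windows\\System32\\drivers\\ntfs.sys": 574976,
    "C:\\Windows\\System32\\drivers\\hidden.sys": 18432,   # hidden by the rootkit
    "C:\\Windows\\rk\\config.ini": 1024,                    # its config, also hidden
    "C:\\Program Files\\ExampleAV\\hook.sys": 40448,        # benign size mismatch
}


def scan(api_view: dict[str, int] = API_VIEW, raw_view: dict[str, int] = RAW_VIEW):
    """Run the diff and triage on the sample data; returns (suspicious, explained)."""
    return triage(cross_view_diff(api_view, raw_view))


if __name__ == "__main__":
    suspicious, explained = scan()
    print("NEEDS FOLLOW-UP:")
    for f in suspicious:
        print(f"  [{f.kind}] {f.path}: {f.note}")
    print("EXPLAINED BY ALLOWLIST:")
    for f in explained:
        print(f"  [{f.kind}] {f.path}: {f.note}")
```

The allowlist is the "context" step from the paragraph on false positives: a discrepancy under a product you know hooks the kernel is noted, not alarmed on, while a hidden driver under System32 is escalated. Timing-related "api_only" hits are kept in the output on purpose so you can confirm they really were transient files rather than something the rootkit removed between passes.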


Figure 1: F-Secure BlackLight Rootkit Eliminator

Using F-Secure BlackLight to scan for rootkits

Using BlackLight is simply a matter of downloading it and running the executable file. It will scan your local drives, highlight what it found and allow you to clean what it finds. It shows the user very little of what it is doing under the hood, but it is very fast and very easy to use. You should definitely check it out -- especially while it's still free!

Another rootkit scanning tool by an F-Secure competitor is Sophos Anti-Rootkit (see Figure 2).


Figure 2: Sophos Anti-Rootkit

Anti-Rootkit has an install routine, and you have to run the executable manually afterwards. It allows for more user interactivity than BlackLight, but it is slower to scan your system. In Figure 3, notice how Anti-Rootkit easily uncovered the Hacker Defender rootkit as well -- including its installation files I intentionally left behind.

Figure 3: Results of Anti-Rootkit scan

There are various other rootkit scanners including Rootkit Hook Analyzer, VICE, and RAIDE. I encourage you to try all of them to see which one(s) best suit your needs.


Finding and removing a rootkit

 Home:
Introduction
 Step 1: Is there a problem
 Step 2: Choose the right scanning tool
 Step 3: Clean up the mess
 Step 4: Bulletproof your efforts
About the author: Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com. Copyright 2006 TechTarget
This was first published in October 2006
