Tuesday, October 10, 2006

Rootkit Scanner/Remover

Rootkits are a special kind of software tool used to hide trojans, viruses and other malware from your anti-virus scanner and other security products. Unfortunately, they are extremely effective which means that some of you reading this will be infected even though you believe your PC to be totally clean. Thankfully there is a new class of security product now available called rootkit detectors that use specialized techniques to detect these dangerous intruders.

Most of these detectors require quite a bit of technical skill to interpret the results, but one of the simplest to use is also amongst the most effective. It's called BlackLight [1] and is currently available as a free beta from F-Secure. The beta will expire on the 1st of January, 2007, but you can use it freely up to then. I suggest everyone download this product and scan their PC. The chances of you being infected are small, but for five minutes' work it's not worth taking the risk.

BlackLight will detect most rootkits missed by AV scanners, but it can't provide perfect detection; no rootkit detector can. That's why it's advisable to use more than one product.

If you are an experienced user you should check out SysInternals RootkitRevealer [2]. It uses a totally different technique from BlackLight, so by using both products together you'll be getting excellent overall detection. RootkitRevealer is, however, harder to use than BlackLight and is a bit prone to false positives, so take care before deleting detected items. If in doubt, consult the SysInternals RootkitRevealer forum [3].
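To make the "two views" idea concrete, here is an added example (not code from this post, nor from BlackLight, RootkitRevealer or any other product named here) of the cross-view comparison that detectors of this kind rely on: enumerate the same objects through a high-level listing a rootkit may filter and through a low-level probe it is less likely to intercept, then report what only the probe sees. It also shows why such tools throw false positives: anything that appears or disappears between the two enumerations looks like a discrepancy, so the example repeats the comparison and keeps only persistent hits. The live scan uses Linux's /proc as a stand-in for the Windows API views the post discusses; the PIDs in the demo are constructed.

```python
"""Cross-view process detection (added example; assumes Linux for the live scan).

High-level view: the /proc directory listing, which a rootkit that hooks
directory enumeration can filter.  Low-level view: stat() every candidate
PID directly, which bypasses the listing.  PIDs found by the probe but
absent from the listing are discrepancies.  Processes that start or exit
mid-scan are discrepancies too, so several rounds are intersected.
"""
from __future__ import annotations

import os
from typing import Callable, Iterable


def hidden_from_listing(listed: Iterable[int], probe: Callable[[int], bool],
                        max_pid: int) -> set[int]:
    """PIDs that the probe says exist but the high-level listing omits."""
    listed_set = set(listed)
    return {pid for pid in range(1, max_pid + 1)
            if pid not in listed_set and probe(pid)}


def persistent_discrepancies(rounds: Iterable[set[int]]) -> set[int]:
    """Intersect the discrepancies of every round; transient ones drop out."""
    result: set[int] | None = None
    for flagged in rounds:
        result = set(flagged) if result is None else result & set(flagged)
    return result or set()


def list_proc_pids() -> set[int]:
    """High-level view: numeric entries returned by listing /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_proc_pid(pid: int) -> bool:
    """Low-level view: stat /proc/<pid> directly instead of trusting the listing."""
    try:
        os.stat(f"/proc/{pid}")
        return True
    except FileNotFoundError:
        return False


def linux_pid_max(default: int = 32768) -> int:
    """Upper bound for the brute-force probe, read from the kernel if available."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def scan_linux(rounds: int = 3) -> set[int]:
    """Run the cross-view comparison several times on a live Linux host."""
    max_pid = linux_pid_max()
    return persistent_discrepancies(
        hidden_from_listing(list_proc_pids(), probe_proc_pid, max_pid)
        for _ in range(rounds)
    )


if __name__ == "__main__":
    # Constructed demo data: PID 4242 is present but never listed (hidden),
    # PID 5000 exists only during the first round (exited mid-scan).
    per_round_present = [{1, 100, 4242, 5000}, {1, 100, 4242}, {1, 100, 4242}]
    listed = {1, 100}
    rounds = [hidden_from_listing(listed, lambda p, s=s: p in s, 6000)
              for s in per_round_present]
    print("per-round discrepancies:", rounds)          # 5000 only in round 1
    print("persistent (reported):", persistent_discrepancies(rounds))  # {4242}
    if os.path.isdir("/proc"):
        print("live /proc scan:", scan_linux())
```

The per-round output illustrates the caveat in the text: without the persistence check, the short-lived PID 5000 would be reported alongside the genuinely hidden 4242. On a real host a single run of scan_linux() is still only a lead; the same item should be confirmed by a second, independent tool before anything is removed.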

Another useful rootkit detector for experienced users is GMER [4], though please read the documentation carefully before using it. If you are the type that simply likes to press the "scan" button then stick with BlackLight ;>)

Currently one of the biggest guns in the rootkit detection war is a free Chinese product called IceSword. It's not really a detector like the other products; rather, it offers a set of tools that can help reveal the presence of a rootkit. These tools include a special process viewer, startup manager and port enumerator that are not fooled by rootkits. It's left to the user, though, to interpret the results. In the hands of a skilled user it's an amazing tool, but not much use to beginners. The Chinese download site is very slow, but Major Geeks has a local download link [5].

The reality is that at the present time full protection against rootkits may require the use of multiple products. For details see my article on rootkits [6].


[1] http://www.f-secure.com/blacklight/ Free beta, Windows 2000 and later, 818KB
[2] http://www.sysinternals.com/Utilities/RootkitRevealer.html Freeware, All Windows versions, 207KB
[3] http://www.sysinternals.com/Forum/default.asp
[4] http://www.gmer.net/ Freeware, Windows NT and later, 280KB
[5] http://majorgeeks.com/Icesword_d5199.html Freeware, Windows XP and later, 1.9MB
[6] http://www.techsupportalert.com/rootkits.htm How to deal with the threat of rootkits