New Rootkit Detectors Help Protect You and Your PC
Tuesday, June 20, 2006; 5:10 PM
By now you've heard about Windows rootkits--tools malware authors use to hide their evil creations from our antivirus or antispyware software. Because rootkits often hide dangerous viruses, Trojan horses, or spyware, detecting them is important.
Only a few rootkit-detection tools have received attention: the free RootkitRevealer from sysinternals.com , and F-Secure's ( BlackLight --freeware until September 1). But luckily for us, developers are working on a number of powerful, no-cost tools to detect rootkits.
One is IceSword, developed by a Chinese programmer who doesn't speak a word of English. Makers of rootkits consider it the toughest rootkit scanner. In fact, the creators of the Hacker Defender rootkit, one of the most widely used tools among the bad guys out there, made it their goal to defeat IceSword. So far, they've failed. Download an international version that has English dialog boxes and controls here . (Note: IceSword comes compressed in the RAR format, so you may also need to download the WinRAR utility from rarlabs.com before you can use it.)
Another scanner that can find many of the most stubborn rootkits is GMER ( www.gmer.net ), a freeware tool from Poland that has been described as a combination of RootkitRevealer and another key Sysinternals utility, Process Explorer. The program can list running processes ( procesy in Polish), modules ( moduly ), and Windows services ( uslugi ), in addition to scanning for the presence of rootkits (click theRootkittab and then click the button labeledSzukajto start the scan).
Hook Explorer from iDefense can tell you if a file has hidden itself behind legitimate programs, sometimes fooling firewall software. A file hooked into the Windows program winlogon.exe, for example, could record your keystrokes as you type your system password, and if you tried to kill the winlogon program, you'd crash your system.
On her site, invisiblethings.org , security researcher Joanna Rutkowska has built an impressive library of command-line scanning utilities--programs with no graphical interface that look for changes to files or folders made by rootkits.
Some of these tools may lack the spit and polish of BlackLight, but it's heartening to know that at least as much research is going into defeating rootkits as into creating them.