Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about.
The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.
Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other.
A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.
There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.
BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising, particularly because it's from SoftWin, makers of BitDefender.
http://download.bitdefender.com/windows/desktop/internet_security/beta/
DarkSpy, from DarkSpy Security Group
This tool is from a group of Chinese security researchers that I'm unfamiliar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; however, it might give you a little comfort to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary. Click the second URL under the Helios entry below to link to that mention.
http://www.fyyre.net/~cardmagic/index_en.html
F-Secure BlackLight
This is a standalone "trialware" tool, meaning that it periodically expires after a certain date--currently October 1. It's also a standard component of F-Secure's Internet Security 2006 package.
http://www.f-secure.com/blacklight/blacklight.html
GMER, from an unknown independent Polish developer
Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action. So you can get a good idea of what it's like before using it.
http://www.gmer.net
Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, in which you can also see some screen shots of the tool in action. http://helios.miel-labs.com
http://isc.sans.org/diary.php?storyid=1487
IceSword, by Xfocus Team
IceSword has proven useful to many security administrators. Xfocus is a group of Chinese security researchers, and while the site is written in Chinese, you can use AltaVista's Babel Fish Translation engine (at the second URL below) to view it in English. You can also use Babel Fish to translate the Chinese documentation. http://www.xfocus.net/tools/200509
http://babelfish.altavista.com/babelfish/tr?trurl=http://www.xfocus.net/tools/200509/&lp=zt_en
RKDetector, by Miguel Tarasco Acuna
This toolkit comes in two parts: A file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry, and the IAT analyzer scans memory space for alterations that would allow rootkits to hook into the system. Screen shots are available to give you a good idea of what the tool looks like. http://www.rkdetector.com
RootKit Hook Analyzer, from Resplendence Software Projects
Although most rootkit detection tools look at kernel hooks, the file system, the registry, user accounts, and so on, this particular tool focuses exclusively on kernel hooks. http://www.resplendence.com/hookanalyzer
RootkitRevealer, from Sysinternals
A tool written by Mark Russinovich and Bryce Cogswell, two very well known Windows experts. http://www.sysinternals.com/Utilities/RootkitRevealer.html
Rootkit Unhooker, from UG North
Although I have no idea who UG North is, the tool looks promising. It checks for unwanted processes and system hooks and can help terminate such processes.
http://www.rkunhooker.narod.ru
Sophos Anti-Rootkit
This standalone tool offers both a GUI and a command line version and is similar to the antirootkit technology built into the Sophos Anti-Virus for Windows solution.
http://sophos.com/products/free-tools/sophos-anti-rootkit.html
System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools specifically look for hidden files and at various system components that might be modified by various rootkit techniques. Source code is included. Rutkowska is a well-known researcher. http://www.invisiblethings.org/tools.html
UnHackMe, from Greatis Software
While all the other listed tools are free, this tool is priced starting at $19.95 for a single license. You can view screen shots of the tool to see what it looks like and download a working demo if you're interested.
http://greatis.com/unhackme
Register
http://www.antirootkit.com/software/index.htm
cfrankb August 31, 2006 (Article Rating: