Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Rootkits revealed

Wednesday, February 23, 2005 Comments

 .NET  ArchitecturePatterns  Security 
Share:   Share on LinkedIn    Share on Twitter    Share on Facebook   

Daniele Muscetta (of Microsoft) posted a nice summary of some recent articles on Rootkits. He also included information on SysInternals' latest tool:

Also, Sysinternals has released today a Rootkit detector (looks like RootKits are finally getting a lot of attention these days...)

Nice tool. The RootKit Detector looks like it performs similar to GhostBuster, except without the CD reboot. It does a Windows API scan and then compares results to a file scan, all within the same OS session. While this is a good attempt to catch Rootkits, it can be argued it is not as ideal a solution as the CD reboot/offline scan found with GhostBuster. Here is an interesting blurb from the RootKit Detector's documentation:

Is there a sure-fire way to know of a rootkit's presence?

In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer can be compromised. While comparing an on-line scan of a system an off-line scan from a secure environment such as a boot into an CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.

Unfortunately, the on-line/off-line method used by GhostBuster is not publically available from Microsoft Research (see Bruce Schneier's request for this). Hopefully we will have this kind of version available from someone soon.

Share:   Share on LinkedIn    Share on Twitter    Share on Facebook