SysInternals Releases RootkitRevealer
Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."
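The comparison the summary describes, written out as an added PowerShell example (this is not SysInternals' code and not how RootkitRevealer is implemented internally): a "high-level" listing taken through the Windows API is diffed against a "low-level" listing of the same directory taken by reading the volume directly, and each discrepancy is classified. The enumeration hook, the `$rk_` prefix, the file names and the sizes below are all constructed for the demo; a real low-level view would come from a raw NTFS or registry-hive parser, which is not shown.

```powershell
# Added example: cross-view discrepancy detection. Anything the raw read sees
# that the API does not is hidden from the API (the rootkit case); anything the
# API reports that the raw read lacks is a phantom (usually a file created
# between the two scans); size disagreements hint at a filter driver or a
# patched file. -KnownBenign downgrades items an analyst already explained,
# because not everything hidden from the API is malicious.
function Compare-CrossView {
    param(
        [Parameter(Mandatory)] [hashtable] $HighLevel,   # name -> size, via the Windows API
        [Parameter(Mandatory)] [hashtable] $LowLevel,    # name -> size, via a raw volume read
        [string[]] $KnownBenign = @()
    )
    $rank = @{ High = 0; Medium = 1; Low = 2; Info = 3 }
    $findings = New-Object System.Collections.Generic.List[object]
    foreach ($name in $LowLevel.Keys) {
        if (-not $HighLevel.ContainsKey($name)) {
            $sev = if ($KnownBenign -contains $name) { 'Info' } else { 'High' }
            $findings.Add([pscustomobject]@{ Name = $name; Kind = 'HiddenFromApi'
                Detail = "raw size $($LowLevel[$name])"; Severity = $sev })
        } elseif ($HighLevel[$name] -ne $LowLevel[$name]) {
            $findings.Add([pscustomobject]@{ Name = $name; Kind = 'SizeMismatch'
                Detail = "api $($HighLevel[$name]) vs raw $($LowLevel[$name])"; Severity = 'Medium' })
        }
    }
    foreach ($name in $HighLevel.Keys) {
        if (-not $LowLevel.ContainsKey($name)) {
            $findings.Add([pscustomobject]@{ Name = $name; Kind = 'PhantomInApi'
                Detail = "api size $($HighLevel[$name])"; Severity = 'Low' })
        }
    }
    $findings | Sort-Object { $rank[$_.Severity] }, Name
}

# Constructed stand-in for a rootkit's directory-enumeration hook: every name
# carrying the (invented) prefix '$rk_' is dropped from what the API returns.
function Get-HookedView {
    param([hashtable] $RawView, [string] $HiddenPrefix = '$rk_')
    $view = @{}
    foreach ($name in $RawView.Keys) {
        if (-not $name.StartsWith($HiddenPrefix)) { $view[$name] = $RawView[$name] }
    }
    $view
}

# Constructed sample listing as a raw NTFS parser would see it.
$raw = @{
    'ntoskrnl.exe'   = 2189184
    'hal.dll'        = 135680
    '$rk_driver.sys' = 40960
    '$rk_config.ini' = 512
}
$api = Get-HookedView -RawView $raw
$api['tmp_scan.log'] = 128    # created between the two scans: API sees it, raw read did not
$api['hal.dll']      = 135936 # API reports a different size than the raw read

# '$rk_config.ini' stands for a hidden item the analyst already pulled and examined.
Compare-CrossView -HighLevel $api -LowLevel $raw -KnownBenign @('$rk_config.ini') |
    Format-Table -AutoSize
```

Running this lists `$rk_driver.sys` as High (hidden from the API, unexplained), `hal.dll` as Medium (size mismatch), `tmp_scan.log` as Low (phantom) and `$rk_config.ini` as Info. The point the tool's authors make still applies: a rootkit that hooks the raw read path as well as the API would make both views agree, which is why the same comparison is stronger when the low-level view comes from a separate boot.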
Sysinternals is great (Score:5, Informative)
No, really: they have class utilities for free. Thanks, Sysinternals.
Re:So this is... (Score:4, Informative)
RootKitRevealer doesn't change any results of API calls at all.
RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.
Re:If you run linux (Score:4, Informative)
"chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."
Re:Um (Score:1, Informative)
The point of a rootkit is to subvert the system at such a deep level that tools like tripwire are fooled.
Re:About the software (Score:4, Informative)
Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.
It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.
Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.
Simple, really (Score:5, Informative)
Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?
The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.
In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.
The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access, it would be a relatively simple matter to acquire it again.
Sysinternals.com is a Good site (Score:5, Informative)
Here are some good tools of theirs that I use frequently:
Autoruns
http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml shows a complete list of programs that start up automatically when Windows starts.
Filemon
http://www.sysinternals.com/ntw2k/source/filemon.shtml Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.
Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml Like Filemon, but for registry access. Shows keys being read and created.
Pagedefrag
http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml Defrags the registry hives (most of the registry is stored on disk but is not typically defragmented by many tools) and the paging file.
Also many others here:
http://www.sysinternals.com/ntw2k/utilities.shtml
IMHO any Windows admin should have this stuff installed. Many of the utils come with source code.
Re:A level of sophistication? (Score:2, Informative)
The problem is that Windows takes over completely: it switches into protected mode, overwrites all memory and generates its own interrupt vector table. Hiding from Windows wouldn't be too hard; you'd just hook the BIOS to tell it not to use bits of memory when NTDETECT runs. The problem would be getting your code to run after Windows loads.
Actually, you could imagine a virus that virtualises the CPU (maybe with the Vanderpool stuff). That way you'd get called whenever Windows did some trappable operation like changing the page table. You'd wait until the system structures have stabilised and then install your API hooks.
It's non-trivial, though.
Re:How do you REMOVE a rootkit? (Score:5, Informative)
The irony here is that this is what you have to do to be 100% sure that no rootkit exists in ANY OS.
Re:my office pc is infected = howto remove? (Score:4, Informative)
Seriously though, at least two of those are listed in the article as being fine. Looking over the list, I don't see anything suspicious, and I have many of the same things listed for my system. Although if I'm reading that third line right, you have 9 GBs of bad clusters. You might want to scandisk.
Re:An argument in favor of NTFS (Score:2, Informative)
Most people who run XP don't use a bootmanager, so the mere presence of one should be enough to ask the user why it's there, with the default action to disable it by installing the standard MBR / bootsector.
Oh, and Microsoft kernel-mode binaries have been public-key signed since Windows 2000, so you don't need MD5/SHA; you can see if they are haxored or not by checking the signature.
Interestingly enough, you can do Start->Run sigverif.exe on a live system. The problem with sigverif is that it dumbly scans the Windows directory for all files, not just the critical ones. I get warnings on a bunch of DLLs because they came with ancient 3rd-party software.
Signature verification is the way to check the files from a bootdisk like BartPE or WinPE, though it would need to be a bit smarter than sigverif.
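A narrower check of the kind the comment above asks for, as an added PowerShell example (not sigverif, and not from the thread): it verifies Authenticode signatures on kernel-mode binaries only, and can be pointed at a Windows directory on a volume mounted from WinPE or BartPE via -Root. The file list and the expected publisher names are assumptions for the demo. Two caveats a practitioner should keep in mind: the trust chain is evaluated against the trust store of the system running the script, not the offline one, and catalog-signed in-box files can report as NotSigned on older PowerShell versions, so NotSigned is a lead to follow up, not a verdict.

```powershell
# Added example: Authenticode check restricted to kernel-mode binaries.
# Status values come from Get-AuthenticodeSignature. 'HashMismatch' is the
# case that matters most here: a signature is present but the file contents
# no longer match it, i.e. the binary was altered after Microsoft signed it.
function Test-KernelBinarySignatures {
    param(
        [string] $Root = $env:SystemRoot,   # e.g. 'D:\Windows' for an offline volume
        # Assumption for the demo: signer CNs we expect on in-box kernel components.
        [string[]] $Publishers = @('Microsoft Windows', 'Microsoft Corporation')
    )
    # Assumption: the set of critical files; extend as needed.
    $paths = @(
        (Join-Path $Root 'System32\drivers\*.sys'),
        (Join-Path $Root 'System32\ntoskrnl.exe'),
        (Join-Path $Root 'System32\hal.dll'),
        (Join-Path $Root 'System32\win32k.sys')
    )
    Get-ChildItem -Path $paths -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            $knownPublisher = $false
            foreach ($p in $Publishers) {
                if ($signer -like "*CN=$p*") { $knownPublisher = $true }
            }
            $concern = switch ($sig.Status) {
                'Valid'        { if ($knownPublisher) { 'None' } else { 'ReviewSigner' } }
                'HashMismatch' { 'Tampered' }
                'NotSigned'    { 'Unsigned' }
                default        { 'CheckManually' }   # UnknownError, NotTrusted, Incompatible, ...
            }
            [pscustomobject]@{
                File    = $_.FullName
                Status  = $sig.Status
                Signer  = $signer
                Concern = $concern
            }
        } |
        Where-Object Concern -ne 'None' |
        Sort-Object Concern, File
}

# Live system: check the running Windows installation.
Test-KernelBinarySignatures | Format-Table -AutoSize

# From WinPE with the suspect volume mounted as D:, check it offline instead:
# Test-KernelBinarySignatures -Root 'D:\Windows' | Format-Table -AutoSize
```

Only files that need a look are returned, which is the difference from sigverif: a validly signed Microsoft driver produces no row, an unsigned third-party driver produces an `Unsigned` row to triage, and a `Tampered` row on something like ntoskrnl.exe is the finding that should send you to the reinstall media.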
Your system is fine... (Score:5, Informative)
Not to mention that if you have a rootkit installed, you better be prepared to wipe your system clean and reinstall the OS, because otherwise there's no way of knowing if you have the whole thing removed.
Re:handy (Score:2, Informative)
Can you explain how it doesn't qualify? I think you may be confused: you mentioned non-compliance with the HIG, but the HIG isn't referenced at all from the "Designed for Windows XP" specification.
Take a look at the Designed for Windows XP Application Specification and let us know which bit you think Office doesn't comply with.
Re:I wonder how well this would work. (Score:3, Informative)
Stealth: ALL rootkits are stealth (hide their presence). That's the whole point of a rootkit.
Dead space: Rubbish, data in dead space is never executed. It would have to be bootstrapped by normally visible code which is detected in the usual ways.
Bad sector: See dead space
Virtual system: See stealth
All in all I'd say your post is somewhat overrated
Re:If you run linux (Score:2, Informative)
http://www.rootkit.nl/projects/rootkit_hunter.htm