SysInternals Releases RootkitRevealer 260

Posted by CmdrTaco
from the have-you-been-pwn3d-lately dept.
Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."
  • Strange... (Score:5, Funny)

    by bigtallmofo (695287) on Wednesday February 23, 2005 @11:00AM (#11755236)
    Every time I try to go to www.sysinternals.com to find the new Rootkit removal application, my system shuts down automatically.

    Probably nothing to worry about.
  • by Dr.Opveter (806649) on Wednesday February 23, 2005 @11:01AM (#11755252)
    I love their stuff [sysinternals.com]

    No really, they have class utilities for free, thanks Sysinternals

    • by cnettel (836611) on Wednesday February 23, 2005 @11:09AM (#11755335)
      Agreed.

      One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

      • Incompatible? (Score:5, Insightful)

        by gr8_phk (621180) on Wednesday February 23, 2005 @11:34AM (#11755557)
        "It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

        I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

        • Re:Incompatible? (Score:4, Interesting)

          by cnettel (836611) on Wednesday February 23, 2005 @01:04PM (#11756596)
          Possibly. But what I was talking about is that some sysinternals tools overload/hook certain kernel calls. The system call tables are, IIRC, write protected even from the kernel once the kernel has been loaded in the current/coming Win64 editions.
    • by gowen (141411)
      A screen saver that fakes Windows system crashes? xscreensaver has had one of those [brown.edu] for years. (It also simulates Linux and Solaris kernel dumps, Macintosh Bombs, Amiga Guru Meditations and others)
  • by Anonymous Coward on Wednesday February 23, 2005 @11:03AM (#11755275)

    Wow. Pop-up blocking, rootkit detection, basic network security... isn't it amazing how an enormous patent library and billions of dollars encourages so much innovation? It's like they're ten years ahead of everyone else.

    Wait... no, the other way around...

    Free Sony PSPs [tinyurl.com]. It's real. It's here.

  • Rootkit? (Score:5, Funny)

    by Fls'Zen (812215) on Wednesday February 23, 2005 @11:04AM (#11755286) Homepage
    I didn't think people needed rootkits for windows...
  • by JustNiz (692889) on Wednesday February 23, 2005 @11:05AM (#11755288)
    >> RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level,

    So this is a rootkit in itself.

    I don't know that I'd trust Microsoft any more than anyone else running rootkits on my system.
    • Re:So this is... (Score:4, Informative)

      by interiot (50685) on Wednesday February 23, 2005 @11:11AM (#11755352) Homepage
      No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

      RootKitRevealer doesn't change any results of API calls at all.

      RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

  • handy (Score:5, Insightful)

    by diegocgteleline.es (653730) on Wednesday February 23, 2005 @11:05AM (#11755289)
    This will be interesting as soon as spyware starts using rootkits in windows.

    You know, Microsoft is securing (really) XP with SP2, popup blockers, restrictions on ActiveX objects... which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's lots of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs... (and if today's spyware is very poorly designed and can break your IE even when they don't really want that, guess how systems will start to break if rootkits start being used....)
    • Speaking of running as Administrator, or having to in some cases, did you ever see the docs that show the hoops you have to go through to run Visual Studio as a non-administrator non-Admin [microsoft.com]? While I cannot speak for Delphi 2005, Delphi 7 has this same problem to some extent. Sometimes it's a pain in the ass to not run as Administrator. That needs to be fixed.

      • It should also be noted that "fixing" this problem should not consist of granting higher rights to the User group.

        The "Designed for Windows XX" logo signifies (at least in the NT variants) that a program can be run by anyone in the User group. I read somewhere what this entails (not writing to certain portions of the registry comes to mind), but I'm sure someone will follow up with that information.

        I can understand VS not running under the User group -- there's a need to develop for users who aren't going
        • Re:handy (Score:4, Interesting)

          by arkanes (521690) <arkanes@@@gmail...com> on Wednesday February 23, 2005 @11:37AM (#11755579) Homepage
          Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.
          • Amusing, but utterly false.

            The Microsoft Catalogue lists products which meet the "designed for" standards. This search [microsoft.com] should find Office 2003, note the "Designed For" logo to the right. You can do similar searches for other products (I checked Office XP) - everything I looked up was certified.
            • I didn't say they didn't brand it, I said it didn't qualify. It's not especially surprising, MS is hardly rigid about compliance with the logo, at least with its big business partners. Apple is the same way, except they actually change the HIG every time they decide to violate it (the creep of the "allowed" scope of brushed metal being the most obvious).
          • Re:handy (Score:4, Interesting)

            by stevenbdjr (539653) <steven@mrchuckles.net> on Wednesday February 23, 2005 @01:57PM (#11757195) Homepage
            I don't know how your system is configured, but on my network all of my users run with non-privileged (read Users) accounts and can run Office 2000, XP, and 2003 just fine.
    • I think it's a good thing. While the system should've been secure in the first place, it is better that the system gets a trial by fire against (relatively) benign nuisance spyware programs than they go undetected until something really destructive comes along.

      think of spyware as the common cold- ever evolving, practically undefeatable, but essentially just a periodic nuisance that keeps the immune system on its toes...
    • Re:handy (Score:3, Insightful)

      by Tim C (15259)
      The real problem isn't people running as administrator; I do so at work and at home with no problems. The problem is naive computer users who run/install content from untrusted sources, don't run (up to date) AV software, don't use a firewall, etc.

      Even a system with zero exploits will not be safe from an incautious/careless user with the admin password. Even if all IE, ActiveX, etc holes are plugged, malware will still be installed piggy-backing on or masquerading as legitimate software installations.

      MS ha
    • It's really the developers I think at fault now.. how many programs just refuse to run as non-admin? There are quite a few, and I don't think any of those are MS (short of needing to install something).

      Seriously, how do you expect to be able to run as non-admin when something as simple as The Sims needs to be admin so it can download the latest patches (which are released about once a week or so)?
  • by Apiakun (589521) <tikora AT gmail DOT com> on Wednesday February 23, 2005 @11:06AM (#11755301)
    defeating their tool would require a level of sophistication not yet seen

    What, until tomorrow?
    • They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen.

      Now that's some interesting circular logic.

      "We haven't seen the kind of rootkit that we wouldn't be able to detect. Therefore such a rootkit does not exist. QED."

      -Adam
  • If you run linux (Score:5, Informative)

    by Apreche (239272) on Wednesday February 23, 2005 @11:06AM (#11755307) Homepage Journal
    If you run linux you can use chkrootkit [chkrootkit.org]
  • LOL (Score:2, Funny)

    by http101 (522275)
    "RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com."

    So it's kinda like telling my computer to turn its head and cough, right? *squeeze*
  • ...and goes by the alias "SysInternals".

    Forget the vatican and mecca, point your browsers to http://www.sysinternals.com and pay homage.
  • About the software (Score:2, Interesting)

    by JordanAU (855885)
    I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds?? In other words is it foolproof?? I'm sorry that was a bad question. How foolproof is it??
    • by Anonymous Coward on Wednesday February 23, 2005 @11:38AM (#11755588)
      I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds??

      Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.

      It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.

      Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.
    • In your case, the answer is simple: don't use this software, it's not for you. It's a tool for skilled admins, not a point & click "removal" tool like Spybot.
  • If you detect my rootkit, I will become more powerful than you can possibly imagine.

    This really does feel like raising the stakes (or poking a bear with one, regardless).

    Unavoidable, I suppose. <sigh>
  • Just waiting for a root kit that fdisks, makes a partition at the end, and hides there. Would standard MBR scans catch that?
    • It still has to modify system files to do anything.
    • Re:Like a partition? (Score:4, Interesting)

      by Geek of Tech (678002) on Wednesday February 23, 2005 @12:16PM (#11755991) Homepage Journal
      Nah. I'm waiting for one that converts the filesystem to an encrypted filesystem of its own, and makes all disk access go through itself first.

      No way will it let you remove itself. If you boot off of some sort of safe media and delete the thing, the computer no longer has the ability to read any of its data.

      Yeah, I know I messed up the jargon, but I'm sure I'll be corrected on that. :P

      • So basically, you're waiting for a boot sector virus of old. There were a few that did exactly that. Booting off of safe media alone would render the drive unreadable.

        Of course, it sounds like you're referring to one running under windows, which means at least part of the filesystem would need to be unencrypted for windows to be able to load and then load the virus drivers (well, unless the virus could somehow place its own load before windows... but I'm not sure how feasible that would be). So otherw
    • by Technician (215283)
      Would standard MBR scans catch that?


      It would be hard to hide from any Linux Live CD's. You boot a read only file system (not modifiable by a bug), load a trusted application (FDISK or Disk Druid) and check the partition table. Not much can hide from a scan from a non-compromised OS.
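The offline check Technician describes, booting trusted read-only media and reading the partition table with a tool you trust, applied to the earlier question about a rootkit that carves out a partition at the end of the disk. This is an added Python example, not code from the thread; the MBR bytes, partition layout and disk size are constructed.

```python
"""Read a classic MBR partition table and report what is allocated and what
is not, the way an offline check from read-only media sees the disk.
Layout: four 16-byte entries at offset 446, signature 0x55AA at offset 510.
The MBR below is constructed, not read from a real disk."""
import struct

ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector):
    """Return the non-empty partition entries, sorted by starting LBA."""
    if len(sector) != 512 or sector[510:512] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "type": ptype, "start": lba,
                          "end": lba + count, "bootable": status == 0x80})
    return sorted(parts, key=lambda p: p["start"])

def unallocated_ranges(parts, disk_sectors, first_usable=63):
    """Sector ranges no table entry claims: before, between, or after the
    partitions. Data parked outside the table, or a partition the owner never
    created, both stand out when this output is compared against what the
    owner expects (first_usable=63 is the classic CHS-era alignment)."""
    gaps, cursor = [], first_usable
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors))
    return gaps

def build_mbr(entries):
    """Constructed MBR from (type, lba_start, sector_count, bootable) tuples."""
    sector = bytearray(512)
    for i, (ptype, lba, count, bootable) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype,
                         b"\0\0\0", lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

DISK_SECTORS = 20_000_000  # constructed: about 9.5 GiB of 512-byte sectors
SAMPLE_MBR = build_mbr([
    (0x07, 63, 8_000_000, True),           # NTFS system partition
    (0x0B, 8_000_063, 6_000_000, False),   # FAT32 data partition
])
# About 6 million sectors at the end of this disk belong to no partition.

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"entry {p['index']} type 0x{p['type']:02x} sectors {p['start']}-{p['end']}")
    for lo, hi in unallocated_ranges(parts, DISK_SECTORS):
        print(f"unallocated: sectors {lo}-{hi} ({(hi - lo) * 512 // 2**20} MiB)")
```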
  • Microsoft BSA (Score:5, Informative)

    by TheFlyingGoat (161967) on Wednesday February 23, 2005 @11:19AM (#11755415) Homepage Journal
    While you're at it, download the Microsoft Baseline Security Tool [microsoft.com]. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.
  • Funny enough, when I tried to run RootKit Revealer, I got the 'Root kit detection utility has encountered a problem and needs to close. We are sorry for the inconvenience.' Error. Not that that's suspicious, or anything like that...
  • how about a live cd? (Score:2, Interesting)

    by zerkon (838861)
    waiting for the whoppix project to produce a livecd distro I can just pop in...
  • Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?
    • by tverbeek (457094) on Wednesday February 23, 2005 @11:35AM (#11755562) Homepage
      Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

      For the same reason trackpads, wireless pointing devices, and such are called "mice", even though they look nothing like a mouse.... why solid state storage devices are called "flash disks" or "flash drives", even though there's nothing flat and circular in them and no moving parts... why the stuff in the middle of pencils is called the "lead", even though it's mostly graphite... why magazines featuring stories told with sequential art are called "comic books", even though they're usually not humorous.

    • Simple, really (Score:5, Informative)

      by sczimme (603413) on Wednesday February 23, 2005 @11:40AM (#11755604)

      Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

      The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

      In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

      The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again.
      • "The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be a relatively simple matter to acquire it again."

        That's more optimistic than cynical. It means that security is improving when the black hats have to step it up a notch.
    • Because "rootkit" sounds cool, like a plumber's tool or some sort of kinky sexual practice.
    • The real superuser is actually called SYSTEM.
  • Reputation Counts (Score:5, Insightful)

    by Ridgelift (228977) on Wednesday February 23, 2005 @11:26AM (#11755485)
    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use Sysinternals' over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals" [sysinternals.com]. They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS [sysinternals.com] have saved my butt in the field.

    Way to go Sysinternals.
    • "They put their name on everything they give away and sell."

      Yeah, but do we really need to be reminded of their name each time you use one of their commands? There must be some book somewhere that someone at Microsoft wrote that defines how to write command-line utilities in the most annoying method possible.

      Agreed that Sysinternals does provide useful utilities, but I think what's being overlooked is that it's left to someone else to provide the basic (rudimentary, actually) toolset Microsoft seems conge
    • Unfortunately, if microsoft released a rootkit detection tool they would leverage their os to gain market share for their rootkit detection tool until such time as their competitors stopped producing competing tools, then the microsoft rootkit detection tool would stagnate.
      Also, with a single dominant detection tool out there, it would make the lives of rootkit authors much easier since they'd only need to test their kit against one tool and make sure that tool couldn't detect it.
  • Ok. So I ran the utility and got 33 discrepancies. Some look like they are probably default MS stuff (as described on the sysinternals site). But not all. But how do I tell what those other things are? Are they a rootkit, or just a normal part of Windows?
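The cross-view comparison the summary describes, interiot's point that a rootkit alters what API calls return, and the caveat in the replies above that not every hidden item is malicious (so a scan's discrepancies still need triage), shown as an added Python example. It is not code from the thread or from Sysinternals; the two snapshots and the benign-prefix allowlist are constructed placeholders.

```python
"""Cross-view discrepancy check, in the style RootkitRevealer is described
as using: one snapshot taken through the high-level API, one taken from
raw on-disk structures. Everything below is constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Discrepancy:
    kind: str   # "hidden-from-api", "visible-only-to-api" or "metadata-mismatch"
    path: str
    note: str   # "documented" for allowlisted items, otherwise "investigate"

# Hypothetical allowlist of discrepancies a tool's documentation might call
# normal (a constructed placeholder; the real list lives in the tool's docs).
KNOWN_BENIGN_PREFIXES = ("HKLM\\SECURITY\\Policy\\Secrets",)

def cross_view_diff(api_view, raw_view, allowlist=KNOWN_BENIGN_PREFIXES):
    """Compare two {path: metadata} snapshots.

    For files the metadata is the byte size; for registry keys it is the
    number of values. A hooked API can hide a path outright, fabricate one,
    or lie about its metadata, and each case is reported separately."""
    findings = []
    for path in sorted(set(api_view) | set(raw_view)):
        in_api, in_raw = path in api_view, path in raw_view
        if in_api and in_raw:
            if api_view[path] != raw_view[path]:
                findings.append(Discrepancy("metadata-mismatch", path, "investigate"))
        elif in_raw:
            note = "documented" if path.startswith(allowlist) else "investigate"
            findings.append(Discrepancy("hidden-from-api", path, note))
        else:
            findings.append(Discrepancy("visible-only-to-api", path, "investigate"))
    return findings

def suspicious(findings):
    """Only the discrepancies not covered by the allowlist."""
    return [f for f in findings if f.note == "investigate"]

# Constructed snapshots. The raw view carries a driver the API does not list,
# one more value under the Run key than the API admits to, and an allowlisted
# key; the API view lists a driver that is not on disk at all.
API_VIEW = {
    "C:\\Windows\\system32\\ntoskrnl.exe": 2_180_096,
    "C:\\Windows\\system32\\drivers\\tcpip.sys": 359_040,
    "C:\\Windows\\system32\\drivers\\ghost_example.sys": 12_288,
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": 3,
}
RAW_VIEW = {
    "C:\\Windows\\system32\\ntoskrnl.exe": 2_180_096,
    "C:\\Windows\\system32\\drivers\\tcpip.sys": 359_040,
    "C:\\Windows\\system32\\drivers\\hidden_example.sys": 45_056,
    "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": 4,
    "HKLM\\SECURITY\\Policy\\Secrets\\example": 0,
}

if __name__ == "__main__":
    for f in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{f.kind:22} {f.note:12} {f.path}")
```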
  • Paranoid? (Score:3, Interesting)

    by DoChEx (558465) on Wednesday February 23, 2005 @11:30AM (#11755514)
    Is it just me or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect but you'll never have a completely safe system, so long as the user operating it has system administrator privileges. Trusted computing or the solution to the above problem is to implement security access that even the owner of the system is deemed untrustworthy.
    • >I know the current software isn't perfect but you'll never have a completely safe system, so long as the user operating it has system administrator privileges.

      So don't give users root access. You don't need some sort of hardware DRM crap to do that.

      >you'll never have a completely safe system ...period. No need to add conditions to that.

      Why would shifting more responsibility onto a vendor that's legendary for shipping buggy, insecure software make the system more secure?
  • But Crucial Security has a tool called Crucial ADS which scans for alternative data streams in NTFS volumes. http://www.crucialsecurity.com/downloads.html
  • by scovetta (632629) on Wednesday February 23, 2005 @11:49AM (#11755710) Homepage
    Google and Sysinternals are the only two companies that always make me feel good about being a Computer Scientist.

    If I were Google, I'd buy Sysinternals and have them help build GoogleOS.
  • by tristanj (797805) on Wednesday February 23, 2005 @11:52AM (#11755734)
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of theirs that I use frequently:

    Autoruns
    http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml [sysinternals.com]
    Shows a complete list of programs that start up automatically when Windows starts.

    Filemon
    http://www.sysinternals.com/ntw2k/source/filemon.shtml [sysinternals.com]
    Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware.

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml [sysinternals.com]
    Like Filemon, but for registry access. Shows keys being read and created.

    Pagedefrag
    http://www.sysinternals.com/ntw2k/freeware/pagedefrag.shtml [sysinternals.com]
    Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file.

    Also many others here:
    http://www.sysinternals.com/ntw2k/utilities.shtml [sysinternals.com]

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

  • by Eric_Cartman_South_P (594330) on Wednesday February 23, 2005 @11:52AM (#11755743)
    This is good and all, but how do you remove a Rootkit if it finds one?
  • by TheDoctorWho (858166) on Wednesday February 23, 2005 @12:06PM (#11755886)
    For the hacker, priceless. This really accomplishes so little. Sure, here are your 'discrepancies', but they might not be that at all. Mostly pointless. A good step, but only something the hackers will get control of well before this becomes mainstream.
  • I'd want to test it against the following scenarios, before I'd have much confidence:
    • Polymorphic viruses/rootkits (work by having self-modifying and/or self-encrypting code)
    • Stealth viruses/rootkits (work by intercepting syscalls and reads, making it appear that the values are normal)
    • Dead-Space viruses/rootkits (dead-space exists because file boundaries aren't the same as sector boundaries or (for FAT-based systems) the same as cluster boundaries - this memory is free to use by viruses, but would be inv
    • Polymorphic: Useless because the scanner would check for the original binaries. If the checksum doesn't match a known good list -> alert. Viruses don't bother with polymorphism anymore since scanner manufacturers defeat these schemes easily these days.

      Stealth: ALL rootkits are stealth (hide their presence). That's the whole point of a rootkit.

      Dead space: Rubbish, data in dead space is never executed. It would have to be bootstrapped by normally visible code which is detected in the usual ways.

      Bad secto
  • by os2fan (254461) on Wednesday February 23, 2005 @07:09PM (#11760633) Homepage

    Root

    In australia, root has several meanings, not at all nice. The sense is similar to f**k.

    • to have sex for the animal pleasure
    • to stuff up

    Accordingly something like root user has the connotation of one that roots your system.

    SysIntern RootKitRevealer

    I have a fairly typical multi-boot system, with two FAT16 partitions, a FAT32 partition, a reserved BeOS partition, a HPFS partition, and the usual swag of NTFS partitions.

    The disk has been showing signs of corruption [bad sectors], and a replacement is in hand: already bought, but there are some backup questions.

    RootkitRevealer had problems scanning the registry. (I suspect one of the registry hives is not well placed on the filesystem.) On the other hand, I ran the thing from BartPE (it works), and it revealed a whole swag of OS/2 binaries, but I don't know if OS/2 or Windows placed them there. They were meant to be there, by the way. Apart from the metadata files in each partition, there were error messages from non-accessible partitions (like F: (HPFS) and H: (unformatted = BeOS)).

  • memory hog (Score:3, Insightful)

    by v1x (528604) on Wednesday February 23, 2005 @07:33PM (#11760829) Homepage
    I suppose this program loads the entire system hives into the memory at the same time, but my task manager is showing this program using 89Mb RAM & 82Mb virtual memory right now while the scan is running.

    Now, if I had to defeat this detection utility, maybe all I need is something that monitors processes that use RAM in this fashion.
