Slashdot Mirror

← Back to Stories (view on slashdot.org)

SysInternals Releases RootkitRevealer

Posted by ryuzaki0 on from the have-you-been-pwn3d-lately dept.

Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."

14 of 260 comments (clear)

  1. Sysinternals is great by Dr.Opveter · · Score: 5, Informative
    I love their stuff

    No really, they have class utilities for free, thanks Sysinternals

    --
    Sample this!
  2. If you run linux by Apreche · · Score: 5, Informative

    If you run linux you can use chkrootkit

    --
    The GeekNights podcast is going strong. Listen!
    1. Re:If you run linux by slavemowgli · · Score: 3, Informative

      You don't need to run Linux for chkrootkit. More or less any Un*x or Un*x-like OS will do fine:

      "chkrootkit has been tested on: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x., NetBSD 1.6.x, Solaris 2.5.1, 2.6, 8.0 and 9.0, HP-UX 11, Tru64 and BSDI."

      --
      quidquid latine dictum sit altum videtur.
    2. Re:If you run linux by Taladar · · Score: 4, Informative

      Don't forget to run it from a known-good live-cd, otherwise it won't do you much good since it is just a script that uses several system programs.

      --
      Linux is not Windows
  3. Re:A level of sophistication? by johndiii · · Score: 5, Informative

    As the sysinternals article suggests, boot from a known clean CD and do an "off-line" system scan. They make the point that it will never be possible to determine with absolute certainty that a system is clean from inside the system.

    --
    Floating face-down in a river of regret...and thoughts of you...
  4. Re:So this is... by interiot · · Score: 3, Informative
    No... Rootkits CHANGE the results of system API calls for everything running on the system, to try to hide the fact that there are suspicious processes and files on your system.

    RootKitRevealer doesn't change any results of API calls at all.

    RootKits are a fairly precisely-defined thing, I don't think there's as much grey area here as you think there is.

  5. Re:Strange... by SpinJaunt · · Score: 5, Informative
    If you are using Windows XP SP2 or Windows 2003 SP1, you'll need to turn off DEP (Data Execution Prevention) by editing your BOOT.INI and have change from
    /noexecute=optin
    to
    /noexecute=AlwaysOff
    http://msdn.microsoft.com/library/default.asp?url= /library/en-us/ddtools/hh/ddtools/BootIni_aff45176 -bd02-43cf-9895-c212fa392de2.xml.asp I had this problem with Daemon tools and Acohol 120%
    --
    /. is good for you.
  6. Microsoft BSA by TheFlyingGoat · · Score: 5, Informative

    While you're at it, download the Microsoft Baseline Security Tool. It's not quite the same, but it's an excellent tool for anyone looking to make their Windows box more secure. It can also scan computers on your network (that you have rights on), so you can easily find all the Windows boxes on your network that aren't up to date on their patches, have Guest accounts enabled, or other bad things.

    --
    You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
  7. Re:About the software by Anonymous Coward · · Score: 4, Informative

    I don't know anything about rootkits, or this software, is it safe to delete everything it detects or is this for people that know exactly what they are looking for and you only delete a couple of things it finds??

    Short answer - no. It will flag stuff that is hidden from the Native Windows API but not everything that's hidden is bad.

    It's kind of a moot point anyway. If you find that you've been rootkitted you shouldn't try and clean it. You should reach for your original install media and start over.

    Alternatively, take off and nuke the site from orbit. Apparently it's the only way to be sure.

  8. Simple, really by sczimme · · Score: 4, Informative


    Why are they called rootkits in windows, when the superuser is called "administrator" and not "root"?

    The entity/app/device known as a rootkit was first popularized (so to speak) as a way for the intruder to hide his tracks and maintain root access on a Unix machine. If rootkits had first become popular (again, so to speak) on Win32 machines they likely would have been called adminkit or similar.

    In a general techspeak sense, though, (root == full access); most techies have at least a nodding acquaintance with Unix so the idea of root makes sense regardless of the OS in question.

    The cynical part of me would like to mention that in years past there really wasn't much need for rootkits on Win32 machines: if the intruder wanted to keep privileged access it would be relatively simple matter to acquire it again.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  9. Sysinternals.com is a Good site by tristanj · · Score: 5, Informative
    Sysinternals has been around a while. These guys really know their stuff when it comes to Windows operating systems.

    Here are some good tools of their that I use frequently

    Autoruns

    http://www.sysinternals.com/ntw2k/freeware/autorun s.shtml shows a complete list of programs that start up automatically when windows starts. Filemon

    http://www.sysinternals.com/ntw2k/source/filemon.s html Filemon shows all filesystem access, so you can see which files programs are accessing. I have found it very useful in diagnosing software problems and fighting spyware. Regmon

    http://www.sysinternals.com/ntw2k/source/regmon.sh tml Like filemon, but for registry access. Shows keys being read and created. Pagedefrag

    http://www.sysinternals.com/ntw2k/freeware/pagedef rag.shtml Defrags the registry hive (most of the registry is stored on disk but is not typically defragmented by many tools) and paging file. Also many others here

    http://www.sysinternals.com/ntw2k/utilities.shtml

    IMHO any windows admin should have this stuff installed. Many of the utils come with source code.

  10. Re:How do you REMOVE a rootkit? by denis-The-menace · · Score: 4, Informative

    Just use MS SOP to fix 99% of problems: Re-install

    This irony here is that it's what you have to do to be 100% sure that no rootkits exists in ANY OS.

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
  11. Re:my office pc is infected = howto remove? by erlenic · · Score: 4, Informative
    The only way to remove a root kit is to format the drive and reinstall the OS. Have fun!

    Seriously though, at least two of those are listed in the article as being fine. Looking over the list, I don't see anything suspicious, and I have many of the same things listed for my system. Although if I'm reading that third line right, you have 9 GBs of bad clusters. You might want to scandisk.

  12. Your system is fine... by Leadhyena · · Score: 5, Informative
    There is nothing wrong with your system. In the .chm file provided with the RootkitRevealer it explains:
    Hidden from Windows API discrepancies are the ones exhibited by most rootkits, however you should expect to see a number of such entries on any NTFS volume since NTFS hides its metada files, such as $MFT and $Secure, from the Windows API. In addition, there are a number of Registry keys that are inaccessible from the Windows API and will report as access-denied discrepancies.
    This explains all of the listed entries except for the last one(the $BADCLUS entry is due to missing clusters, like the previous poster said, and you need to do a scandisk). Your last entry is there because you had Firefox open when you ran the scan. Again from the help file:
    Files or Registry data created after a scan starts will also show up as discrepancies, so run RootkitRevealer on an idle system.
    You're fine, although your reaction will be similar to many other users who will see the same thing and freak out similarly, because they don't understand NT internals... I think this is not a good tool to release to the masses, and should only be used by sysadmins, just like how HijackThis is really good for detecting spyware, but only to someone who knows something about Windows systems.

    Not to mention that if you have a rootkit installed, you better be prepared to wipe your system clean and reinstall the OS, because otherwise there's no way of knowing if you have the whole thing removed.