Slashdot Mirror


SysInternals Releases RootkitRevealer

Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."

18 of 260 comments

  1. handy by diegocgteleline.es · · Score: 5, Insightful

    This will be interesting as soon as spyware starts using rootkits in Windows.

    You know, Microsoft is securing (really) XP with the SP2, popup blockers, restrictions on ActiveX objects....which is great, but Microsoft has allowed a whole industry to grow - the spyware industry. There's a lot of money there and they aren't going to stop so easily, they'll try other methods, and the fact that 99% of XP users run with administrator privileges is too sexy, it allows you to reach the kernel, where you're god and you can bypass spyware/virus programs...(and if today's spyware is very poorly designed and can break your IE even when they don't really want that, guess how systems will start to break if rootkits start to be used....)

    1. Re:handy by Tim+C · · Score: 2, Insightful

      The real problem isn't people running as administrator; I do so at work and at home with no problems. The problem is naive computer users who run/install content from untrusted sources, don't run (up to date) AV software, don't use a firewall, etc.

      Even a system with zero exploits will not be safe from an incautious/careless user with the admin password. Even if all IE, ActiveX, etc holes are plugged, malware will still be installed piggy-backing on or masquerading as legitimate software installations.

      MS hasn't allowed the industry to grow, they just gave it a nice, easy start in life. The crap would still have been developed without their inadvertent help.

    2. Re:handy by skubeedooo · · Score: 2, Insightful

      I meant more in terms of privacy than persistence. For example, if someone gets access to your bank details, you could become very poor very quickly. I'm not sure what bank policy is about this, but I imagine you are treading on thin ice. If one's home-made films stored on one's home computer got stolen, this could also cause a big problem. There are lots of other important privacy things like this (unrelated to big-brother tinfoiling bullshit); I'm sure you can think of more.

  2. Re:A level of sophistication? by LiquidRaptor · · Score: 2, Insightful

    Yeah, but at the moment this is a BIG help for people, plus I'm sure that as new rootkits become available they'll update this puppy. But it's not like Linux doesn't have its own rootkit detector http://sourceforge.net/projects/checkps/. Any server operating system is eventually going to have exploits if it's got any use, it's a fact of life, this tool helps find out if you got rooted, no more no less.

  3. Re:Rootkit? by slavemowgli · · Score: 5, Insightful

    Why not? The purpose of a rootkit is usually not so much to take over a box (trivial on a standard Windows installation), but rather to hide the fact that such a take-over occurred.

    --
    quidquid latine dictum sit altum videtur.
  4. Re:Sysinternals is great by cnettel · · Score: 4, Insightful

    Agreed.

    One can note that Microsoft is stopping some kinds of hooking of individual kernel functions in the AMD64 release of XP. It's motivated by the fact that it won't break binary compatibility with existing code, as it would be broken anyway, and that it leads to sounder use of the API. It makes some rootkitting harder, and tools like regmon (not filemon, as it can hook as a filesystem filter driver). It doesn't make any of it impossible, though. It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent.

  5. Re:If you run linux by nuclear305 · · Score: 1, Insightful

    Except this story has nothing to do with Linux...I know it's hard to accept, but nice try!

  6. Rootkit Ben Kanobi says... by ScentCone · · Score: 1, Insightful

    If you detect my rootkit, I will become more powerful than you can possibly imagine.

    This really does feel like raising the stakes (or poking a bear with one, regardless).

    Unavoidable, I suppose. <sigh>

    --
    Don't disappoint your bird dog. Go to the range.
  7. Reputation Counts by Ridgelift · · Score: 5, Insightful

    Mark Russinovich and Bryce Cogswell have been providing invaluable tools for years. Even if Microsoft released a rootkit detection package tomorrow, I would still use Sysinternals' over anything Microsoft provides because "there is no anonymous team of programmers or writers behind Sysinternals". They put their name on everything they give away and sell.

    When it comes to trust, people put their names on things they know are trustworthy. I can't count the number of times I've felt betrayed by Microsoft's products not doing what they're supposed to do, only to discover a flaw in their product that they knew about but didn't tell so as not to affect sales. I also can't count the number of times utilities such as NTFS for DOS have saved my butt in the field.

    Way to go Sysinternals.

  8. Incompatible? by gr8_phk · · Score: 4, Insightful

    "It should really be noted that some of the low-level tools from sysinternals use very similar techniques to what a rootkit would do, just that they do it for monitoring and not with falsification of data as intent."

    I can see it now. The future Microsoft product (which might come free with the OS) will say this other tool is a rootkit and remove it. This area of security should be very interesting to watch.

  9. How do you REMOVE a rootkit? by Eric_Cartman_South_P · · Score: 3, Insightful

    This is good and all, but how do you remove a Rootkit if it finds one?

  10. Re:A level of sophistication? by Anonymous Coward · · Score: 2, Insightful

    What is to stop a rootkit from putting itself in the BIOS or the firmware of your hard drive or CD drive? How would you detect a rootkit living in the flash memory on your Nvidia card? I doubt most people are going to be desoldering chips to check for rootkits which is what would be required.

  11. Re:Like a partition? by Technician · · Score: 2, Insightful

    Would standard MBR scans catch that?

    It would be hard to hide from any Linux Live CDs. You boot a read only file system (not modifiable by a bug), load a trusted application (FDISK or Disk Druid) and check the partition table. Not much can hide from a scan from a non-compromised OS.

    --
    The truth shall set you free!
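The partition-table check described in the comment above, written out as an added example in Python; it is not part of the original thread and not code from Sysinternals or any live-CD tool. It parses a raw 512-byte sector 0 the way you would read it from the disk device under a trusted, booted-from-read-only-media system, then reports every sector range that no primary partition accounts for, plus any entries that overlap, since unallocated or double-claimed sectors are exactly where something hidden from file-level tools would have to sit. Because there is no disk to read offline, the `build_test_mbr` helper constructs the sample sector inside the block; the partition layout, types and disk size are assumptions chosen for illustration. The example does not walk extended-partition chains (types 0x05/0x0F) and treats a GPT disk's protective 0xEE entry as an ordinary partition.

```python
import struct

SECTOR_BYTES = 512
TABLE_OFFSET = 446          # the four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_test_mbr(partitions):
    """Builds a constructed MBR sector for offline testing (not a real disk image).
    partitions: iterable of (bootable, type_byte, lba_start, sector_count)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", lba_start, count)
        for bootable, ptype, lba_start, count in partitions
    )
    if len(table) > 64:
        raise ValueError("an MBR holds at most four primary entries")
    return bytes(TABLE_OFFSET) + table.ljust(64, b"\x00") + BOOT_SIGNATURE


def parse_mbr(sector0):
    """Returns the non-empty primary partition entries found in raw sector 0."""
    if len(sector0) != SECTOR_BYTES:
        raise ValueError("expected exactly one 512-byte sector")
    if sector0[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing; not an MBR")
    entries = []
    for idx in range(4):
        off = TABLE_OFFSET + 16 * idx
        status, _chs_start, ptype, _chs_end, start, count = struct.unpack(
            ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0x00:           # empty slot
            continue
        entries.append({"index": idx, "bootable": status == 0x80, "type": ptype,
                        "start": start, "end": start + count})   # end is exclusive
    return entries


def audit_layout(entries, disk_sectors):
    """Finds sector ranges [start, end) that no primary partition claims, and
    entries that begin inside a range already claimed. Sector 0 is the MBR."""
    gaps, overlaps = [], []
    cursor = 1
    for e in sorted(entries, key=lambda e: e["start"]):
        if e["start"] < cursor:
            overlaps.append((e["index"], e["start"], cursor))
        elif e["start"] > cursor:
            gaps.append((cursor, e["start"]))
        cursor = max(cursor, e["end"])
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return {"gaps": gaps, "overlaps": overlaps}


if __name__ == "__main__":
    # Constructed layout: a bootable NTFS partition at LBA 63, a second one
    # after a 2048-sector hole, and unclaimed space at the end of the disk.
    sector0 = build_test_mbr([(True, 0x07, 63, 1_000_000),
                              (False, 0x07, 1_002_111, 3_000_000)])
    for entry in parse_mbr(sector0):
        print(entry)
    print(audit_layout(parse_mbr(sector0), disk_sectors=4_194_304))
```

On a real live system you would feed `parse_mbr` the first 512 bytes of the block device (reading it needs root) and pass the device's total sector count to `audit_layout`; a gap is not proof of anything by itself, since partitioning tools leave alignment slack, but every reported range is a place worth dumping and inspecting from the trusted OS.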
  12. I wonder how well this would work. by jd · · Score: 1, Insightful

    I'd want to test it against the following scenarios, before I'd have much confidence:

    • Polymorphic viruses/rootkits (work by having self-modifying and/or self-encrypting code)
    • Stealth viruses/rootkits (work by intercepting syscalls and reads, making it appear that the values are normal)
    • Dead-Space viruses/rootkits (dead-space exists because file boundaries aren't the same as sector boundaries or (for FAT-based systems) the same as cluster boundaries - this memory is free to use by viruses, but would be invisible to file-level operations)
    • Bad Sector viruses/rootkits (viruses where the loader is visible, but where the main body of the code is concealed from the OS by flagging the sectors as bad - the loader either ignores the flag or temporarily resets it to load in)
    • Virtual System viruses/rootkits (these would likely reside in Flash RAM and create a virtual machine any loaded software would run in - any rootkit checker that was loaded would still be running inside the virtual machine of the rootkit)

    Only the first two of these are known to exist in the wild. You might find the rest in a research lab, you might not. But these are certainly known technologies. They require no technique that isn't already known, understood and routinely used throughout the software industry. If viruses don't exist that use them, then it's just a matter of time.

    I would not trust a rootkit detector that can't handle known vulnerabilities, only known attacks. The attacks of yesterday aren't the problem. If you are getting a rootkit detector, you're concerned about the attacks of tomorrow, next week and probably next year.

    It could be that this rootkit scanner will do the job, but it has to prove it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  13. halting problem by Anonymous Coward · · Score: 1, Insightful

    You're missing the big picture. Absolute certainty is impossible whether you're "inside" the system, or "off-line". A by-product of the halting problem is that you can't be certain what software does by automated analysis (ignoring trivial examples).

    The best you can do is find certain examples of malware or classes of it. This is the arms race that the virus scanners are in.

  14. Re:Call to arms by Phisbut · · Score: 2, Insightful
    Good idea, but I'm waiting for the first batch of viruses or whatever to disable this rootkit.

    Other than noting that RootkitRevealer is not a rootkit itself, it's also nice to see that Sysinternals knows the weakness of their products, how it can be exploited, and how it is very very unlikely that it will be.

    It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

    The complete opposite of security by obscurity. I like that.

    --
    After 3 days without programming, life becomes meaningless
    - The Tao of Programming
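The story summary describes RootkitRevealer as "comparing the results of a system scan at the highest level with that at the lowest level", and the Sysinternals text quoted in the comment above explains what it would take to beat that: a rootkit must falsify the raw on-disk data as well, without leaving "side-effect discrepancies". The block below is an added Python example, written for this page and not code from Sysinternals or RootkitRevealer, that shows both ideas on constructed data: a cross-view diff between a high-level listing and a low-level parse of file records, and one side-effect check (clusters the allocation bitmap says are in use that no record claims). The volume contents, the `rk_` name prefix the simulated rootkit filters, and the cluster counts are all constructed assumptions. In the real tool the low-level view comes from parsing the Registry hive and NTFS/FAT structures directly; on a real NTFS volume the metadata files themselves also consume clusters, so a real bitmap check has to account for them, which this example skips.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RawRecord:
    name: str
    size: int        # logical size stored in the on-disk record
    clusters: int    # clusters the record says are allocated to the file


# Constructed stand-in for a raw parse of volume metadata: the file records a
# low-level scan would decode, plus the in-use count the allocation bitmap reports.
VOLUME = {
    "records": [
        RawRecord("ntoskrnl.exe", 2_000_000, 489),
        RawRecord("hal.dll", 130_000, 32),
        RawRecord("rk_driver.sys", 40_000, 10),   # constructed: the rootkit's own file
    ],
    "bitmap_in_use": 531,   # 489 + 32 + 10 on a consistent volume
}
HIDE_PREFIX = "rk_"         # constructed: the name pattern the simulated rootkit hides


def raw_records(volume):
    """Low-level view: what parsing the on-disk structures ourselves returns."""
    return {r.name: r for r in volume["records"]}


def api_listing_clean(volume):
    """High-level view on a clean system: the directory API agrees with the disk."""
    return set(raw_records(volume))


def api_listing_hooked(volume):
    """High-level view with an API-hooking rootkit: its own file never appears."""
    return {n for n in raw_records(volume) if not n.startswith(HIDE_PREFIX)}


def raw_records_tampered(volume):
    """Low-level view against the more sophisticated rootkit the quoted text
    describes: it intercepts raw metadata reads and drops its record there too,
    but does not rewrite the allocation bitmap to match."""
    return {n: r for n, r in raw_records(volume).items()
            if not n.startswith(HIDE_PREFIX)}


def cross_view_diff(api_names, raw):
    """Names present in one view but not the other. Both directions matter:
    'hidden' is the classic rootkit signature; 'phantom' is data the API reports
    that the disk does not back, which is just as inconsistent."""
    hidden = sorted(set(raw) - set(api_names))
    phantom = sorted(set(api_names) - set(raw))
    return hidden, phantom


def unaccounted_clusters(raw, bitmap_in_use):
    """Side-effect check: clusters the bitmap marks in use that no record claims."""
    return bitmap_in_use - sum(r.clusters for r in raw.values())


def scan(api_names, raw, bitmap_in_use):
    """Combines the cross-view diff with the side-effect check into one verdict."""
    hidden, phantom = cross_view_diff(api_names, raw)
    unaccounted = unaccounted_clusters(raw, bitmap_in_use)
    return {
        "hidden": hidden,
        "phantom": phantom,
        "unaccounted_clusters": unaccounted,
        "suspicious": bool(hidden or phantom or unaccounted != 0),
    }


if __name__ == "__main__":
    bitmap = VOLUME["bitmap_in_use"]
    print("clean:   ", scan(api_listing_clean(VOLUME), raw_records(VOLUME), bitmap))
    print("hooked:  ", scan(api_listing_hooked(VOLUME), raw_records(VOLUME), bitmap))
    print("tampered:", scan(api_listing_hooked(VOLUME), raw_records_tampered(VOLUME), bitmap))
```

The third case is the point of the quoted caveat: once the rootkit also filters the raw reads, the diff alone comes back empty, and only an independent structure (here the allocation count) still betrays it; a rootkit that fixed that up too would have to keep every such structure consistent, which is the "level of sophistication" the text refers to.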
  15. uuh by Anonymous Coward · · Score: 1, Insightful

    "defeating their tool would require a level of sophistication not yet seen"

    Actually, defeating their tool would be trivial.

    1) Have rootkit scan processes.
    2) UhOh, rootkitrevealer.exe just popped up!
    3) Kill rootkitrevealer.exe (simple win32 function)
    4) Popup fake rootkitrevealer.exe
    5) fake rootkitrevealer.exe says you are all clean
    6) Profit!!

    Uhoh, no missing steps.
    So called security experts are nothing more than fraudsters and snake oil artists.

  16. memory hog by v1x · · Score: 2, Insightful

    I suppose this program loads the entire system hives into the memory at the same time, but my task manager is showing this program using 89 MB RAM & 82 MB virtual memory right now while the scan is running.

    Now, if I had to defeat this detection utility, maybe all I need is something that monitors processes that use RAM in this fashion.