SysInternals Releases RootkitRevealer
Brian writes "In the wake of news that Microsoft is developing prototype software to detect rootkits, SysInternals has released a free rootkit detection tool named RootkitRevealer for all Windows systems NT4+. RootkitRevealer works by "comparing the results of a system scan at the highest level with that at the lowest level," and detects every known rootkit at rootkit.com. They also report that it is impossible to know for sure that a given system is clean from within it, but that defeating their tool would require a level of sophistication not yet seen. You can download RootkitRevealer."
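The "highest level versus lowest level" comparison the summary describes is a cross-view difference check: enumerate the same objects through the normal system interfaces and through a raw read of the underlying structures, then report whatever one view shows and the other does not. The following is an added illustration of that idea in Python, not SysInternals code and not RootkitRevealer's implementation; the two listings are constructed sample data standing in for a high-level (API) view and a low-level (on-disk) view, and the `volatile_prefixes` triage rule is an assumption chosen for the example.

```python
"""Cross-view difference check in the style of the story's description.

Added example (not RootkitRevealer's code). The two views below are
constructed dictionaries mapping path -> size in bytes; a real scanner would
fill them from an API enumeration and a raw volume parse respectively.
"""

from dataclasses import dataclass, field

# Constructed "high-level" view: what normal directory enumeration reports.
HIGH_LEVEL_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": 2_180_000,
    r"C:\Windows\System32\drivers\tcpip.sys": 360_000,
    r"C:\temp\report.txt": 512,
}

# Constructed "low-level" view: what a direct parse of the on-disk structures
# reports. One entry is invisible at the high level, one differs in size.
LOW_LEVEL_VIEW = {
    r"C:\Windows\System32\ntoskrnl.exe": 2_180_000,
    r"C:\Windows\System32\drivers\tcpip.sys": 360_000,
    r"C:\temp\report.txt": 1024,
    r"C:\Windows\System32\drivers\hidden.sys": 40_960,
}


@dataclass
class Discrepancies:
    """Everything the two views disagree on, grouped by kind."""
    hidden: list = field(default_factory=list)      # in low view, missing from high view
    phantom: list = field(default_factory=list)     # in high view, absent from low view
    mismatched: list = field(default_factory=list)  # same path, different metadata


def cross_view_diff(high: dict, low: dict) -> Discrepancies:
    """Compare the two views and return every discrepancy between them."""
    result = Discrepancies()
    for path in sorted(set(high) | set(low)):
        in_high, in_low = path in high, path in low
        if in_low and not in_high:
            result.hidden.append(path)
        elif in_high and not in_low:
            result.phantom.append(path)
        elif high[path] != low[path]:
            result.mismatched.append((path, high[path], low[path]))
    return result


def triage(diff: Discrepancies, volatile_prefixes=(r"C:\temp",)) -> dict:
    """Label each discrepancy for an analyst.

    A discrepancy is evidence, not proof: a file written between the two scans
    produces the same signature as a concealed one. Paths under an assumed
    list of volatile directories are marked for review rather than flagged.
    """
    def is_volatile(path: str) -> bool:
        return any(path.lower().startswith(p.lower()) for p in volatile_prefixes)

    labels = {}
    for path in diff.hidden:
        labels[path] = "review" if is_volatile(path) else "suspicious: hidden from API"
    for path in diff.phantom:
        labels[path] = "review" if is_volatile(path) else "suspicious: not on disk"
    for path, high_size, low_size in diff.mismatched:
        labels[path] = ("review" if is_volatile(path)
                        else f"suspicious: size {high_size} vs {low_size}")
    return labels


if __name__ == "__main__":
    for path, label in triage(cross_view_diff(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW)).items():
        print(f"{label:40} {path}")
```

The point the example makes is the same one the summary draws: the check only sees what the low-level view can still read, so anything that also intercepts the raw read escapes it, and it cannot tell concealment from ordinary churn without further triage.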
Is it just me or do other people think this is just part of the ongoing line of propaganda to undermine current technology and make people more open to the idea of Trusted Computing, formerly known as Palladium??? I know the current software isn't perfect but you'll never have a completely safe system, so long as the user operating it has system administrator privileges. Trusted computing or the solution to the above problem is to implement security access that even the owner of the system is deemed untrustworthy.
Amusingly, large portions of MS software don't qualify for the "Designed for Windows" logo. Office springs immediately to mind - violates the HIG.
For the hacker, priceless. This really accomplishes so little. Sure, here are your 'discrepancies', but they might not be that at all. Mostly pointless. A good step, but only something the hackers will get control of well before this becomes mainstream.
No way will it let you remove itself. If you boot off of some sort of safe media and delete the thing, the computer no longer has the ability to read any of its data.
Yeah, I know I messed up the jargon, but I'm sure I'll be corrected on that. :P
Stop the Slashdot effect! Don't read the articles!
VMware is a very good way to neuter Windows and minimize some of its bad behavior. I've been beating the crap out of my windows development environment for two years straight with no re-installs of windows. My windows environment is hosted by SuSE Linux. I have reverted to a snapshot a couple of times, at a cost of a couple of minutes of downtime. Saving the original install off to somewhere safe is easy (just copy the virtual machine's directory somewhere else).
This sig kills fascists.
Possibly. But, what I was talking about is that some sysinternals tools overload/hook certain kernel calls. The system call tables are, IIRC, write protected even from kernel when the kernel has been loaded in the current/coming Win64 editions.
I don't know how your system is configured, but on my network all of my users run with non-privileged (read Users) accounts and can run Office 2000, XP, and 2003 just fine.