Anti-rootkit Windows Tools: Searching for the Hidden
Yesterday George Bakos, SANS ISC handler, posted an entry asking for tools for malware analysis and removal, something we are involved in professionally, or personally with the family ;) Especially, we need to be ready for the holidays and have the incident handling jump bag (USB drive or CD) ready to go to clean up all the computers around us. If you are interested, check the follow-up by Kevin Liston on the SANS ISC handler's diary.
I was involved in some malware cleanup tasks this weekend, so I reviewed my toolkit. One set of tools that should be included in any jump bag are the anti-rootkit tools, given the amount of malware specimens that include rootkit capabilities today. The following list (alphabetically ordered) includes different FREE Windows tools provided by AV vendors or individuals for this specific purpose (we leave other OSes (Linux, FreeBSD, etc.) aside this time). The list contains the direct tool download link, the main tool web page and author, the current version (as of 20/11/2007), and some other details:
- AntiRootkit (Avira) - v1.0.1.17 (Install required :( )
- Anti-Rootkit (AVG) - v1.1.0.42 (Install required :( )
- Anti-Rootkit (Panda) - v1.08.00
- File: PAVARK.EXE (745 KB)
- Anti-Rootkit (Sophos) - v1.3.1 (Free registration and install required :( )
- Hook Explorer (iDefense) - v (VB6 runtime required, GNU)
- Several files (EXE, DLL, etc)
- IceSword (PJF - USTC) - v1.22 (English)
- Several files (EXE, ICP, etc)
- BlackLight (F-Secure) - v2.2.1067.0
- File: fsbl.exe (895 KB)
- Rootkit Buster (TrendMicro) - v1.6.1060
- File: RootkitBuster.exe (805 KB)
- Rootkit Detective (McAfee) - v1.1
- File: Rootkit_Detective.exe (1,7 MB)
- RKDetector & IAT Scanner (Andrés Tarasco) - v2.0
- Files: Rkdetector2.exe (360 KB) & IATHooksAnalyzer.exe (260 KB)
- RootkitRevealer (Microsoft - Sysinternals) - v1.71
- File: RootkitRevealer.exe (334 KB)
- Rootkit Uncover (Bitdefender) - v1.0 beta2 (Install required :( )
Rootkits are among the most complex and advanced malicious software components today, so the tools focus mainly on the identification phase. Successfully removing a (kernel) rootkit from a system is often a really complex task. For the same reason, you also need to familiarize yourself with the tools' output, as it is common to get a few false positives from legitimate artifacts running inside Windows.
Get ready for the holidays! Download all (or a few) of them now, and include these tools in your jump bag. It is highly recommended to run at least 2-3 of these tools and compare the results, trying to find glitches in The Matrix. More information and tools about anti-rootkit technologies are available at antirootkit.com.
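The two pieces of advice above (expect false positives from legitimate Windows artifacts, and run 2-3 scanners and compare) translate naturally into a small triage step for the jump bag. The script below is an added example written for this post, not code from any of the tools listed; it assumes the analyst transcribes each scanner's findings into a constructed, tool-neutral format (one tab-separated `type<TAB>path` line per finding), and the sample reports, paths and the allowlist entries are invented for illustration. It then reports which hidden objects were corroborated by several scanners, which come from a single scanner and need manual verification, and which match a narrow analyst-maintained allowlist of known-benign artifacts (kept visible, not discarded, and checked before corroboration, because every scanner agreeing on an ACL-restricted system folder does not make it malicious).

```python
"""Consolidate findings from several anti-rootkit scanners run on one host.

Each scanner reports objects (files, processes, registry keys) that are
visible in a low-level view but hidden from the normal Windows API view.
Scanners have different blind spots and different benign-artifact noise,
so the analyst runs two or three and looks at the overlap.

The report format is a constructed, tool-neutral one: '<type>\t<path>'
per line. It is NOT the native output of any real anti-rootkit tool.
"""
from collections import defaultdict

# Constructed sample reports (paths, names and scanner labels invented).
SAMPLE_REPORTS = {
    "scanner_a": """\
file\tC:\\WINDOWS\\system32\\drivers\\hide_me.sys
process\tC:\\WINDOWS\\system32\\svchosts.exe
registry\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\hide_me
file\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\~DF1234.tmp
file\tC:\\System Volume Information\\_restore{11111111-2222-3333-4444-555555555555}\\RP1\\A0000001.exe
""",
    "scanner_b": """\
FILE\tc:\\windows\\system32\\drivers\\HIDE_ME.SYS
REGISTRY\thklm\\system\\currentcontrolset\\services\\hide_me
REGISTRY\thklm\\software\\classes\\clsid\\{deadbeef-0000-0000-0000-000000000000}
""",
    "scanner_c": """\
process\tC:\\WINDOWS\\system32\\svchosts.exe
file\tC:\\WINDOWS\\system32\\drivers\\hide_me.sys
file\tC:\\System Volume Information\\_restore{11111111-2222-3333-4444-555555555555}\\RP1\\A0000001.exe
""",
}

# Analyst-maintained allowlist of (type, path prefix) pairs for artifacts
# known to be reported as "hidden" for benign reasons on this kind of host.
# Constructed example: System Restore data is ACL-restricted, so scanners
# that compare views often flag it. Keep this list short and deliberate.
ALLOWLIST = (
    ("file", "c:\\system volume information\\"),
)


def normalize(obj_type: str, path: str) -> tuple:
    """Make the same object compare equal across scanners that differ in
    case or trailing backslashes."""
    return (obj_type.strip().lower(), path.strip().lower().rstrip("\\"))


def parse_report(text: str) -> set:
    """Parse the tool-neutral format; blank lines are ignored, a line
    without a tab-separated path is rejected rather than silently dropped."""
    findings = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        obj_type, _, path = line.partition("\t")
        if not path:
            raise ValueError(f"malformed report line: {line!r}")
        findings.add(normalize(obj_type, path))
    return findings


def consolidate(reports: dict) -> dict:
    """Map every distinct finding to the set of scanners that reported it."""
    seen = defaultdict(set)
    for tool, text in reports.items():
        for finding in parse_report(text):
            seen[finding].add(tool)
    return dict(seen)


def is_allowlisted(finding: tuple, allowlist) -> bool:
    obj_type, path = finding
    return any(obj_type == a_type and path.startswith(prefix)
               for a_type, prefix in allowlist)


def triage(reports: dict, allowlist=ALLOWLIST, min_tools: int = 2) -> dict:
    """Bucket findings: allowlisted (still listed for review), corroborated
    by at least min_tools scanners, or single-source (verify by hand)."""
    buckets = {"corroborated": [], "single_source": [], "allowlisted": []}
    for finding, tools in consolidate(reports).items():
        entry = (finding[0], finding[1], tuple(sorted(tools)))
        if is_allowlisted(finding, allowlist):
            buckets["allowlisted"].append(entry)
        elif len(tools) >= min_tools:
            buckets["corroborated"].append(entry)
        else:
            buckets["single_source"].append(entry)
    for bucket in buckets.values():
        bucket.sort()
    return buckets


if __name__ == "__main__":
    for name, entries in triage(SAMPLE_REPORTS).items():
        print(f"== {name} ==")
        for obj_type, path, tools in entries:
            print(f"{obj_type:9} {path}  [{', '.join(tools)}]")
```

On the constructed sample the driver, the process and its service key come out as corroborated, the temp file and the CLSID key as single-source items to check by hand, and the System Restore entry as allowlisted even though two scanners agreed on it. Raise `min_tools` when running more scanners, and resist the temptation to widen the allowlist beyond artifacts you have personally verified as benign on that class of machine.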
I've always been a great fan of rootkit and anti-rootkit technologies, publishing documents about Linux kernel rootkits and rootkits from a defensive perspective. If anyone (magazine, company, vendor, etc.) is interested in getting me involved in the in-depth analysis and comparison of all (or several) of the above anti-rootkit products/technologies, let me know (raul DOT siles AT gmail DOT com).
Labels: Incident Handling