Saturday, January 12, 2008

Anti-Rootkit Tools Roundup Revisited

It was just a year ago that I tried my hand at collecting useful Windows applications that could help scan a system to identify potential rootkits.

I encourage you to return to it and re-read it. The principles still remain.

  • Rootkits are bad...and can still be found being deployed using holes in unpatched systems.
  • Rootkits work their magic by (basically) hooking into the most basic levels of the system kernel, so that normal attempts to find them fail: the rootkit hides itself and/or passes false data back to the requests.
  • Identification requires specialized software tools that work around those tricks, or booting "off-disk" with an alternative boot system from the target disk and then examining it "from the outside looking in," statically.

Rootkits are slowly making their way back into the geek-news circles with notice of a new (old) Master Boot Record (MBR) rootkit that has been slowly evolving from concept to in-the-wild deployments.

This post gives a great timeline of this particular item, from Proof of Concept (eEye) back in 2005 to release in late 2007 by attackers. GMER has a great writeup and comparison of it against the PoC version.

Generally, as the Handler's Diary posts, Windows users who are fully patched with their Microsoft Updates should be safe. If you aren't patched, you need to be.

So it was against this backdrop that I decided to revisit my pile of portable anti-rootkit tools to see which ones needed to be updated and whether any new ones had been made, and to update the list I keep for reference.

Beware of "fake" tools, which are especially hard to spot when they take on the GUI of a trusted tool. I encourage you to verify your sources. See: Fake RootkitBuster Busted! - TrendLabs Malware Blog

Note: All products, unless otherwise noted, are freeware.

My Portable USB Anti-Rootkit Tools

Through trial and error, these are the anti-rootkit tools I have found which seemingly will run successfully off a USB drive. Others may also exist, but these are the ones I rely on the most (in alphabetical order).

  • AVG Anti-Rootkit Free Edition - Simple interface. Pretty speedy.

  • Bitdefender Rootkit Undercover - no longer found on the site. Linked to Major Geeks download pile site.

  • CatchMe Scanner - Userland rootkit detector from the GMER team.

  • F-Secure Blacklight - Restrictive wizard interface, but easy to use for the uninitiated.

  • DarkSpy - Chinese-developed tool. Supports process, kernel mode, file, registry scan (disabled in test version) and hidden port detection. Screenshot via Antirootkit.com.

  • GMER - The tool that's got everyone in a fuss! Scans for hidden processes, services, files, registry keys, drivers, and hooks. Also allows some system function monitoring. Highly regarded by the antirootkit professionals. More screenshots (while the site is up).

  • Helios Lite - New product developed to be portable from the original Helios team.

  • HookExplorer - Tiny little application. Displays import address table (IAT) hijacks and "detour style hooks." Lots of information in the tiny display!

  • IceSword - Developed in China but nicely translated into English. Busy interface but updated often. Has some advanced tools like the ability to "reboot and monitor" during the boot process. More information over on the Anti-rootkit blog description page.

  • McAfee Rootkit Detective Beta - "McAfee Rootkit Detective Beta is a program designed and developed by McAfee Avert Labs to proactively detect and clean rootkits that are running on the system." Nice interface.

  • Panda Anti-Rootkit - See product guide - beta software. Looks at hidden drivers, processes, modules, files, registry items, hooks. Not a lot of user options...scan, clean, and view results. Download link/info page via antirootkit.com.

  • Rootkit Detector - Composed of both a file system module and an IAT Analysis Module.

  • RootKit Hook Analyzer - Reports on any system hooks and modules and displays findings.

  • Rootkit Revealer - From the Sysinternals team. Easy to use, but does often turn up documented false-positives. Just identifies suspicious processes...you are on your own to delete them with other methods and applications. Better for system checking and monitoring, rather than protection and removal in and of itself.

  • Rootkit Unhooker - Link to page on antirootkit.com for download and info. Interestingly, this team has now joined Microsoft. Maybe their talents will get folded into the Sysinternals Rootkit Revealer product.

  • SEEM - Multi-purpose system reporting tool that has an interesting interface. Includes a rootkit scanner as part of its features. Website (translated from French) has quite a bit of good information on rootkits and how they apply to their program. Download page (kinda hard to find in French). Get the English version unless you know French.

  • Sophos Anti-Rootkit - "Sophos Anti-Rootkit provides an extra layer of detection, by safely and reliably detecting and removing any rootkit that might already have secreted itself onto your system." Note: Registration required for download from the vendor's site (or just get it from Major Geeks directly). The utility itself is free.

  • Trend Micro RootkitBuster - Runs scans in five system areas and exports a nice log file. You can then opt to remove the detected items.

Anti-Rootkit Blog's Vista-Compatible Anti-Rootkit List

Anti-Rootkit Blog posted a list of seven rootkit scanners they found will work well on Vista systems. They have nice screen shots as well.

    1. F-Secure Blacklight

    2. GMER

    3. Icesword

    4. Rootkit Hook Analyser

    5. Rootkit Revealer

    6. Rootkit Unhooker

    7. Unhackme

Additional Anti-Rootkit Tools that are still Kicking Around

I've cleaned up my old list to reflect products that have been retired or are now dead links. These remain.

  • Gromozon, Rustock, Haxdoor related removal tools - Specialized and targeted rootkit removal tool list via Antirootkit.com

  • Aries Sony Rootkit Remover - Tool to remove the Sony/BMG DRM CD protection software.

  • Archon Scanner - More of a process, injection, hooking scanner. But has other specialties as well. Current version was beta and has expired...developers promise a new one sometime.

  • Avira Rootkit Detection - Beta product disabled after 1-4-07. See Antirootkit.com's page for file.

  • Helios - Behavior-based, not signature-based detection. Interesting interface and approach. Worth looking at. Requires .NET framework to be installed. Developers offer videos as well of their tool in action.

  • HiddenFinder - trialware - Shows hidden processes and drivers on a system and then allows for killing of the desired process.

  • Process Master - trialware - API comparison tool.

  • System Virginity Verifier - Tool developed by Joanna Rutkowska to validate system integrity by checking important Windows System components targeted by hidden malware. She also provides links to some related PowerPoint presentations.

  • Unhackme - trialware - limited to 10 runs until license purchased and entered - In standard, "Roaming" and "Professional" editions. University of Minnesota's Safe Computing page documents rootkit removal tutorial with Unhackme.

More Information for the Interested

I've copied this information from my last post, because these sources remain excellent reviews on rootkits and the professionals who study and defend against them.

Finally, these links provide more names and references for additional anti-rootkit tools. I haven't tracked down or tested many of them. Pursue at your own efforts and risks.

See you in the skies...
Claus

2 comments:

Anonymous said...

Wow. That is one of the most extensive lists of Rootkit detection software I have seen.
I have always had the question floating in the back of my mind about the software in the area of security detection/removal of parasitic elements. The idea that some of this software may in fact be installing parasites of one form or another, or even a Rootkit. If a rootkit does get in, then can you really detect it with some of this rootkit detection/removal software? Any chance you could blog about this, or offer a reply? Thanks

Anonymous said...

@ Anonymous - Thank you for the kind words. It was challenging, but fun to hunt it all down.

I keep a number of these tools on my USB stick, just in case....

It all comes down to trust. Certainly there are a number of fake anti-malware programs that pose as legitimate programs, but then present a false-positive alert, infect your system, and then ask you to pay them for a worthless tool to remove the "fake" threat, all the while leaving the real source of infection (theirs) on your system!

I can only offer two pieces of advice based on my own experience:

1) Do the research into ALL anti-rootkit/anti-malware programs yourself. Don't just take what I or any one person says. Put the tool's name in Google and do some searches. If it is a good tool, cream rises to the top. If not, it will become pretty clear. I think the tools listed here are legit, but as I am not a programmer, I can't dive into the code to independently verify that fact. Also, I only download them from the source/developer directly.

2) While I am quite happy and willing to remove viruses/trojans/malware from a system and feel comfortable with walking away from it "cleaned", I don't take the same approach to rootkits.

When I find evidence of a rootkit I ALWAYS recover the user-data to a USB drive, secure-wipe the entire drive(s) for that system, re-partition/format the drive fresh, then reload the system from a good image/setup disk.

I don't doubt that some/many of the tools listed here can successfully rid a system of a rootkit. However, in my approach, these tools are for identification of rootkit/rootkit-like behaviour on a system. Then based on that I wipe/restore the system.

It isn't so much that they are any more "dangerous" than any other malicious threat on a system, it's just that they hide better and deeper...thus making it a bit harder to ensure your cleaned system doesn't remain compromised.

That's my 2-cents anyway....

Better to wipe/restore than to always have a nagging worry about it being "really" clean again.

--Cheers!