Rooting Out Rootkits

One critical aspect of systems building is staying on top of security threats. Another is having the best detection tools available to keep those threats at bay. The last thing you need is to deliver an infected Windows system to a customer.

One of the newest threats in the wild is called a "rootkit." While a rootkit by itself causes no damage, it attempts to hide the presence of other malware, such as key-logging Trojans, viruses and worms.

Some modern viruses incorporate rootkits into their code libraries to take advantage of their ability to remain hidden and elude detection. Rootkits often include components to open back doors on systems by incorporating stealthy remote-access software. Also, rootkits can insinuate themselves into an operating system's core components, so they run as part of the kernel with the same unlimited rights and privileges typically granted to such code.

But what makes rootkits truly insidious is that typical antivirus and antispyware packages have great difficulty identifying them. That's because a rootkit can establish itself as part of the Windows bootup code, an area frequently unchecked by detection programs.


To make matters worse, there aren't any automated cleanup tools available--at least for now--that can remove a rootkit once it takes up residence on a PC. And, to date, none of the major security suites offer a rootkit-detection tool, though F-Secure plans to include a rootkit-detection tool called BlackLight in its forthcoming Internet Security 2006 suite. (A free beta version of this tool is available until Jan. 1, 2006, at the BlackLight beta page: www.f-secure.com/blacklight.)

However, in my opinion, RootkitRevealer from Sysinternals Freeware and Winternals Software makes a better choice for systems-builder security toolkits, not only because it's free, but because the Sysinternals RootkitRevealer page offers up-to-date information and a populated forum (www.sysinternals.com/Utilities/RootkitRevealer.html).
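RootkitRevealer's documented technique is a cross-view comparison: it lists the file system and registry once through the ordinary Windows API (the view a user or antivirus scanner gets) and once by parsing the raw volume and hive files, then reports whatever appears in one view but not the other. The example below is added here to illustrate that logic; it is not code from RootkitRevealer or Sysinternals, and the two listings, the file names and the scan window are constructed inputs rather than real volume data. The hidden_driver.sys entry is a made-up name standing in for an object a rootkit filters out of API results.

```python
"""Cross-view discrepancy detection (the approach used by rootkit detectors
such as RootkitRevealer). Two listings of the same objects are compared:
an API view and a raw (on-disk index) view. All data here is constructed;
nothing touches a real volume or registry."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Entry:
    path: str   # path as reported by that particular view
    size: int   # bytes
    mtime: int  # modification time in seconds; used to spot scan-time churn


@dataclass
class Discrepancy:
    path: str
    kind: str    # 'hidden_from_api', 'missing_from_raw' or 'metadata_mismatch'
    detail: str


def normalize(path: str) -> str:
    # Windows paths are case-insensitive, and the two views may differ in
    # separator style or case, so key both views on a canonical form.
    return path.replace("/", "\\").rstrip("\\").lower()


def index(view: Iterable[Entry]) -> Dict[str, Entry]:
    return {normalize(e.path): e for e in view}


def cross_view(api_view: Iterable[Entry], raw_view: Iterable[Entry],
               scan_start: int, scan_end: int) -> List[Discrepancy]:
    api = index(api_view)
    raw = index(raw_view)
    findings: List[Discrepancy] = []

    for key, e in raw.items():
        if key in api:
            continue
        # On disk but invisible through the API: the classic rootkit signature.
        # Objects modified during the scan window are more often ordinary
        # churn (temp files, logs), so they are reported for a rescan instead.
        if scan_start <= e.mtime <= scan_end:
            findings.append(Discrepancy(e.path, "hidden_from_api",
                                        "created during scan; verify on rescan"))
        else:
            findings.append(Discrepancy(e.path, "hidden_from_api",
                                        "not returned by API listing"))

    for key, e in api.items():
        r = raw.get(key)
        if r is None:
            # Visible through the API but absent from the raw index: usually a
            # file deleted mid-scan, occasionally an API-level fabrication.
            findings.append(Discrepancy(e.path, "missing_from_raw",
                                        "API reports entry absent from raw index"))
        elif r.size != e.size:
            # Same object, different metadata in the two views: worth a look.
            findings.append(Discrepancy(e.path, "metadata_mismatch",
                                        f"size api={e.size} raw={r.size}"))

    return sorted(findings, key=lambda d: normalize(d.path))


def demo() -> List[Discrepancy]:
    # Constructed listings. hidden_driver.sys is a placeholder name for an
    # object the API view does not return; the others model normal churn.
    api_view = [
        Entry(r"C:\Windows\System32\kernel32.dll", 1000, 100),
        Entry(r"C:\Windows\System32\drivers\etc\hosts", 800, 50),
        Entry(r"C:\Windows\Temp\report.txt", 20, 1010),
    ]
    raw_view = [
        Entry(r"c:\windows\system32\KERNEL32.DLL", 1000, 100),   # same file, other case
        Entry(r"C:\Windows\System32\drivers\etc\hosts", 824, 50),  # size differs
        Entry(r"C:\Windows\System32\drivers\hidden_driver.sys", 4096, 90),
        Entry(r"C:\Windows\Temp\tmp1.log", 5, 1005),             # written mid-scan
    ]
    return cross_view(api_view, raw_view, scan_start=1000, scan_end=1020)


if __name__ == "__main__":
    for d in demo():
        print(f"{d.kind:18} {d.path}  ({d.detail})")
```

The scan-window check is what keeps a detector of this kind from burying a real hit under noise: on a busy system, files created or removed between the two passes look exactly like hidden objects, and the only way to tell them apart is to note when they changed and scan again.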

To use RootkitRevealer, you'll need a PC running 32-bit Windows (Windows NT or newer versions) and an Internet connection. RootkitRevealer comes in a 182-KB zip file, so any speed connection will do. No installer is required to use this software. Simply extract the archive into a well-chosen target directory. The program (rootkitrevealer.exe) is ready to use: