Rooting Out Rootkits
One critical aspect of systems building is staying on top of security threats. Another is having the best detection tools available to keep those threats at bay. The last thing you need is to deliver an infected Windows system to a customer.
One of the newest threats in the wild is called a "rootkit." While a rootkit by itself causes no damage, it attempts to hide the presence of other malware, such as key-logging Trojans, viruses and worms.
Some modern viruses incorporate rootkits into their code libraries to take advantage of their ability to remain hidden and elude detection. Rootkits often include components to open back doors on systems by incorporating stealthy remote-access software. Also, rootkits can insinuate themselves into an operating system's core components, so they run as part of the kernel with the same unlimited rights and privileges typically granted to such code.
But what makes rootkits truly insidious is that typical antivirus and antispyware packages have great difficulty identifying them. That's because a rootkit can establish itself as part of the Windows bootup code, an area frequently unchecked by detection programs.
To make matters worse, there aren't any automated cleanup tools available--at least for now--that can remove a rootkit once it takes up residence on a PC. And, to date, none of the major security suites offer a rootkit-detection tool, though F-Secure plans to include a rootkit-detection tool called BlackLight in its forthcoming Internet Security 2006 suite. (A free beta version of this tool is available until Jan. 1, 2006, at the BlackLight beta page: www.f-secure.com/blacklight.)
However, in my opinion, RootkitRevealer from Sysinternals Freeware and Winternals Software makes a better choice for systems-builder security toolkits, not only because it's free, but because the Sysinternals RootkitRevealer page offers up-to-date information and an active forum (www.sysinternals.com/Utilities/RootkitRevealer.html).
To use RootkitRevealer, you'll need a PC running 32-bit Windows (Windows NT or newer versions) and an Internet connection. RootkitRevealer comes in a 182-KB zip file, so any speed connection will do. No installer is required to use this software. Simply unzip the archive, and then extract the files into a well-chosen target directory. The program (rootkitrevealer.exe) is ready to use:
- Open Internet Explorer and navigate to RootkitRevealer's home directory.
- Double-click the file named rootkitrevealer.exe to launch the program.
- Remove all CDs and DVDs. RootkitRevealer checks any drives it can find. For now, we want to check only the system's hard drive. Also, close all other applications while running the scan, and don't use the system for any other work until the scan is complete.
- To get the tool working, click the Scan button. The program will report on its activities in the status line at the bottom of the window.
- Completion time for the scanning process varies. For example, a complete scan on an Athlon 64 X2 machine with three hard disks and a total of roughly 65 GB of data took nearly 10 minutes.
- Once the scan is complete, you'll get a report. Ideally, RootkitRevealer will report no discrepancies. But if it does, research any anomalies before concluding a system is running a rootkit. False positives are fairly common when using the RootkitRevealer tool, so be warned.
Systems builders should make RootkitRevealer a standard part of their security toolkit. I've created weekly Task Scheduler jobs on all my machines to run RootkitRevealer as part of my ongoing security-maintenance routine.

Ed Tittel is a freelance writer who specializes in markup languages, PCs and networking topics.
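Two points in the procedure above deserve a worked example: the scan produces a list of "discrepancies" that must be researched before calling a system infected, and the author schedules the tool to run unattended. The script below is an added example written for this article, not Sysinternals code, and it makes several assumptions: that RootkitRevealer is started with its documented `-a` (scan automatically and exit) and `-c` (CSV output) switches, that the install path `C:\Tools\RootkitRevealer\rootkitrevealer.exe` is where you unzipped it, that each CSV row is `path,timestamp,size,description`, and that the sample report embedded in the script is constructed for illustration rather than captured from a real scan. The "likely benign" rules are this script's own heuristics for things that routinely change while a scan runs, which is the usual source of the false positives the article warns about; they are a starting point for research, not a verdict.

```python
"""Triage helper for RootkitRevealer CSV reports.

Added example for this article, not Sysinternals code. Assumptions:
  * RootkitRevealer is run unattended as ``rootkitrevealer -a -c <file>``.
  * Each CSV row is ``path,timestamp,size,description``.
  * The sample report and the benign-path heuristics are constructed here.
"""
import csv
import io
import re
import subprocess
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

RKR_EXE = r"C:\Tools\RootkitRevealer\rootkitrevealer.exe"  # assumed unzip location

# Locations that are legitimately written while the scan itself is running, so a
# difference between the Windows API view and the raw disk/hive view is expected.
# These patterns are this script's heuristics, not output of the tool.
BENIGN_PATTERNS = [
    (re.compile(r"\\Prefetch\\", re.I), "prefetch file written during scan"),
    (re.compile(r"\\config\\[^\\]+\.LOG$", re.I), "registry hive transaction log"),
    (re.compile(r"\\Temp\\", re.I), "temporary file changed during scan"),
    (re.compile(r"\\System Volume Information\\", re.I), "restore-point activity"),
]


@dataclass
class Finding:
    path: str
    timestamp: str
    size: str
    description: str
    verdict: str  # "investigate" or "likely benign: <reason>"


def run_scan(report_path: str) -> None:
    """Run an unattended scan and block until RootkitRevealer exits.
    Suitable as the action of a weekly Task Scheduler job."""
    subprocess.run([RKR_EXE, "-a", "-c", report_path], check=True)


def classify(path: str, description: str) -> str:
    """A key or file hidden from the Windows API is the classic rootkit symptom
    and is always flagged; other discrepancies in scan-time churn paths are
    marked as likely benign, everything else is flagged for research."""
    if description.lower().startswith("hidden from windows api"):
        return "investigate"
    for pattern, reason in BENIGN_PATTERNS:
        if pattern.search(path):
            return f"likely benign: {reason}"
    return "investigate"


def parse_report(csv_text: str) -> List[Finding]:
    """Parse the CSV text of a report into Finding objects, skipping short rows."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 4:
            continue
        path, timestamp, size, description = (field.strip() for field in row[:4])
        findings.append(Finding(path, timestamp, size, description,
                                classify(path, description)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by top-level verdict ("investigate" / "likely benign")."""
    counts: Counter = Counter(f.verdict.split(":")[0] for f in findings)
    return dict(counts)


# Constructed sample report: NOT captured from a real machine.
SAMPLE_REPORT = r'''
"HKLM\SOFTWARE\Classes\CLSID\{EXAMPLE-0000-0000-0000-000000000000}","2005-11-01 09:12","0 bytes","Hidden from Windows API."
"C:\WINDOWS\system32\config\software.LOG","2005-11-01 09:13","4.00 KB","Visible in Windows API, but not in MFT or directory index."
"C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-EXAMPLE.pf","2005-11-01 09:14","12.00 KB","Visible in Windows API, but not in MFT or directory index."
"C:\WINDOWS\system32\drivers\example-hidden.sys","2005-11-01 09:15","30.50 KB","Hidden from Windows API."
'''.strip()


if __name__ == "__main__":
    # To triage a real scan instead of the sample: run_scan("rkr.csv") and read it.
    results = parse_report(SAMPLE_REPORT)
    for f in results:
        print(f"{f.verdict:45} {f.path}")
    print(summarize(results))
```

On a real machine you would schedule `run_scan()` (or `rootkitrevealer -a -c` directly) as the Task Scheduler action and feed the resulting file to `parse_report()`; only the "investigate" rows need a human to research the path, its timestamp and what legitimately lives there before you conclude anything about the system.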