Uncover Hidden Malware: RootkitRevealer
February 24, 2005
It’s getting ugly out there—I’ve talked to two XP users this week whose machines have caught “something”—in one case, the user gets steady advertisement popups whenever the machine is running, and in the other, the machine will just barely run, and times out all over the place.
But when they run all of the standard anti-spyware and anti-virus utilities, none of them find a thing. Or they find stuff, remove it, but two minutes later they’ve got something again.
Chances are that they’ve got one of the newer infestations that use a rootkit: code that burrows into the operating system and removes any traces of itself from the OS’s own process tracking mechanisms.
It’s getting ugly (well, uglier) out there…
Fortunately, Sysinternals has a new tool—RootkitRevealer—that will reveal most rootkits in Windows XP and Windows 2000. At least those using known mechanisms…
Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry’s on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume’s file system structures.
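To make the cross-view idea concrete, here is an added illustration (not RootkitRevealer's or Sysinternals' code) of the comparison step: one list of entries as the Windows API reports them, one list as read from the raw volume or hive, and a diff that flags anything that disagrees. Both views are constructed sample data, including the hidden driver file and service key, and the file sizes are made up; a real tool would obtain the high-level view through the Windows API and the low-level view by parsing NTFS/FAT structures and hive files itself.

```python
"""Cross-view discrepancy detection in the style RootkitRevealer uses.

Added example, not Sysinternals code. The two "views" below are constructed:
in practice the API view comes from Win32 directory/Registry enumeration and
the raw view from parsing the volume's file system structures or the hive file.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    path: str                  # file path or Registry path
    kind: str                  # "file", "dir", "key" or "value"
    size: Optional[int] = None # file length or value data length; None for dirs/keys


def normalize(path: str) -> str:
    # Windows file and Registry names are case-insensitive, so compare them that
    # way; otherwise a difference in case alone would be reported as a discrepancy.
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(api_view: List[Entry], raw_view: List[Entry]) -> List[Dict[str, str]]:
    """Return one finding per path where the API view and the raw view disagree."""
    api = {normalize(e.path): e for e in api_view}
    raw = {normalize(e.path): e for e in raw_view}
    findings: List[Dict[str, str]] = []
    for key in sorted(set(api) | set(raw)):
        a, r = api.get(key), raw.get(key)
        if a is None:
            # On disk / in the hive, but filtered out of API results: the classic
            # symptom of a rootkit hooking the enumeration APIs.
            findings.append({"path": r.path, "issue": "hidden from Windows API"})
        elif r is None:
            # Reported by the API but absent from the raw structures.
            findings.append({"path": a.path, "issue": "visible in Windows API but not in raw view"})
        elif a.kind != r.kind:
            findings.append({"path": a.path, "issue": f"type mismatch: API={a.kind} raw={r.kind}"})
        elif a.size is not None and r.size is not None and a.size != r.size:
            # Same object in both views but the API reports a different length
            # than the raw data holds; also worth a closer look.
            findings.append({"path": a.path, "issue": f"length mismatch: API={a.size} raw={r.size}"})
    return findings


# Constructed sample views. Sizes are made up; hidden_example.sys and
# ExampleSvc are invented names standing in for hidden rootkit components.
SAMPLE_API_VIEW = [
    Entry(r"C:\Windows\System32\drivers", "dir"),
    Entry(r"C:\Windows\System32\drivers\ntfs.sys", "file", 574976),
    Entry(r"C:\temp\report.tmp", "file", 10),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip", "key"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Start", "value", 4),
]
SAMPLE_RAW_VIEW = [
    Entry(r"C:\WINDOWS\system32\drivers", "dir"),
    Entry(r"C:\WINDOWS\system32\drivers\NTFS.SYS", "file", 574976),    # same file, different case
    Entry(r"C:\Windows\System32\drivers\hidden_example.sys", "file", 12288),  # constructed
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip", "key"),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Start", "value", 8),
    Entry(r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleSvc", "key"),   # constructed
]


def demo() -> List[Dict[str, str]]:
    """Run the diff over the constructed views and return the findings."""
    return cross_view_diff(SAMPLE_API_VIEW, SAMPLE_RAW_VIEW)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['issue']:45s} {f['path']}")
```

On a live machine the two views are taken at slightly different moments, so files and keys created or deleted in between show up as discrepancies too; a scanner has to expect some of that noise, and a finding is a lead to investigate rather than proof of a rootkit on its own.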
If you’ve got some stubborn malware, this may be worth a try…