Free Republic


New Tool Gives the Scoop on Snoops
PCWorld ^ | March 01, 2005 | Andrew Brandt

Posted on 03/01/2005 1:56:51 PM PST by holymoly

Free utility can reveal rootkits, hidden software used by hackers and crooks.

Computer users have yet another tool they can use to find out if stealthy malware--such as a hidden virus, Trojan horse, or spyware application--has found its way onto their PC. The tool, called RootkitRevealer, permits Windows users to scan a computer for the telltale presence of certain kinds of malicious software.

That type of software, known in the security industry as a rootkit, "is a technology that's used by malware--viruses or trojans--to actively hide themselves," says RootkitRevealer's co-creator, Mark Russinovich. Rootkits can also help hackers gain greater control of an already-compromised computer.

Rootkits are better known in the world of Linux and UNIX-based computers, and are so called because they help an attacker gain or maintain root access (the highest level of administrative privilege) to a compromised system. Several Windows-specific rootkits have nevertheless appeared online in the past couple of years. They tend to be bundled with the most dangerous kinds of malware, such as keystroke-logging tools that steal passwords.

Strengths and Limitations

Rootkits themselves are merely a means to an end; by hiding components of a Trojan horse application, for instance, a rootkit can help the malware evade detection by traditional antivirus scanners. RootkitRevealer can detect the presence of several common rootkits for Windows computers running NT, 2000, or XP--but not 95, 98, or Windows Me.

RootkitRevealer does have some limitations. In order to use it effectively, the user must understand how to evaluate the information it provides.

The program also cannot remove or "quarantine" rootkits it finds, and it cannot definitively tell you whether a file it finds is, in fact, part of a rootkit. If you find something that shouldn't be there and your antivirus program can't remove it, says Russinovich, "the correct response is to repave."

"That's IT terminology for completely scrubbing the machine," he explains. "You have to format the drive, completely wiping out all the data, and reinstall Windows."

Your First Rootkit Scan

The program is free to download from Russinovich's Web site, Sysinternals. There's no installation process; simply unzip the files and run the RootkitRevealer.exe application.

There are a few caveats you should know before you run your first scan with the program. The first is that while RootkitRevealer is running, you shouldn't do anything at all with the PC. Put down the mouse, back away slowly, and let the program do its work.

You should also turn off any program that might activate during the scan, such as a screensaver or an antivirus tool, and close any other running program. RootkitRevealer works by comparing what the Windows API reports about the file system and Registry against what it reads directly from the disk volume and the Registry hives, so anything that creates, deletes, or changes files or keys between those two views shows up as a discrepancy. Switching focus to another program, or allowing other programs to run during the scan, won't crash your system, but it may cause RootkitRevealer to display inaccurate or misleading results.

So turn off all other programs, open RootkitRevealer, click the Scan button in the lower left corner of the application's window, and sit back and watch.

Evaluating the Results

Almost as soon as you begin the scan, you'll see some results. When the program completes its scans, the Scan button (which changes its label to Abort during the scan) will change its name back to Scan. The bottom of the window will also tell you how many "discrepancies" were found in the scan.

Several of the discrepancies are completely benign. The first 10 to 20 results will look like Registry keys with the words "Access denied" next to them. These are normal results that appear on every computer, whether or not a rootkit is present, and they do not indicate the presence of problematic files.

Following the "Access denied" entries, you'll see a list of what look like Windows folder names that begin with a dollar sign. Russinovich says these files (he calls them NTFS metadata files) are a normal part of Windows' NTFS file system, created as part of the normal functioning of Windows; they show up as discrepancies because the Windows API never lists them, even though they are present on disk. Both the number and names of the files vary from system to system, and RootkitRevealer compiles a list of them for each drive partition on your computer. These also appear on every computer, whether or not there's a rootkit present.

If you see other files that carry a description of "Hidden from Windows API," however, that could be cause for concern. These files might be located in a temporary folder, the Windows folder, or elsewhere on the hard drive. If you see some of these files, you should try to navigate to their location(s) using Windows Explorer, and simply look to see if you can see them there. If you can't see the files using Explorer, that could indicate the presence of file-hiding software. But it's not a smoking gun.

RootkitRevealer can also produce false positives. If, for instance, you run Internet Explorer and visit a Web site during the scan, the program may report the files the browser writes to its cache as discrepancies, even though those files are not harmful in any way.

And some legitimate programs use file-hiding techniques as part of their normal operation. Russinovich says users of the program have reported that Kaspersky Antivirus, in particular, generates thousands of false-positive results.

Programs, documents, and temporary files should not be invisible to the operating system. If any of these kinds of files show up in RootkitRevealer's scan results, it may indicate the presence of an installed rootkit. Programs whose filenames appear as long strings of seemingly random letters and numbers are more troubling still. If you see such files, Russinovich recommends that you update your antivirus software, then run the most detailed virus scan it offers.
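The two readings above, of why activity during the scan produces spurious discrepancies and of how to sort the results into benign, worth-a-look and alarming, can be written down as a small triage script. This is an added example, not Sysinternals code, and the article does not describe RootkitRevealer's real log layout: the two-view model, the "Visible in Windows API but not in raw scan" label, the helper names, the random-filename heuristic, the rescan check, and every sample path and Registry key below are constructed for illustration. Only the "Hidden from Windows API" and "Access denied" descriptions and the dollar-sign rule for NTFS metadata files come from the article.

```python
"""Cross-view discrepancy triage modelled on RootkitRevealer's reading rules.

Added example: the two-view model, the TRANSIENT label, the helper names, the
random-name heuristic and every sample path are constructed for illustration.
"""
import math
import re

# Descriptions the article documents.
HIDDEN = "Hidden from Windows API"
ACCESS_DENIED = "Access denied"
# Assumed label for the opposite case: an object the API reported that the raw
# pass did not find, i.e. something created or deleted while the scan ran.
TRANSIENT = "Visible in Windows API but not in raw scan"

# NTFS metadata files sit at the volume root and start with '$' (C:\$MFT,
# C:\$Extend\$ObjId). The API never lists them, so every cross-view scan
# reports them.
_NTFS_META = re.compile(r"^[A-Za-z]:\\\$[^\\]+(\\\$[^\\]+)*$")
_REG_ROOTS = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKCC\\")
_ALNUM_STEM = re.compile(r"^[A-Za-z0-9]{8,}$")


def cross_view_diff(api_view, raw_view):
    """Diff two listings of one volume: on disk but missing from the API view
    is 'hidden'; the reverse means the object changed between the passes."""
    hidden = [(p, HIDDEN) for p in sorted(raw_view - api_view)]
    transient = [(p, TRANSIENT) for p in sorted(api_view - raw_view)]
    return hidden + transient


def confirm_across_scans(first, second):
    """Practitioner check (not in the article): keep only the discrepancies
    that two separate scans agree on, dropping activity-induced noise."""
    return sorted(set(first) & set(second))


def _entropy(s):
    """Shannon entropy of the characters in s, in bits."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s))
                for c in set(s))


def looks_random(path):
    """Heuristic for 'long strings of seemingly random letters and numbers':
    an alphanumeric stem of 8+ characters, high entropy, almost no vowels."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if not _ALNUM_STEM.match(stem):
        return False
    vowels = sum(stem.lower().count(v) for v in "aeiou")
    return _entropy(stem) >= 3.0 and vowels / len(stem) <= 0.2


def triage(path, description):
    """Apply the article's reading rules to one (path, description) line."""
    if path.startswith(_REG_ROOTS) and description == ACCESS_DENIED:
        return "benign", "Registry key the scanner cannot open; normal on every system"
    if _NTFS_META.match(path):
        return "benign", "NTFS metadata file; hidden from the API by design"
    if description == TRANSIENT:
        return "rescan", "object changed mid-scan; rerun with nothing else running"
    if description == HIDDEN and looks_random(path):
        return "suspicious", "hidden and random-looking name; update AV, run a full scan"
    if description == HIDDEN:
        return "investigate", "hidden from the API; check whether Explorer can see it"
    return "investigate", "unrecognised discrepancy; research it before acting"


# Constructed sample data, not output from a real scan.
API_VIEW = {
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Temp\report.doc",
    # written by a browser while the scan ran, so only the API pass saw it
    r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\page[1].htm",
}
RAW_VIEW = {
    r"C:\$MFT", r"C:\$LogFile", r"C:\$Extend\$ObjId",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\Temp\report.doc",
    r"C:\WINDOWS\Temp\~wrd0003.tmp",                 # hidden temp file
    r"C:\WINDOWS\system32\drivers\x7k29qpd3m.sys",   # hidden, random name
}
REGISTRY_DISCREPANCIES = [
    (r"HKLM\SECURITY\Policy\Secrets", ACCESS_DENIED),
    (r"HKLM\SAM\SAM\Domains", ACCESS_DENIED),
]


def run_sample():
    """Return {verdict: [paths]} for the constructed scan above."""
    report = {}
    for path, desc in REGISTRY_DISCREPANCIES + cross_view_diff(API_VIEW, RAW_VIEW):
        report.setdefault(triage(path, desc)[0], []).append(path)
    return report


if __name__ == "__main__":
    for verdict, paths in run_sample().items():
        print(verdict, paths)
```

On the constructed data the two Registry keys and the three dollar-sign files land in the benign bucket, the browser cache file is flagged for a rescan, the hidden temp file is marked for a look in Explorer, and the hidden driver with the random-looking name is the one result that warrants an updated antivirus scan. The rescan check is the practitioner's addition: a discrepancy that survives two scans taken with nothing else running is worth chasing, while one that vanishes between runs was almost certainly a browser, screensaver or antivirus writing a file between the two passes.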

The tool is still in its infancy, and may have bugs, so Russinovich recommends that, if you're not sure whether a file is associated with a rootkit, you should search the Web and/or Usenet to do some research before taking the drastic step of blowing away your operating system and data.


TOPICS: News/Current Events
KEYWORDS: adware; lowqualitycrap; malware; rootkit; spyware; trojan; virus; worm
To: holymoly

Just say no to Windows 9x.


21 posted on 03/01/2005 2:34:22 PM PST by Disambiguator

To: martin_fierro

Bump for a later read.


22 posted on 03/01/2005 2:34:45 PM PST by FormerLib (Kosova: "land stolen from Serbs and given to terrorist killers in a futile attempt to appease them.")

To: holymoly

Not for amateurs.


23 posted on 03/01/2005 2:37:38 PM PST by PeterFinn (Why is it that people who know the least know it the loudest?)

To: holymoly

I wonder what all that means in human lingo?


24 posted on 03/01/2005 2:41:30 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)

To: martin_fierro

Perhaps you could add Microsoft's AntiSpyware to your list. It's free for Windows users and is extremely good -- my experience (15 machines or so) is that it's better than Spybot and AdAware combined.


25 posted on 03/01/2005 2:41:48 PM PST by TChris (Most people's capability for inference is severely overestimated)

To: martin_fierro

Thanks for the links, these will come in handy.


26 posted on 03/01/2005 2:42:47 PM PST by Sergio (If a tree fell on a mime in the forest, would he make a sound?)

To: PeterFinn
That definitely lets me out.
27 posted on 03/01/2005 2:43:10 PM PST by processing please hold (Islam and Christianity do not mix ----9-11 taught us that)

To: Phsstpok

ping for later reading


28 posted on 03/01/2005 3:02:44 PM PST by Phsstpok ("When you don't know where you are, but you don't care, you're not lost, you're exploring.")

To: potlatch

Ping


29 posted on 03/01/2005 4:16:20 PM PST by ntnychik (Proud member of the Bush-eoisie)

To: ntnychik

Thanks, a good page to bookmark!


30 posted on 03/02/2005 7:55:45 PM PST by potlatch (Always remember you're unique. Just like everyone else.)


31 posted on 03/02/2005 8:03:47 PM PST by error99

To: BigSkyFreeper

I've been using win 98 on an older computer for some time now. I have spysweeper and nothing else. So far....no problems!


32 posted on 03/02/2005 8:30:22 PM PST by TheLion



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson