New Tool Gives the Scoop on Snoops

Computer users have yet another tool they can use to find out if stealthy malware--such as a hidden virus, Trojan horse, or spyware application--has found its way onto their PC. The tool, called RootkitRevealer, permits Windows users to scan a computer for the telltale presence of certain kinds of malicious software.

That type of software, known in the security industry as a rootkit, "is a technology that's used by malware--viruses or trojans--to actively hide themselves," says RootkitRevealer's co-creator, Mark Russinovich. Rootkits can also help hackers gain greater control of an already-compromised computer.

Rootkits are more common in the world of Linux and UNIX-based computers, and are so called because they help a hacker gain or maintain root access (the highest level of administrative privileges) to a computer. Still, several Windows-specific rootkits have appeared online in the past couple of years. They tend to be bundled with the most dangerous kinds of malware, such as keystroke-logging tools that steal passwords.

Strengths and Limitations

Rootkits themselves are merely a means to an end; by hiding components of a Trojan horse application, for instance, a rootkit can help the malware evade detection by traditional antivirus scanners. RootkitRevealer can detect the presence of several common rootkits for Windows computers running NT, 2000, or XP--but not 95, 98, or Windows Me.

RootkitRevealer does have some limitations. In order to use it effectively, the user must understand how to evaluate the information it provides.

The program also cannot remove or "quarantine" rootkits it finds, and it cannot definitively tell you whether a file it finds is, in fact, part of a rootkit. If you find something that shouldn't be there and your antivirus program can't remove it, says Russinovich, "the correct response is to repave."

"That's IT terminology for completely scrubbing the machine," he explains. "You have to format the drive, completely wiping out all the data, and reinstall Windows."

Your First Rootkit Scan

The program is free to download from Russinovich's Web site, Sysinternals. There's no installation process; simply unzip the files and run the RootkitRevealer.exe application.

There are a few caveats you should know before you run your first scan with the program. The first is that while RootkitRevealer is running, you shouldn't do anything at all with the PC. Put down the mouse, back away slowly, and let the program do its work.

You should also turn off any program that might activate during the scan, such as a screensaver, an antivirus tool, or any other running program. Switching focus to another program, or allowing other programs to activate during the scan, won't cause your system to crash, but doing so may cause the RootkitRevealer program to display inaccurate or misleading results.

So turn off all other programs, open RootkitRevealer, click the Scan button in the lower left corner of the application's window, and sit back and watch.

Evaluating the Results

Almost as soon as you begin the scan, you'll see some results. When the scan completes, the Scan button (which is labeled Abort while the scan runs) changes its label back to Scan. The bottom of the window will also tell you how many "discrepancies" were found in the scan.

RootkitRevealer always creates a list of NTFS metadata files for each hard drive partition. These files are created as part of the normal functioning of Windows, and don't necessarily indicate the presence of a rootkit.
Several of the discrepancies are completely benign. For instance, the first 10 to 20 results will look like Registry keys, but will have the word "Access denied" next to them (see screen shot at left). These are normal results and appear on every computer, whether or not a rootkit is present. They do not indicate the presence of problematic files.

RootkitRevealer initially displays a list of inaccessible Registry keys. These are usually benign entries, and don't indicate the presence of a rootkit.
Following the "Access denied" entries, you'll see a list of what look like Windows folder names that begin with a dollar sign (see screen shot at right). Russinovich says these files (he calls them NTFS metadata files) are a normal part of Windows' NTFS file system, and both the number and names of the files vary from system to system. For each drive partition on your computer, the program will compile a list of these NTFS metadata files. These also appear on every computer, whether or not there's a rootkit present.

If you see other files that carry a description of "Hidden from Windows API," however, that could be cause for concern. These files might be located in a temporary folder, the Windows folder, or elsewhere on the hard drive. If you see some of these files, you should try to navigate to their location(s) using Windows Explorer and check whether they are visible there. If you can't see the files using Explorer, that could indicate the presence of file-hiding software. But it's not a smoking gun.

If, for instance, you run Internet Explorer and visit a Web site during the scan, RootkitRevealer may report any files the browser stores in its cache as "discrepancies"--even though those files may not be harmful in any way.

Some legitimate programs also use file-hiding techniques as part of their normal operation, he adds. Russinovich says users of the program have reported that Kaspersky Antivirus, in particular, generates thousands of false-positive results.

Programs, documents, and temporary files should not be "invisible" to the operating system. If any of these kinds of files show up in RootkitRevealer's scan results, it may indicate the presence of an installed rootkit.
But programs whose filenames appear as long strings of seemingly random letters and numbers are more troubling results (see screen shot). If you see such files, Russinovich recommends that you update your antivirus software, then run the most thorough virus scan it offers.
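The triage the article walks through (access-denied Registry keys and $-prefixed NTFS metadata files that appear on every machine, entries hidden from the Windows API that deserve a manual look in Explorer, and random-looking filenames that warrant a full antivirus scan) comes down to comparing two views of the same system and classifying each discrepancy. The Python script below is an added example written for this page, not RootkitRevealer's code: it assumes two constructed listings of the same file tree, one as a high-level API would report it and one read from the raw on-disk structure, and the entry descriptions, name-length threshold, entropy cutoff and sample paths are all assumptions made for illustration.

```python
"""Cross-view discrepancy triage in the spirit of RootkitRevealer.

Added example for this article, not RootkitRevealer's own code. It assumes two
listings of the same tree: what the high-level (Windows API) view enumerates and
what a raw read of the on-disk structure contains. All data below is constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    path: str
    description: str  # assumed wording: "Access denied" / "Hidden from Windows API"
    verdict: str      # "benign", "review" or "suspicious"


# Constructed sample data: what the API view enumerates on this machine.
API_VIEW = {
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Temp\setup.log",
}

# Constructed sample data: what a raw read of the volume contains. The extra
# entries are NTFS metadata files, a browser-cache style file, and one
# random-looking driver name of the kind the article says is most troubling.
RAW_VIEW = API_VIEW | {
    r"C:\$MFT",
    r"C:\$LogFile",
    r"C:\$Secure",
    r"C:\Temp\index.dat",
    r"C:\Windows\System32\drivers\x7q9m2pk4z1b.sys",
}

# Constructed sample: Registry keys the scanner could not open (always present,
# per the article, and not evidence of a rootkit).
ACCESS_DENIED_KEYS = [
    r"HKLM\SECURITY\Policy\Secrets",
    r"HKLM\SAM\SAM\Domains",
]

# $-prefixed entries at the root of a volume are NTFS metadata ($MFT, $LogFile ...).
NTFS_METADATA = re.compile(r"^[A-Za-z]:\\\$[A-Za-z]+$")
# Assumed heuristic: 12+ alphanumerics with an executable extension is "random-looking".
RANDOM_NAME = re.compile(r"^[a-z0-9]{12,}\.(exe|dll|sys)$", re.IGNORECASE)
ENTROPY_CUTOFF = 3.0  # assumed threshold in bits per character


def cross_view_diff(api_view, raw_view):
    """Return paths present in the raw view but absent from the API view."""
    return sorted(set(raw_view) - set(api_view))


def shannon_entropy(text):
    """Bits per character; high values mean the name looks random rather than wordy."""
    counts = Counter(text)
    total = len(text)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def triage(path, description):
    """Classify one discrepancy using the article's rules of thumb."""
    if description == "Access denied":
        return "benign"            # inaccessible keys show up on every computer
    if NTFS_METADATA.match(path):
        return "benign"            # normal NTFS metadata, names vary per system
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    if RANDOM_NAME.match(name) and shannon_entropy(stem) > ENTROPY_CUTOFF:
        return "suspicious"        # random-looking program name: run a full AV scan
    return "review"                # hidden from the API: check it in Explorer first


def scan(api_view, raw_view, denied_keys):
    """Produce the list of discrepancies a cross-view scan would report."""
    results = [Discrepancy(k, "Access denied", triage(k, "Access denied")) for k in denied_keys]
    for path in cross_view_diff(api_view, raw_view):
        desc = "Hidden from Windows API"
        results.append(Discrepancy(path, desc, triage(path, desc)))
    return results


def summarize(results):
    """Count verdicts so the reader sees how many entries actually need attention."""
    return dict(Counter(d.verdict for d in results))


if __name__ == "__main__":
    found = scan(API_VIEW, RAW_VIEW, ACCESS_DENIED_KEYS)
    for d in found:
        print(f"{d.verdict:10} {d.description:24} {d.path}")
    print(summarize(found))
```

Only one of the seven discrepancies in the sample ends up "suspicious"; the NTFS metadata and access-denied entries are filtered as benign, and the cache-style file is left for manual review, which matches the order of checks the article recommends before anything drastic is done.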

The tool is still in its infancy, and may have bugs, so Russinovich recommends that, if you're not sure whether a file is associated with a rootkit, you should search the Web and/or Usenet to do some research before taking the drastic step of blowing away your operating system and data.
