This post originated from an RSS feed registered with .NET Buzz
by Robert Hurlbut.
Original Post: Rootkits revealed
Feed Title: Robert Hurlbut's .Net Blog
Feed URL: http://www.asp.net/err404.htm?aspxerrorpath=/rhurlbut/Rss.aspx
Feed Description: Development with .Net, Rotor, Distributed Architectures, Security, Extreme Programming, and Databases
Nice tool. RootkitRevealer looks like it works much the same way as GhostBuster, except without the CD reboot: it does a Windows API scan and then compares the results against a raw scan of the file system and Registry hives, all within the same OS session. While this is a good attempt to catch rootkits, it can be argued that it is not as strong a solution as the CD reboot/off-line scan GhostBuster uses, because a kernel-mode rootkit that is still running can tamper with both views. Here is an interesting blurb from RootkitRevealer's documentation:
Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment, such as a boot into a CD-based operating system installation, is more reliable, rootkits can target such tools to evade detection by even them.
The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.
Unfortunately, the on-line/off-line method used by GhostBuster is not publicly available from Microsoft Research (see Bruce Schneier's request for this). Hopefully a tool of this kind will be available from someone soon.
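To make the comparison both tools rely on concrete, here is an added example (not code from the original post, from RootkitRevealer or from GhostBuster) of the cross-view diff reduced to its core. It models two views of the same file list: an "API view", which a rootkit hook can filter or falsify, and a "raw view", which is either a lower-level read taken in the same session (the RootkitRevealer case) or a scan from a trusted boot (the GhostBuster case). The paths, sizes, hashes, the hidden-directory prefix and the `hooked_view` model of a rootkit are all constructed for the example; the `simulate` switches are assumptions used to show the three scenarios the post and the quoted blurb discuss.

```python
"""Cross-view rootkit detection reduced to its core comparison.

Added example; not code from the original post, RootkitRevealer or GhostBuster.
Two views of the same object list (files here; Registry keys work the same
way) are compared:
  - the API view: what a user-mode program gets back from the normal
    enumeration APIs, which a rootkit hook can filter or falsify;
  - the raw view: a lower-level read done in the same session, or a scan
    from a trusted boot CD in the off-line case.
Anything present in the raw view but absent from the API view is the
detection signal. All paths, sizes and hashes below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    sha256: str  # content hash as observed by that view (constructed values)


View = Dict[str, Entry]  # path -> Entry


def make_view(entries: Iterable[Entry]) -> View:
    return {e.path: e for e in entries}


def hooked_view(truth: View, hide_prefix: str,
                spoof: Optional[Dict[str, Entry]] = None) -> View:
    """Constructed model of a rootkit hook in the enumeration/read path:
    entries under hide_prefix are dropped, and entries listed in `spoof`
    are reported with the attacker's substitute attributes."""
    spoof = spoof or {}
    out: View = {}
    for path, entry in truth.items():
        if path.lower().startswith(hide_prefix.lower()):
            continue  # hidden from this view
        out[path] = spoof.get(path, entry)
    return out


def cross_view_diff(api: View, raw: View) -> Dict[str, List[str]]:
    """Report every disagreement between the two views."""
    hidden = sorted(set(raw) - set(api))        # raw sees it, API does not
    phantom = sorted(set(api) - set(raw))       # API reports it, raw does not
    mismatched = sorted(                        # both see it, attributes differ
        p for p in set(api) & set(raw)
        if (api[p].size, api[p].sha256) != (raw[p].size, raw[p].sha256)
    )
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


def verdict(diff: Dict[str, List[str]]) -> str:
    if any(diff.values()):
        return "discrepancy: investigate"
    # An empty diff is not proof of absence: a kernel-mode rootkit that
    # filters both views produces exactly this result.
    return "no discrepancy (not proof of absence)"


# Constructed ground truth of what is really on disk.
TRUTH = make_view([
    Entry(r"C:\Windows\System32\ntoskrnl.exe", 2_000_000, "aa11"),
    Entry(r"C:\Windows\System32\drivers\rk\rk.sys", 40_000, "bb22"),
    Entry(r"C:\Windows\System32\drivers\rk\rk.ini", 1_200, "cc33"),
    Entry(r"C:\Windows\System32\drivers\tcpip.sys", 350_000, "ee55"),  # patched on disk
    Entry(r"C:\Program Files\app\app.exe", 300_000, "dd44"),
])
HIDE = r"C:\Windows\System32\drivers\rk"  # constructed: the rootkit's own directory
# The hook reports pre-patch attributes for the driver it modified.
SPOOF = {r"C:\Windows\System32\drivers\tcpip.sys":
         Entry(r"C:\Windows\System32\drivers\tcpip.sys", 360_000, "0000")}


def simulate(kernel_mode: bool, offline: bool) -> Dict[str, List[str]]:
    """Assumed scenario switches:
    kernel_mode: the rootkit also intercepts raw volume/hive reads.
    offline:     the raw view comes from a trusted boot, so the rootkit is
                 not running and cannot influence it."""
    api = hooked_view(TRUTH, HIDE, SPOOF)
    if offline:
        raw = TRUTH                          # trusted boot sees the truth
    elif kernel_mode:
        raw = hooked_view(TRUTH, HIDE, SPOOF)  # raw reads lie just like the API
    else:
        raw = TRUTH                          # user-mode hook does not reach raw reads
    return cross_view_diff(api, raw)


if __name__ == "__main__":
    for label, km, off in [("user-mode rootkit, same session", False, False),
                           ("kernel-mode rootkit, same session", True, False),
                           ("kernel-mode rootkit, off-line compare", True, True)]:
        d = simulate(km, off)
        print(f"{label}: {verdict(d)} {d}")
```

The second scenario is the one the quoted documentation warns about: when the rootkit controls the raw reads as well, the same-session diff is empty and the scanner reports nothing, which is why "no discrepancy" must not be read as "no rootkit". The third scenario shows what the off-line view buys: the on-line view can lie all it wants, but the trusted boot still exposes the hidden directory and the patched driver.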