Best free rootkit scanners
Easy way to detect infections
In the editorial column in issue #157, I suggested that you submit a HiJackThis log of your computer to free security forums to identify possible malware infections. Several users wrote in to say that many forums no longer provide this service. Here's an alternative that's quicker and simpler, though not quite as accurate: Use a web service that will analyze your HiJackThis log using an automated technique. I know of two such services. All you have to do is paste your HJT log to the website and the results come back within seconds. Of the two sites, I found the analysis from the first site more informative.
http://www.hijackthis.de
http://hjt.networktechs.com/
Top free tools for rooting out rootkit spies
By Scott Spanbauer
An easy-to-use rootkit detector and cleaner makes trapping this sneaky spyware a snap. Whether you're comfortable sorting through your PC's processes and Registry keys manually or you prefer to have someone else do the sleuthing, there's a rootkit detector for you.
Find the malware hiding on your system
Even if you use a firewall and set your antivirus software to update its virus definitions automatically, your PC may not be safe from rootkits.
By manipulating the operating system at a low level, these malware programs can install PC keyloggers and backdoor programs surreptitiously on your PC. Then their authors are able to spy on your activities and control your system remotely.
Though many antivirus vendors have added rootkit detection and removal to their programs' arsenal of anti-malware weaponry, not all antivirus programs are rootkit-savvy. Even if your security software claims to defend against rootkits, you may benefit from a second opinion.
I tested a number of free rootkit detectors for Windows XP and Windows Vista, and my clear favorite is F-Secure's Blacklight, which combines thorough system scanning with a familiar interface reminiscent of a standard antivirus program.
On the other hand, do-it-yourself types will find plenty to like in GMER. The utility offers fine-grained control over which files it scans, and it produces detailed reports of your system's processes, files, Registry entries, and other rootkit-related information.
Trend Micro's Rootkit Buster beta is similar to Blacklight, but the program's scans are suspiciously brief.
I ran the three rootkit scanners on two different PCs: one running Windows XP and the other Vista. Since none of the programs found anything dangerous on either system, I wasn't able to test their rootkit-removal skills, which generally involve renaming or deleting the problem files and processes they discover.
Fortunately, German research group AV-Test recently completed an exhaustive test of more than 20 rootkit-removal tools of all types. Mark Joseph Edwards' PC-Tune-Up column in this week's issue describes those results.
If it weren't for the fact that all three utilities reported the same result, I might have doubted their cheerful news. That's why I recommend that you use more than one rootkit remover on your PC.
Doing so is easy, since all three of the programs I tested are only about 1MB in size. Also, they require no installation or registration, and — unlike running multiple antivirus programs — the rootkit scanners don't conflict with one another.
The simple, secure way to check for rootkits
Antivirus maker F-Secure was one of the first vendors to offer a standalone rootkit detector and remover. In fact, the rootkit-rooting capabilities in F-Secure's Blacklight utility are also found in the company's U.S. $80 F-Secure Internet Security 2008 suite as well as in its free online virus scanner.
Blacklight is about as easy to use as a program can be: just download and run, no installation necessary. By default, Blacklight scans for hidden processes, files, and folders. Although not listed, the utility also checks the hard disk's master boot record.

Figure 1. F-Secure's free Blacklight rootkit-scanning utility is a snap to use.
The program's scan took only three minutes to complete on my lightly used and relatively fast Vista test system. On the slower Windows XP laptop, however, the scan lasted a good half-hour.
When Blacklight identifies a hidden file or process, it prompts you to rename the interloper to prevent it from functioning in the future. You can also run Blacklight in a more aggressive mode, although the company says doing so could produce false-positive results.
A complete — albeit slow — rootkit scanner
GMER may be the most thorough rootkit detector and cleaner available. The program scans for hidden processes, files, NTFS alternate data streams, services, Registry keys, drivers, and suspicious hooks into drivers.
Like the other two free rootkit scanners I tested, GMER requires no registration or installation — just download the program, extract it from its zip archive, and run the scan.
GMER's scans take nearly as long as Blacklight's to complete, which may indicate that GMER is doing a very thorough search. Hidden processes that the program thinks are malware of some kind are highlighted in red. GMER then adds a delete command to its context menu.
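The "hidden processes, files and Registry keys" that Blacklight and GMER report are found by cross-view comparison: the same inventory is taken once through the ordinary Windows API, which a rootkit can hook, and once through a lower-level path (kernel structures, raw NTFS or hive parsing), and whatever the low-level view has that the API view lacks is hidden. The following is an added illustration of that comparison logic, not code from the article or from any of the scanners it reviews; the two snapshots are constructed sample data, and the second pass shows why a rescan is needed before trusting a single discrepancy.

```python
# Added example, not code from the article or from any scanner it reviews.
# Cross-view difference detection, the approach Blacklight, GMER and Sysinternals'
# Rootkit Revealer build on. Every snapshot below is constructed sample data,
# not output from a real machine.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    category: str  # "process", "file" or "registry"
    item: str
    status: str    # "hidden": raw view only; "phantom": API view only

def cross_view(api_view, raw_view):
    """Return every discrepancy between the API view and the low-level view."""
    findings = []
    for category in sorted(set(api_view) | set(raw_view)):
        # Windows names are case-insensitive, so normalise before comparing.
        api = {i.lower() for i in api_view.get(category, ())}
        raw = {i.lower() for i in raw_view.get(category, ())}
        findings += [Finding(category, i, "hidden") for i in sorted(raw - api)]
        findings += [Finding(category, i, "phantom") for i in sorted(api - raw)]
    return findings

def confirmed_hidden(*passes):
    """Keep only items reported hidden in every pass. A process that starts or
    exits between the two enumerations is a one-off discrepancy, i.e. a false
    positive; rescanning and intersecting the results drops it."""
    sets = [{(f.category, f.item) for f in p if f.status == "hidden"} for p in passes]
    return sorted(set.intersection(*sets)) if sets else []

# Constructed pass 1: a rootkit hides its process, driver file and Run key; an
# installer (setup_tmp.exe) happened to start between the two enumerations.
API_1 = {"process": {"explorer.exe", "svchost.exe"},
         "file": {r"C:\Windows\System32\drivers\ntfs.sys"},
         "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"}}
RAW_1 = {"process": {"explorer.exe", "svchost.exe", "rk_svc.exe", "setup_tmp.exe"},
         "file": {r"C:\Windows\System32\drivers\ntfs.sys",
                  r"C:\Windows\System32\drivers\rkdrv.sys"},
         "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
                      r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\rk_svc"}}
# Constructed pass 2: the installer has exited; the hidden items persist.
RAW_2 = {**RAW_1, "process": RAW_1["process"] - {"setup_tmp.exe"}}

def scan():
    return confirmed_hidden(cross_view(API_1, RAW_1), cross_view(API_1, RAW_2))

if __name__ == "__main__":
    for category, item in scan():
        print(f"HIDDEN {category}: {item}")
```

Pass 1 alone would flag four items; only the three that survive the second pass are worth acting on, which is the same reason the article recommends confirming a result with a second scanner.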
When a fast scanner may be too fast
Like the Blacklight and GMER rootkit detectors, Trend Micro's Rootkit Buster is a download-unzip-run affair. The program's few scanning options are straightforward: files and master boot record, Registry, processes, and drivers. To rid your system of the rootkits it finds, simply select the detected items and click the Delete button.
My only concern regarding Rootkit Buster is that the program's scans took almost no time to complete on the Vista test system, and only a few minutes to finish on the XP test machine, compared to Blacklight's 30-minute-plus perusal. While the quick scans could simply be the result of better programming, I suggest that you use Rootkit Buster as an adjunct to another rootkit detector.
Scott Spanbauer frequently writes for PC World, Business 2.0, CIO, Forbes ASAP, and Fortune Small Business. He has contributed to several books and was technical reviewer of PC Hacks.
What to do if you think your PC is infected
Every week I get letters from subscribers who are worried that their PC may have become infected after they've downloaded and installed a program.
Many of these so-called "infected download" problems are due to a security scanner claiming a program is infected when in reality it is not; that is, a "false positive." While this doesn't worry experienced PC users, it certainly scares the hell out of the average Joe or Jane.
These false positives have become increasingly common as security vendors employ "behavior-based" checking to augment their signature scanners.
Behavior-based checking works on the principle "if it acts like malware it probably is malware." All too commonly, it isn't.
Despite the fact that false positives are common, you still need to follow up on suspected problems, because malware infections are also common. So if you fail to investigate, you will never know if the problem is real or just a figment of your security program's imagination.
Here's Gizmo's simple, zero-cost, three-step procedure to follow next time you feel your PC might have become infected as the result of installing a program you downloaded.
(a) First, upload the installation file of the program you installed to Jotti.org [1] for a free scan. Jotti will then run it through more than a dozen malware scanners and let you know if there is a problem.
If Jotti determines that your file is clean, it doesn't mean that there is no infection. It simply means that it's unlikely there is an infection, and that, folks, is a very comforting finding.
(b) Download and run the free Panda Rootkit detector [2]. Again, a clean scan is not a 100% guarantee of no infection, but should add greatly to your confidence. Panda doesn't run on Vista, so Vista users should use the BlackLight [3] anti-rootkit scanner instead.
(c) Finally, download HijackThis from this page [4], and follow the instructions on the same page which tell you how to create a log that you can paste to web forums.
There are several forums where you can post. You can find two here [5], [6] and many more by doing a Google search on "Post HiJackThis log". Tell the forum helpers you have already done a Jotti scan and a rootkit scan, and let them know what the results of these scans were.
The folks in the forum will then let you know if you have a problem. If you do, they will also be able to tell you how you can get rid of it permanently. And it won't cost you a cent.
Now, in most cases you will find that nothing shows up with Jotti, the rootkit scan or HiJackThis. That's good news. OK, you have spent some of your time chasing a false lead, but that's a lot better than having an infected PC and doing nothing about it.
[1] http://virusscan.jotti.org/
[2] http://www.majorgeeks.com/Panda_Anti-Rootkit_d5457.html
[3] http://www.antirootkit.com/software/F-Secure-BlackLight-Beta.htm
[4] http://www.whatthetech.com/hijackthis/
[5] http://www.techsupportforum.com/security-center/hijackthis-log-help/
[6] http://forum.piriform.com/index.php?showforum=12
Free security scan of your running processes
Software vendor Uniblue is offering a free process scanner [1] that you can download and run on your PC. There are many excellent free process scanners, but what's different about this one is that it cross-checks each of your running processes against Uniblue's huge internet catalogue of legitimate and known malware programs. If one of your programs is a security risk, it is flagged. It works quite well, and if you use it together with a good rootkit scanner such as Panda [2], you should be able to pick up just about any secret malware infection lurking on your PC.
[1] http://www.processlibrary.com/processscan (901KB)
[2] http://www.pandasecurity.com/homeusers/downloads/docs/product/help/rkc/en/rkc_en.htm
Are security programs up to the task?
Yesterday morning I was in my kitchen reading the Saturday newspaper while casually relaxing with a cup of coffee.
Then a headline just jumped off the page.
"Rootkits on the Rampage" it read.
I quickly read the article. It was the usual sensationalist stuff: hospital computers rendered useless, pensioners' life savings stolen and worse.
But behind the hype there was an element of truth in the story. Rootkits are becoming more common. However, what the tabloid story didn't mention is the fact that rootkits are not only becoming more common; they are also becoming much more sophisticated. Furthermore they are only part of a much greater problem of ever-escalating malware sophistication and the increasing prevalence of blended threats.
A blended threat is the malevolent equivalent of a layered defense. Such threats use multiple means to defeat your computer security programs. They consist of bundles of different products and different techniques acting together to enhance the potency of the payload products.
Hiding a spyware program behind a rootkit is a simple example of a blended malware threat, but they come far more sophisticated than that.
Recently I encountered one that used three different retro routines to try to pull down my anti-malware and anti-rootkit defenses. It then installed a rootkit to mask a trojan downloader and then forced a system reboot. On reboot the stealthed trojan downloader then downloaded two different keyloggers, one of which was further stealthed with another quite different rootkit. When the keyloggers phoned home with their payload of captured keystrokes, they tried to bypass my Kerio firewall using an obscure vulnerability in that product.
In this particular case there were no obvious signs of infection. No blatantly obvious browser toolbars or popup ads. The folks who produced this nasty wanted the product to remain undiscovered.
Worse still, the rootkit stealthing meant that many security programs would report the infected computer as malware free even though every keystroke I made was being recorded and uploaded to a foreign site.
Thankfully, there are some rootkit detectors such as IceSword and Sysinternals' Rootkit Revealer that can still pick up even the cleverest rootkits currently in use.
Thankfully, too, many security programs are well hardened against attack by retro routines. Kaspersky AV and NOD32 are examples and there are quite a few others as well.
But quite a few security programs are not up to the task of defending against modern blended threats. An example is the popular SpyBot Search and Destroy anti-spyware program. It can't detect rootkits and can be pulled down with ease. The equally popular Ad-aware fares little better. And you can add to these a whole lot more.
These programs were great in their day but the rapid escalation of spyware sophistication has left them trailing behind. Sure they will still pick up many malevolent programs but frankly they are just not up to the task of detecting the latest generation of threats.
So what are we to do?
I can see two ways forward: The first is to reduce your chance of infection. The second is to only use the best security products available.
These are not exclusive choices; both should be pursued.
Neither path is easy but both can be navigated.
Next month I'll start a multi-part series of articles to show you how. It will pull together all the material I've covered over the last year on layered security protection and safe browsing into a set of specific recommendations on how to protect your computer.
Furthermore I'm going to tell you the security programs I've tested that cut the mustard and those that don't. I know this won't make me any friends in the industry but frankly the computer security situation has become so serious that it's time for some straight talking.
See you next month.
Gizmo
Rootkits - The Musical
A great video parody of rootkits by an Aussie rock band of the same name.
http://video.google.com/videoplay?docid=9151435244001559688